[ https://issues.apache.org/jira/browse/HBASE-15328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15168380#comment-15168380 ]
Heng Chen commented on HBASE-15328: ----------------------------------- At least, we could check whether request.getServerName is our valid RS or not. > Unvalidated Redirect in HMaster > ------------------------------- > > Key: HBASE-15328 > URL: https://issues.apache.org/jira/browse/HBASE-15328 > Project: HBase > Issue Type: Bug > Components: security > Reporter: stack > Priority: Minor > > See OWASP page on why we should clean it up someday: > https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet > Here is where we do the redirect: > {code} > @Override > public void doGet(HttpServletRequest request, > HttpServletResponse response) throws ServletException, IOException { > String redirectUrl = request.getScheme() + "://" > + request.getServerName() + ":" + regionServerInfoPort > + request.getRequestURI(); > response.sendRedirect(redirectUrl); > } > } > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)