[jira] [Updated] (HBASE-17424) Protect REST client against malicious XML responses.
[ https://issues.apache.org/jira/browse/HBASE-17424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-17424: --- Fix Version/s: (was: 1.4.0) > Protect REST client against malicious XML responses. > > > Key: HBASE-17424 > URL: https://issues.apache.org/jira/browse/HBASE-17424 > Project: HBase > Issue Type: Bug > Components: REST >Reporter: Josh Elser >Assignee: Josh Elser > Fix For: 2.0.0, 1.3.0, 1.2.5, 1.1.9 > > Attachments: HBASE-17424.001.patch, HBASE-17424.002.patch > > > If, by some means, an unsuspecting REST server client would get a malformed > response from the REST server, it could result in the client performing some > unintended action from the XML parsing. > We should disable these extra options on the XML parser to prevent the > possibility. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Updated] (HBASE-17424) Protect REST client against malicious XML responses.
[ https://issues.apache.org/jira/browse/HBASE-17424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Josh Elser updated HBASE-17424: --- Resolution: Fixed Status: Resolved (was: Patch Available) Thanks for the review, Ted. Tested each branch using oraclejkd8, openjdk 8, and oracle jdk7. > Protect REST client against malicious XML responses. > > > Key: HBASE-17424 > URL: https://issues.apache.org/jira/browse/HBASE-17424 > Project: HBase > Issue Type: Bug > Components: REST >Reporter: Josh Elser >Assignee: Josh Elser > Fix For: 2.0.0, 1.3.0, 1.4.0, 1.2.5, 1.1.9 > > Attachments: HBASE-17424.001.patch, HBASE-17424.002.patch > > > If, by some means, an unsuspecting REST server client would get a malformed > response from the REST server, it could result in the client performing some > unintended action from the XML parsing. > We should disable these extra options on the XML parser to prevent the > possibility. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-17424) Protect REST client against malicious XML responses.
[ https://issues.apache.org/jira/browse/HBASE-17424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Josh Elser updated HBASE-17424: --- Attachment: HBASE-17424.002.patch .002 Thanks for the review, Ted. This turned out to be a really good exception as I had incorrect "bad" XML. I took a similar, but slightly different, approach to verify that the exception is the one we're expecting. > Protect REST client against malicious XML responses. > > > Key: HBASE-17424 > URL: https://issues.apache.org/jira/browse/HBASE-17424 > Project: HBase > Issue Type: Bug > Components: REST >Reporter: Josh Elser >Assignee: Josh Elser > Fix For: 2.0.0, 1.3.0, 1.4.0, 1.2.5, 1.1.9 > > Attachments: HBASE-17424.001.patch, HBASE-17424.002.patch > > > If, by some means, an unsuspecting REST server client would get a malformed > response from the REST server, it could result in the client performing some > unintended action from the XML parsing. > We should disable these extra options on the XML parser to prevent the > possibility. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-17424) Protect REST client against malicious XML responses.
[ https://issues.apache.org/jira/browse/HBASE-17424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Josh Elser updated HBASE-17424: --- Attachment: HBASE-17424.001.patch .001 Configures the XML parser to not read external entities and not support DTD's. Includes a basic test. > Protect REST client against malicious XML responses. > > > Key: HBASE-17424 > URL: https://issues.apache.org/jira/browse/HBASE-17424 > Project: HBase > Issue Type: Bug > Components: REST >Reporter: Josh Elser >Assignee: Josh Elser > Fix For: 2.0.0, 1.3.0, 1.4.0, 1.2.5, 1.1.9 > > Attachments: HBASE-17424.001.patch > > > If, by some means, an unsuspecting REST server client would get a malformed > response from the REST server, it could result in the client performing some > unintended action from the XML parsing. > We should disable these extra options on the XML parser to prevent the > possibility. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-17424) Protect REST client against malicious XML responses.
[ https://issues.apache.org/jira/browse/HBASE-17424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Josh Elser updated HBASE-17424: --- Status: Patch Available (was: Open) > Protect REST client against malicious XML responses. > > > Key: HBASE-17424 > URL: https://issues.apache.org/jira/browse/HBASE-17424 > Project: HBase > Issue Type: Bug > Components: REST >Reporter: Josh Elser >Assignee: Josh Elser > Fix For: 2.0.0, 1.3.0, 1.4.0, 1.2.5, 1.1.9 > > Attachments: HBASE-17424.001.patch > > > If, by some means, an unsuspecting REST server client would get a malformed > response from the REST server, it could result in the client performing some > unintended action from the XML parsing. > We should disable these extra options on the XML parser to prevent the > possibility. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
