[jira] [Updated] (SENTRY-2120) Potential cross-site scripting in LogLevelServlet
[ https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2120:
--------------------------
    Description:
LogLevelServlet.java has the following code
{code}
public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  String logName = getParameter(request, "log");
  String level = getParameter(request, "level");
  response.setContentType("text/html;charset=utf-8");
  response.setStatus(HttpServletResponse.SC_OK);
  PrintWriter out = response.getWriter();
  if (logName != null) {
    Logger logInstance = LogManager.getLogger(logName);
    if (level == null) {
      out.write(String.format(FORMS_GET,
          escapeHtml(logName),
          logInstance.getEffectiveLevel().toString()));
    } else if (isLogLevelValid(level)) {
      logInstance.setLevel(Level.toLevel(level));
      out.write(String.format(FORMS_SET,
          escapeHtml(logName),
          level,
          level,
          logInstance.getEffectiveLevel().toString()));
    } else {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
      return;
    }
  }
  out.write(FORMS_END);
  out.close();
  response.flushBuffer();
}
{code}
As a result, the HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input to the error message directly is a bad practice for security purposes. For best practice, we should escape the input string.
  was:
LogLevelServlet.java has the following code
{code}
public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  String logName = getParameter(request, "log");
  String level = getParameter(request, "level");
  response.setContentType("text/html;charset=utf-8");
  response.setStatus(HttpServletResponse.SC_OK);
  PrintWriter out = response.getWriter();
  if (logName != null) {
    Logger logInstance = LogManager.getLogger(logName);
    if (level == null) {
      out.write(String.format(FORMS_GET,
          escapeHtml(logName),
          logInstance.getEffectiveLevel().toString()));
    } else if (isLogLevelValid(level)) {
      logInstance.setLevel(Level.toLevel(level));
      out.write(String.format(FORMS_SET,
          escapeHtml(logName),
          level,
          level,
          logInstance.getEffectiveLevel().toString()));
    } else {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
      return;
    }
  }
  out.write(FORMS_END);
  out.close();
  response.flushBuffer();
}
{code}
As a result, the HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input allows for reflected cross-site scripting. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
> Potential cross-site scripting in LogLevelServlet
> -------------------------------------------------
>
>                 Key: SENTRY-2120
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2120
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>         Attachments: SENTRY-2120.001.patch, SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
>     throws ServletException, IOException {
>   String logName = getParameter(request, "log");
>   String level = getParameter(request, "level");
>   response.setContentType("text/html;charset=utf-8");
>   response.setStatus(HttpServletResponse.SC_OK);
>   PrintWriter out = response.getWriter();
>   if (logName != null) {
>     Logger logInstance = LogManager.getLogger(logName);
>     if (level == null) {
>       out.write(String.format(FORMS_GET,
>           escapeHtml(logName),
>           logInstance.getEffectiveLevel().toString()));
>     } else if (isLogLevelValid(level)) {
>       logInstance.setLevel(Level.toLevel(level));
>       out.write(String.format(FORMS_SET,
>           escapeHtml(logName),
>           level,
>           level,
>           logInstance.getEffectiveLevel().toString()));
>     } else {
>       response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
>       return;
>     }
>   }
>   out.write(FORMS_END);
>   out.close();
>   response.flushBuffer();
> }
> {code}
> As a result, the HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input to the error message directly is a bad practice for security purposes. For best practice, we should escape the input string.
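The ticket's point is the `else` branch: `logName` is passed through `escapeHtml` before it reaches the page, but `level` is concatenated raw into the `sendError` message even though the response is typed `text/html`. The class below is an added illustration, not Sentry project code and not the attached patch; it rebuilds that branch with plain JDK so it runs without the Servlet API (`java LogLevelErrorMessage.java`, Java 9 or later for `Set.of`). The level allow-list, the `escapeHtml` implementation and the two message-building methods are assumptions made here; the real servlet delegates validation to its own `isLogLevelValid()` and uses whichever `escapeHtml` it already imports for `logName`.

```java
import java.util.Set;

/**
 * Added illustration for SENTRY-2120 (not Sentry project code): the
 * invalid-level branch of LogLevelServlet, rebuilt so the untrusted "level"
 * request parameter is HTML-escaped before it is placed into an error message
 * that the container will render as text/html.
 */
public class LogLevelErrorMessage {

    // Assumed allow-list of log4j 1.x level names; the real servlet's
    // isLogLevelValid() is the authority on what it accepts.
    private static final Set<String> VALID_LEVELS =
            Set.of("ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF");

    /** Validation step: only a name from the allow-list may reach Level.toLevel(). */
    public static boolean isLogLevelValid(String level) {
        return level != null && VALID_LEVELS.contains(level.toUpperCase());
    }

    /**
     * Minimal HTML escaper covering the five characters that change meaning in
     * HTML text or attribute context. Stands in for the escapeHtml() the servlet
     * already applies to logName.
     */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The message exactly as the reported code builds it: raw parameter into HTML output. */
    public static String unsafeInvalidLevelMessage(String level) {
        return "Invalid log level: " + level;
    }

    /** The message the ticket asks for: same wording, parameter escaped first. */
    public static String safeInvalidLevelMessage(String level) {
        return "Invalid log level: " + escapeHtml(level);
    }

    public static void main(String[] args) {
        // Constructed sample input: markup-bearing text a client could send as ?level=...
        // (it is rejected by the allow-list, so it reaches the error-message branch).
        String level = "<b>not-a-level</b> \"quoted\"";
        if (isLogLevelValid(level)) {
            System.out.println("valid level, would call logInstance.setLevel(Level.toLevel(level))");
            return;
        }
        System.out.println("unsafe: " + unsafeInvalidLevelMessage(level));
        System.out.println("safe:   " + safeInvalidLevelMessage(level));
    }
}
```

In the servlet the fix reduces to `response.sendError(HttpServletResponse.SC_BAD_REQUEST, safeInvalidLevelMessage(level));`, i.e. the same `escapeHtml` treatment `logName` already gets. Two points worth keeping in mind when reviewing the patch: whether a container's default error page escapes the message string passed to `sendError` varies between containers and versions, so the servlet should not rely on the container doing it; and because this branch is only reached after `isLogLevelValid` has rejected the value, a generic message that does not echo the parameter at all (logging the rejected value server-side instead) removes the sink entirely rather than sanitising it.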
[jira] [Updated] (SENTRY-2120) Potential cross-site scripting in LogLevelServlet
[ https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2120:
--------------------------
    Summary: Potential cross-site scripting in LogLevelServlet  (was: cross-site scripting vulnerability in LogLevelServlet)

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Updated] (SENTRY-2120) Potential cross-site scripting in LogLevelServlet
[ https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2120:
--------------------------
    Description:
LogLevelServlet.java has the following code
{code}
public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  String logName = getParameter(request, "log");
  String level = getParameter(request, "level");
  response.setContentType("text/html;charset=utf-8");
  response.setStatus(HttpServletResponse.SC_OK);
  PrintWriter out = response.getWriter();
  if (logName != null) {
    Logger logInstance = LogManager.getLogger(logName);
    if (level == null) {
      out.write(String.format(FORMS_GET,
          escapeHtml(logName),
          logInstance.getEffectiveLevel().toString()));
    } else if (isLogLevelValid(level)) {
      logInstance.setLevel(Level.toLevel(level));
      out.write(String.format(FORMS_SET,
          escapeHtml(logName),
          level,
          level,
          logInstance.getEffectiveLevel().toString()));
    } else {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
      return;
    }
  }
  out.write(FORMS_END);
  out.close();
  response.flushBuffer();
}
{code}
As a result, the HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input allows for reflected cross-site scripting. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
  was:
LogLevelServlet.java has the following code
{code}
public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  String logName = getParameter(request, "log");
  String level = getParameter(request, "level");
  response.setContentType("text/html;charset=utf-8");
  response.setStatus(HttpServletResponse.SC_OK);
  PrintWriter out = response.getWriter();
  if (logName != null) {
    Logger logInstance = LogManager.getLogger(logName);
    if (level == null) {
      out.write(String.format(FORMS_GET,
          escapeHtml(logName),
          logInstance.getEffectiveLevel().toString()));
    } else if (isLogLevelValid(level)) {
      logInstance.setLevel(Level.toLevel(level));
      out.write(String.format(FORMS_SET,
          escapeHtml(logName),
          level,
          level,
          logInstance.getEffectiveLevel().toString()));
    } else {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
      return;
    }
  }
  out.write(FORMS_END);
  out.close();
  response.flushBuffer();
}
{code}
As a result, the HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input allows for a reflected cross-site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.