Description
We should do some sanity checking on the user-provided data before we blindly pass it to a redirect.
i.e.

    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public static class RedirectServlet extends HttpServlet {
      private static final long serialVersionUID = 2894774810058302472L;
      private static int regionServerInfoPort;

      @Override
      public void doGet(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
        // getServerName() is taken from the client-supplied Host header and
        // getRequestURI() is the client-supplied path; both go into the
        // Location header unchecked.
        String redirectUrl = request.getScheme() + "://" + request.getServerName()
            + ":" + regionServerInfoPort + request.getRequestURI();
        response.sendRedirect(redirectUrl);
      }
    }

e.g.
- Are we redirecting to a server that is ours?
- Did we validate the path/query string?
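One way to add the two checks listed above, as an added example that is not the project's own code or the fix that shipped for this issue: the host taken from the request is compared against a configured allowlist of names this server actually answers to, the path is required to be a plain absolute path (no second slash, no backslash, nothing that could be reinterpreted as an authority), and the target is rebuilt with java.net.URI and re-parsed so that the host and port that will be sent are the ones that were checked. The class name SafeRedirectServlet, the constructor arguments and the allowlist contents are assumptions for the example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened redirect servlet (example code, not HBase's own fix).
public class SafeRedirectServlet extends HttpServlet {
  private static final long serialVersionUID = 1L;

  // Assumed to be supplied from configuration at startup: the info port to
  // redirect to and the host names this server is legitimately reachable under.
  private final int regionServerInfoPort;
  private final Set<String> allowedHosts;

  public SafeRedirectServlet(int regionServerInfoPort, Set<String> allowedHosts) {
    this.regionServerInfoPort = regionServerInfoPort;
    this.allowedHosts = allowedHosts;
  }

  /**
   * Builds the redirect target, or returns null if any client-influenced part
   * fails validation. Kept static and side-effect free so it can be unit tested.
   */
  static String buildRedirect(String scheme, String host, int port, String requestUri,
      Set<String> allowedHosts) {
    // Only the two schemes we serve; anything else is not ours.
    if (!"http".equals(scheme) && !"https".equals(scheme)) {
      return null;
    }
    // Host comes from the client's Host header: accept it only if it is one of ours.
    if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
      return null;
    }
    if (port < 1 || port > 65535) {
      return null;
    }
    // Path must be a single absolute path. "//host" would be read as an
    // authority by browsers, and a backslash is normalised to "/" by some.
    if (requestUri == null || !requestUri.startsWith("/") || requestUri.startsWith("//")
        || requestUri.contains("\\")) {
      return null;
    }
    try {
      // Multi-argument constructor percent-encodes illegal characters in the path
      // instead of letting them through into the Location header verbatim.
      URI target = new URI(scheme, null, host, port, requestUri, null, null);
      // Re-parse the serialised form and confirm the authority we validated is
      // exactly the authority that will be sent.
      URI parsed = new URI(target.toASCIIString());
      if (parsed.getHost() == null || !host.equalsIgnoreCase(parsed.getHost())
          || parsed.getPort() != port || parsed.getFragment() != null) {
        return null;
      }
      return parsed.toASCIIString();
    } catch (URISyntaxException e) {
      return null;
    }
  }

  @Override
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String target = buildRedirect(request.getScheme(), request.getServerName(),
        regionServerInfoPort, request.getRequestURI(), allowedHosts);
    if (target == null) {
      // Refuse rather than "fix up" a bad target; a 400 cannot be abused as an open redirect.
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid redirect target");
      return;
    }
    response.sendRedirect(target);
  }
}
```

The allowlist is the important part: a reverse proxy or a client can put any value in the Host header, so the servlet must not trust getServerName() on its own. An even simpler alternative is to ignore the Host header entirely and redirect to the host name the server was configured to bind to, which removes the first question in the list above altogether.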
Attachments
Issue Links
- duplicates HBASE-15328 Unvalidated Redirect in HMaster (Resolved)