From b3c3e2f41a1d61c1655eecaf103906e0031e47fe Mon Sep 17 00:00:00 2001
From: Andrew Purtell
Date: Wed, 30 Mar 2022 14:30:53 -0700
Subject: [PATCH] HBASE-26903 Bump httpclient from 4.5.3 to 4.5.13 (#4296)

Bump httpclient from 4.5.3 to 4.5.13 to avoid a CVE of medium severity in this dependency. Newer httpclient versions enable a URI normalization algorithm by default that rewrites URIs in a way that breaks some forms of valid REST gateway interactions, so disable it when building the httpclient instance in Client.

Signed-off-by: Duo Zhang
Signed-off-by: Pankaj Kumar
---
 .../java/org/apache/hadoop/hbase/rest/client/Client.java | 9 +++++----
 pom.xml | 6 +-----
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java
index 77077337cac..7459f8af0ad 100644
--- a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java
+++ b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java
@@ -23,7 +23,6 @@ import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
@@ -40,7 +39,6 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
 import javax.net.ssl.SSLContext;
-
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
 import org.apache.hadoop.hbase.rest.Constants;
@@ -113,8 +111,11 @@ public class Client {
 Constants.DEFAULT_REST_CLIENT_CONN_TIMEOUT);
 int socketTimeout = this.conf.getInt(Constants.REST_CLIENT_SOCKET_TIMEOUT,
 Constants.DEFAULT_REST_CLIENT_SOCKET_TIMEOUT);
- RequestConfig requestConfig = RequestConfig.custom().setConnectTimeout(connTimeout)
- .setSocketTimeout(socketTimeout).build();
+ RequestConfig requestConfig = RequestConfig.custom()
+ .setConnectTimeout(connTimeout)
+ .setSocketTimeout(socketTimeout)
+ .setNormalizeUri(false) // URIs should not be normalized, see HBASE-26903
+ .build();
 httpClientBuilder.setDefaultRequestConfig(requestConfig);
 
 // Since HBASE-25267 we don't use the deprecated DefaultHttpClient anymore.
diff --git a/pom.xml b/pom.xml
index ae0c47099b3..c5c34c0ea1c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -783,11 +783,7 @@ 3.9 3.6.1 3.4.2 - - 4.5.3 + 4.5.13 4.4.13 3.2.6 2.13.1
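Review bot: `.setNormalizeUri(false)` switches off the whole client-side normalization step, not just the rewrite that broke the gateway: from here on httpclient sends the request path exactly as Client builds it, so path components a caller supplies (for example dot-segments, repeated slashes or unusual percent-encoding built from row keys) reach the REST server verbatim instead of being collapsed on the client. That is the intended trade-off of this fix, but it moves responsibility for path hygiene onto the gateway and onto callers that assemble paths from user data, and the terse one-line comment does not say so. Suggest expanding it to: `// Do not let newer httpclient versions normalize request URIs: it rewrites path components the REST gateway expects verbatim (HBASE-26903). Paths are sent exactly as built, so callers must encode path segments themselves.` A small unit test asserting that the built RequestConfig reports `isNormalizeUri() == false` would keep a later httpclient upgrade or builder refactor from silently re-enabling normalization. The enclosing method starts and ends outside this hunk.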