HBASE-26903 Bump httpclient from 4.5.3 to 4.5.13 (#4296)

Bump httpclient from 4.5.3 to 4.5.13 to avoid a CVE of medium severity in this dependency. Newer httpclient versions enable a URI normalization algorithm by default that rewrites URIs in a way that breaks some forms of valid REST gateway interactions, so disable it when building the httpclient instance in Client. Signed-off-by: Duo Zhang <zhangduo@apache.org> Signed-off-by: Pankaj Kumar <pankajkumar@apache.org> Conflicts: pom.xml
apache · Mar 30, 2022 · 55bc977 · 55bc977
1 parent 602c7f6
commit 55bc977
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 9 deletions.
diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java
@@ -23,7 +23,6 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
@@ -40,7 +39,6 @@
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
 import javax.net.ssl.SSLContext;
-
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
 import org.apache.hadoop.hbase.rest.Constants;
@@ -112,8 +110,11 @@ private void initialize(Cluster cluster, Configuration conf, boolean sslEnabled,
       Constants.DEFAULT_REST_CLIENT_CONN_TIMEOUT);
     int socketTimeout = this.conf.getInt(Constants.REST_CLIENT_SOCKET_TIMEOUT,
       Constants.DEFAULT_REST_CLIENT_SOCKET_TIMEOUT);
-    RequestConfig requestConfig = RequestConfig.custom().setConnectTimeout(connTimeout)
-        .setSocketTimeout(socketTimeout).build();
+    RequestConfig requestConfig = RequestConfig.custom()
+      .setConnectTimeout(connTimeout)
+      .setSocketTimeout(socketTimeout)
+      .setNormalizeUri(false) // URIs should not be normalized, see HBASE-26903
+      .build();
     httpClientBuilder.setDefaultRequestConfig(requestConfig);
 
     // Since HBASE-25267 we don't use the deprecated DefaultHttpClient anymore.

diff --git a/pom.xml b/pom.xml
@@ -1467,11 +1467,7 @@
     <commons-lang3.version>3.9</commons-lang3.version>
     <commons-math.version>3.6.1</commons-math.version>
     <disruptor.version>3.4.2</disruptor.version>
-    <!-- Updating the httpclient will break hbase-rest. It writes out URLs with '//' in it
-      especially when writing out 'no column families'. Later httpclients collapse the '//'
-      into single '/' as double-slash is not legal in an URL. Breaks #testDelete in
-      TestRemoteTable. -->
-    <httpclient.version>4.5.3</httpclient.version>
+    <httpclient.version>4.5.13</httpclient.version>
     <httpcore.version>4.4.13</httpcore.version>
     <metrics-core.version>3.2.6</metrics-core.version>
     <jackson.version>2.10.1</jackson.version>