spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Apache Spark (JIRA)" <>
Subject [jira] [Assigned] (SPARK-10857) SQL injection bug in JdbcDialect.getTableExistsQuery()
Date Wed, 21 Oct 2015 19:11:27 GMT


Apache Spark reassigned SPARK-10857:

    Assignee: Apache Spark

> SQL injection bug in JdbcDialect.getTableExistsQuery()
> ------------------------------------------------------
>                 Key: SPARK-10857
>                 URL:
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.5.0
>            Reporter: Rick Hillegas
>            Assignee: Apache Spark
>            Priority: Minor
> All of the implementations of this method involve constructing a query by concatenating
boilerplate text with a user-supplied name. This looks like a SQL injection bug to me.
> A better solution would be to call java.sql.DatabaseMetaData.getTables() to implement
this method, using the catalog and schema which are available from Connection.getCatalog()
and Connection.getSchema(). This would not work on Java 6 because Connection.getSchema() was
introduced in Java 7. However, the solution would work for more modern JVMs. Limiting the
vulnerability to obsolete JVMs would at least be an improvement over the current situation.
Java 6 has been end-of-lifed and is not an appropriate platform for users who are concerned
about security.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message