spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Reynold Xin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SPARK-10857) SQL injection bug in JdbcDialect.getTableExistsQuery()
Date Wed, 21 Oct 2015 20:31:27 GMT

    [ https://issues.apache.org/jira/browse/SPARK-10857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14967827#comment-14967827
] 

Reynold Xin commented on SPARK-10857:
-------------------------------------

We want to support a query within that. Would this rule that out?


> SQL injection bug in JdbcDialect.getTableExistsQuery()
> ------------------------------------------------------
>
>                 Key: SPARK-10857
>                 URL: https://issues.apache.org/jira/browse/SPARK-10857
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.5.0
>            Reporter: Rick Hillegas
>            Priority: Minor
>
> All of the implementations of this method involve constructing a query by concatenating
boilerplate text with a user-supplied name. This looks like a SQL injection bug to me.
> A better solution would be to call java.sql.DatabaseMetaData.getTables() to implement
this method, using the catalog and schema which are available from Connection.getCatalog()
and Connection.getSchema(). This would not work on Java 6 because Connection.getSchema() was
introduced in Java 7. However, the solution would work for more modern JVMs. Limiting the
vulnerability to obsolete JVMs would at least be an improvement over the current situation.
Java 6 has been end-of-lifed and is not an appropriate platform for users who are concerned
about security.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org


Mime
View raw message