spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rick Hillegas (JIRA)" <>
Subject [jira] [Commented] (SPARK-10857) SQL injection bug in JdbcDialect.getTableExistsQuery()
Date Fri, 09 Oct 2015 15:20:26 GMT


Rick Hillegas commented on SPARK-10857:

The discussion on SPARK-10977 suggests another solution:

4) Use some Derby code to parse the user-supplied table name into a [schema.]objectName pair
and then double-quote and escape the identifiers to that they are legal delimited identifiers.


> SQL injection bug in JdbcDialect.getTableExistsQuery()
> ------------------------------------------------------
>                 Key: SPARK-10857
>                 URL:
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.5.0
>            Reporter: Rick Hillegas
>            Priority: Minor
> All of the implementations of this method involve constructing a query by concatenating
boilerplate text with a user-supplied name. This looks like a SQL injection bug to me.
> A better solution would be to call java.sql.DatabaseMetaData.getTables() to implement
this method, using the catalog and schema which are available from Connection.getCatalog()
and Connection.getSchema(). This would not work on Java 6 because Connection.getSchema() was
introduced in Java 7. However, the solution would work for more modern JVMs. Limiting the
vulnerability to obsolete JVMs would at least be an improvement over the current situation.
Java 6 has been end-of-lifed and is not an appropriate platform for users who are concerned
about security.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message