You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@spark.apache.org by "srowen (via GitHub)" <gi...@apache.org> on 2023/10/17 13:37:34 UTC

[PR] [MINOR][SQL] Remove signature from Hive thriftserver exception [spark]

srowen opened a new pull request, #43402:
URL: https://github.com/apache/spark/pull/43402

   ### What changes were proposed in this pull request?
   
   Don't return expected signature to caller in Hive thriftserver exception 
   
   ### Why are the changes needed?
   
   Please see private@ discussion
   
   ### Does this PR introduce _any_ user-facing change?
   
   No
   
   ### How was this patch tested?
   
   Existing tests
   
   
   ### Was this patch authored or co-authored using generative AI tooling?
   
   No


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

Re: [PR] [MINOR][SQL] Remove signature from Hive thriftserver exception [spark]

Posted by "dongjoon-hyun (via GitHub)" <gi...@apache.org>.

dongjoon-hyun commented on PR #43402:
URL: https://github.com/apache/spark/pull/43402#issuecomment-1767334927

   Merged to master/3.5/3.4/3.3.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

Re: [PR] [MINOR][SQL] Remove signature from Hive thriftserver exception [spark]

Posted by "srowen (via GitHub)" <gi...@apache.org>.

srowen commented on code in PR #43402:
URL: https://github.com/apache/spark/pull/43402#discussion_r1363054822


##########
sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java:
##########
@@ -81,8 +81,7 @@ public String verifyAndExtract(String signedStr) {
       LOG.debug("Signature generated for " + rawValue + " inside verify is " + currentSignature);
     }
     if (!MessageDigest.isEqual(originalSignature.getBytes(), currentSignature.getBytes())) {
-      throw new IllegalArgumentException("Invalid sign, original = " + originalSignature +
-        " current = " + currentSignature);
+      throw new IllegalArgumentException("Invalid sign");

Review Comment:
   I went for minimal change here. This is copied from Hive and meant to be a stopgap until Hive addresses an ongoing discussion about a potential security issue here



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

Re: [PR] [MINOR][SQL] Remove signature from Hive thriftserver exception [spark]

Posted by "dongjoon-hyun (via GitHub)" <gi...@apache.org>.

dongjoon-hyun closed pull request #43402: [MINOR][SQL] Remove signature from Hive thriftserver exception
URL: https://github.com/apache/spark/pull/43402


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

Re: [PR] [MINOR][SQL] Remove signature from Hive thriftserver exception [spark]

Posted by "beliefer (via GitHub)" <gi...@apache.org>.

beliefer commented on code in PR #43402:
URL: https://github.com/apache/spark/pull/43402#discussion_r1363053716


##########
sql/hive-thriftserver/src/main/java/org/apache/hive/service/CookieSigner.java:
##########
@@ -81,8 +81,7 @@ public String verifyAndExtract(String signedStr) {
       LOG.debug("Signature generated for " + rawValue + " inside verify is " + currentSignature);
     }
     if (!MessageDigest.isEqual(originalSignature.getBytes(), currentSignature.getBytes())) {
-      throw new IllegalArgumentException("Invalid sign, original = " + originalSignature +
-        " current = " + currentSignature);
+      throw new IllegalArgumentException("Invalid sign");

Review Comment:
   Could we add` incorrect signature`? `Invalid sign` makes confusion.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

Re: [PR] [MINOR][SQL] Remove signature from Hive thriftserver exception [spark]

Posted by "LuciferYang (via GitHub)" <gi...@apache.org>.

LuciferYang commented on PR #43402:
URL: https://github.com/apache/spark/pull/43402#issuecomment-1767673785

   late LGTM, hahaha, this is a very old security issue.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org