You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hive.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/06/16 09:43:00 UTC

[jira] [Comment Edited] (HIVE-20607) TxnHandler should use PreparedStatement to execute direct SQL queries.

    [ https://issues.apache.org/jira/browse/HIVE-20607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17554433#comment-17554433 ] 

Colm O hEigeartaigh edited comment on HIVE-20607 at 6/16/22 9:42 AM:
---------------------------------------------------------------------

Would it be possible to backport this fix to branch-3.1 as well? 

I don't see any evidence of it in the commit log for [https://github.com/apache/hive/commits/branch-3.1/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/txn/TxnHandler.java]

Maybe the fix could be backported in https://issues.apache.org/jira/browse/HIVE-22073, as security scanners are showing a vulnerability in Hive 3.1.2 due to this issue.


was (Author: coheigea):
Was this fix ever backported to branch-3? I don't see any evidence of it in the commit log for [https://github.com/apache/hive/commits/branch-3.1/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/txn/TxnHandler.java]

Therefore I think the fix-version of 3.2.0 on this ticket is incorrect. See: https://issues.apache.org/jira/browse/HIVE-22073

Maybe the fix could be backported in https://issues.apache.org/jira/browse/HIVE-22073, as security scanners are showing a vulnerability in Hive 3.2.1 due to this issue.

> TxnHandler should use PreparedStatement to execute direct SQL queries.
> ----------------------------------------------------------------------
>
>                 Key: HIVE-20607
>                 URL: https://issues.apache.org/jira/browse/HIVE-20607
>             Project: Hive
>          Issue Type: Bug
>          Components: Standalone Metastore, Transactions
>    Affects Versions: 3.1.0, 4.0.0
>            Reporter: Sankar Hariappan
>            Assignee: Sankar Hariappan
>            Priority: Major
>              Labels: ACID, pull-request-available
>             Fix For: 3.2.0, 4.0.0, 4.0.0-alpha-1
>
>         Attachments: HIVE-20607.01-branch-3.patch, HIVE-20607.01.patch
>
>
> TxnHandler uses direct SQL queries to operate on Txn related databases/tables in Hive metastore RDBMS.
> Most of the methods are direct calls from Metastore api which should be directly append input string arguments to the SQL string.
> Need to use parameterised PreparedStatement object to set these arguments.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)