You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@sentry.apache.org by "Kalyan Kalvagadda (Jira)" <ji...@apache.org> on 2019/10/03 23:02:00 UTC
[jira] [Commented] (SENTRY-2533) The UDF in_file should be blacked
default
[ https://issues.apache.org/jira/browse/SENTRY-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16944101#comment-16944101 ]
Kalyan Kalvagadda commented on SENTRY-2533:
-------------------------------------------
@Wenchao I have assigned the Jira to you as you are already working on it.
> The UDF in_file should be blacked default
> -----------------------------------------
>
> Key: SENTRY-2533
> URL: https://issues.apache.org/jira/browse/SENTRY-2533
> Project: Sentry
> Issue Type: New Feature
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Wenchao Li
> Assignee: Wenchao Li
> Priority: Major
> Labels: security
> Attachments: SENTRY-2533.001.patch, SENTRY-2533.001.patch, SENTRY-2533.001.patch, SENTRY-2533.001.patch
>
>
> HIVE-20420(CVE-2018-11777) introduced a fallback authorizer factory which disallowed some builtin UDFs such as java_method, reflect, reflect2 and in_file. But Sentry does not black in_file up to now, so a malicious user can use in_file in SQL queries to detect some specific files on the HS2 host, or to detect whether a specific file has specific content. in_file should be added to HIVE_UDF_BLACK_LIST.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)