Posted to commits@hive.apache.org by ai...@apache.org on 2018/05/15 17:11:55 UTC
hive git commit: HIVE-19496: Check untar folder (Aihua Xu,
reviewed by Sahil Takiar)
Repository: hive
Updated Branches:
refs/heads/master ff446b779 -> 6e6b0cb7b
HIVE-19496: Check untar folder (Aihua Xu, reviewed by Sahil Takiar)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/6e6b0cb7
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/6e6b0cb7
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/6e6b0cb7
Branch: refs/heads/master
Commit: 6e6b0cb7b1950e6b0e4a19b0f9e2d185031dd83f
Parents: ff446b7
Author: Aihua Xu <ai...@apache.org>
Authored: Thu May 10 14:51:57 2018 -0700
Committer: Aihua Xu <ai...@apache.org>
Committed: Tue May 15 10:11:19 2018 -0700
----------------------------------------------------------------------
.../src/java/org/apache/hadoop/hive/common/CompressionUtils.java | 4 ++++
1 file changed, 4 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/6e6b0cb7/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java b/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
index 681c506..d98632e 100644
--- a/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
+++ b/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
@@ -159,6 +159,10 @@ public class CompressionUtils {
TarArchiveEntry entry = null;
while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) {
final File outputFile = new File(outputDir, entry.getName());
+ if (!outputFile.toPath().toAbsolutePath().normalize()
+ .startsWith(outputDir.toPath().toAbsolutePath().normalize())) {
+ throw new IOException("Untarred file is not under the output directory");
+ }
if (entry.isDirectory()) {
if (flatten) {
// no sub-directories
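Review bot: The containment check added before `if (entry.isDirectory())` is lexical only: `toAbsolutePath().normalize()` collapses `..` segments but does not resolve symbolic links, so it holds only while nothing under `outputDir` is itself a link. Whether this loop can ever materialise link entries is not visible in the hunk; if it can, rejecting them up front with `if (entry.isSymbolicLink() || entry.isLink())` would close that gap. The exception message also omits the entry name, so the offending archive member cannot be identified from logs; something like `throw new IOException("Untarred file " + entry.getName() + " is not under the output directory " + outputDir);` would help triage. The normalized `outputDir` path is loop-invariant and could be computed once before the `while`. The enclosing method starts and ends outside the hunk.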