Posted to commits@zeppelin.apache.org by ku...@apache.org on 2017/07/17 04:45:37 UTC
zeppelin git commit: [ZEPPELIN-2769] Prevent SQL injection for
GetUserList.getUserList.
Repository: zeppelin
Updated Branches:
refs/heads/master 3a57fc293 -> 709c5a70a
[ZEPPELIN-2769] Prevent SQL injection for GetUserList.getUserList.
### What is this PR for?
Prevent SQL injection for ```GetUserList.getUserList```.
### What type of PR is it?
Improvement
### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2769
Author: Yanbo Liang <yb...@gmail.com>
Closes #2487 from yanboliang/zeppelin-2769 and squashes the following commits:
d1a7ff9b [Yanbo Liang] Prevent SQL injection for GetUserList.getUserList.
Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/709c5a70
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/709c5a70
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/709c5a70
Branch: refs/heads/master
Commit: 709c5a70a8f37277c9eea0a1c0c9195b5eb21a74
Parents: 3a57fc2
Author: Yanbo Liang <yb...@gmail.com>
Authored: Wed Jul 12 15:25:05 2017 +0800
Committer: 1ambda <1a...@gmail.com>
Committed: Mon Jul 17 13:45:25 2017 +0900
----------------------------------------------------------------------
.../src/main/java/org/apache/zeppelin/rest/GetUserList.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/709c5a70/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
index c0270dd..458d5bd 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
@@ -231,7 +231,7 @@ public class GetUserList {
return userlist;
}
- userquery = "select " + username + " from " + tablename;
+ userquery = "select ? from ?";
} catch (IllegalAccessException e) {
LOG.error("Error while accessing dataSource for JDBC Realm", e);
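Review bot: The parameterized query on the `+` line, `select ? from ?`, does not do what the commit intends: JDBC `?` placeholders bind values, not identifiers, so most drivers reject this statement at `prepareStatement` and the few that accept it treat the bound strings as literals, which silently breaks user listing instead of hardening it. For a column name and a table name the fix is to allow-list the configured `username` and `tablename` (the log message on the next line suggests they come from the JDBC realm configuration, though their origin is not visible in this hunk) and only then build the query text; `Statement.enquoteIdentifier` is an alternative if the build targets JDBC 4.3 / Java 9+. A class-level `private static final Pattern SQL_IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_.]*$");` (with `java.util.regex.Pattern` imported) is strict enough to exclude quotes, spaces, comments and statement separators while still allowing a schema-qualified table name. The enclosing try block starts before this hunk.
```java
// '?' cannot stand in for a column or table name, so validate both identifiers
// against an allow-list before splicing them into the statement text.
if (!SQL_IDENTIFIER.matcher(username).matches()
    || !SQL_IDENTIFIER.matcher(tablename).matches()) {
  LOG.error("Invalid column or table name in JDBC Realm config; not building user query");
  return userlist;
}
userquery = "select " + username + " from " + tablename;
// … unchanged: catch (IllegalAccessException e) …
```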
@@ -241,6 +241,8 @@ public class GetUserList {
try {
Connection con = dataSource.getConnection();
ps = con.prepareStatement(userquery);
+ ps.setString(1, username);
+ ps.setString(2, tablename);
rs = ps.executeQuery();
while (rs.next()) {
userlist.add(rs.getString(1).trim());
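Review bot: The two added `setString` calls bind `username` and `tablename` as string literals, so on any driver that accepts `select ? from ?` at all, `rs.getString(1)` on the last line returns the literal text of `username` for every row rather than the column's value, and the returned user list is wrong. If the identifiers are instead validated and concatenated into `userquery` (the only workable approach for non-value parts of a statement), these two lines must be removed rather than left in place, because the prepared statement would then have no parameters and `setString(1, …)` would throw. Separately, `con`, `ps` and `rs` are opened here and no close is visible in the hunk; if they are not released in a `finally` outside this view, wrapping them in try-with-resources would be the safer shape. The handler for this try block lies outside the hunk.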