You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@spark.apache.org by "Hyukjin Kwon (JIRA)" <ji...@apache.org> on 2019/05/21 04:25:21 UTC

[jira] [Updated] (SPARK-10857) SQL injection bug in JdbcDialect.getTableExistsQuery()

     [ https://issues.apache.org/jira/browse/SPARK-10857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hyukjin Kwon updated SPARK-10857:
---------------------------------
    Labels: bulk-closed  (was: )

> SQL injection bug in JdbcDialect.getTableExistsQuery()
> ------------------------------------------------------
>
>                 Key: SPARK-10857
>                 URL: https://issues.apache.org/jira/browse/SPARK-10857
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.5.0
>            Reporter: Rick Hillegas
>            Priority: Minor
>              Labels: bulk-closed
>
> All of the implementations of this method involve constructing a query by concatenating boilerplate text with a user-supplied name. This looks like a SQL injection bug to me.
> A better solution would be to call java.sql.DatabaseMetaData.getTables() to implement this method, using the catalog and schema which are available from Connection.getCatalog() and Connection.getSchema(). This would not work on Java 6 because Connection.getSchema() was introduced in Java 7. However, the solution would work for more modern JVMs. Limiting the vulnerability to obsolete JVMs would at least be an improvement over the current situation. Java 6 has been end-of-lifed and is not an appropriate platform for users who are concerned about security.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org