[ 
https://issues.apache.org/jira/browse/AIRFLOW-231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15329370#comment-15329370
 ] 

ASF subversion and git services commented on AIRFLOW-231:
---------------------------------------------------------

Commit 7d29698b639d9e2060465aa778efb842986df706 in incubator-airflow's branch 
refs/heads/master from [~maxime.beauche...@apache.org]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=7d29698 ]

[AIRFLOW-231] Do not eval user input in PrestoHook

Running `eval` represent a security threat as the interpreter can be
hijacked by the service returning the string getting "evaled", in this
case Presto. It turns out the code I'm changing here was written a long
time ago and misguided, casting a python object to a string and then
evaling it as a useless round trip.

Closes #1584 from mistercrunch/security


> Remove security issue around `eval` statement in PrestoHook
> -----------------------------------------------------------
>
>                 Key: AIRFLOW-231
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-231
>             Project: Apache Airflow
>          Issue Type: Improvement
>            Reporter: Maxime Beauchemin
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to