Wenchao Li created SENTRY-2533:
----------------------------------
Summary: The UDF in_file should be blacked defaultly
Key: SENTRY-2533
URL: https://issues.apache.org/jira/browse/SENTRY-2533
Project: Sentry
Issue Type: New Feature
Components: Sentry
Affects Versions: 2.1.0
Reporter: Wenchao Li
HIVE-20420(CVE-2018-11777) introduced a fallback authorizer factory which
disallowed some builtin UDFS such as java_method, reflect, reflect2 and
in_file. But Sentry does not black in_file up to now, so a malicious user can
use in_file in SQL queries to detect some specific files on the HS2 host, or to
detect whether a specific file has specific content. in_file should be added to
HIVE_UDF_BLACK_LIST.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
