[
https://issues.apache.org/jira/browse/SPARK-15165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15294144#comment-15294144
]
Apache Spark commented on SPARK-15165:
--------------------------------------
User 'sarutak' has created a pull request for this issue:
https://github.com/apache/spark/pull/13230
> Codegen can break because toCommentSafeString is not actually safe
> ------------------------------------------------------------------
>
> Key: SPARK-15165
> URL: https://issues.apache.org/jira/browse/SPARK-15165
> Project: Spark
> Issue Type: Bug
> Components: SQL
> Affects Versions: 1.5.2, 1.6.1, 2.0.0
> Reporter: Kousuke Saruta
> Assignee: Kousuke Saruta
> Priority: Blocker
> Fix For: 2.0.0
>
>
> toCommentSafeString method replaces "\u" with "\ \u" to avoid codegen
> breaking.
> But if the even number of "\" is put before "u", like "\ \u", in the string
> literal in the query, codegen can break.
> Following code causes compilation error.
> {code}
> val df = Seq(...).toDF
> df.select("'\\\\\\\\u002A/'").show
> {code}
> The reason of the compilation error is because "\\\\\\\\u002A/" is translated
> into "*/" (the end of comment).
> Due to this unsafety, arbitrary code can be injected like as follows.
> {code}
> val df = Seq(...).toDF
> // Inject "System.exit(1)"
> df.select("'\\\\\\\\u002A/{System.exit(1);}/*'").show
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
