Rick Hillegas created SPARK-10857:
-------------------------------------
Summary: SQL injection bug in JdbcDialect.getTableExistsQuery()
Key: SPARK-10857
URL: https://issues.apache.org/jira/browse/SPARK-10857
Project: Spark
Issue Type: Bug
Components: SQL
Affects Versions: 1.5.0
Reporter: Rick Hillegas
Priority: Minor
All of the implementations of this method involve constructing a query by
concatenating boilerplate text with a user-supplied name. This looks like a SQL
injection bug to me.
A better solution would be to call java.sql.DatabaseMetaData.getTables() to
implement this method, using the catalog and schema which are available from
Connection.getCatalog() and Connection.getSchema(). This would not work on Java
6 because Connection.getSchema() was introduced in Java 7. However, the
solution would work for more modern JVMs. Limiting the vulnerability to
obsolete JVMs would at least be an improvement over the current situation. Java
6 has been end-of-lifed and is not an appropriate platform for users who are
concerned about security.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
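As an added illustration (not code from the Spark project or from the reporter), here is the concatenation pattern the report describes beside a check built on java.sql.DatabaseMetaData.getTables() with the catalog and schema taken from Connection.getCatalog() and Connection.getSchema(), as the report proposes. The class and method names are assumed; the identifier case-folding step is a simplification that does not cover quoted mixed-case names.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Locale;

public final class TableExistsCheck {

    // The pattern the report describes: fixed SQL text concatenated with a
    // caller-supplied table name. The name is an identifier, so it cannot be
    // passed as a PreparedStatement bind parameter; whatever characters it
    // contains become part of the statement text the database parses.
    static String tableExistsQueryByConcatenation(String table) {
        return "SELECT * FROM " + table + " WHERE 1=0";
    }

    // The alternative the report proposes: consult the driver's metadata using
    // the connection's catalog and schema. No statement text is composed from
    // the name, so it can only ever be matched against existing identifiers.
    static boolean tableExists(Connection conn, String table) throws SQLException {
        DatabaseMetaData md = conn.getMetaData();
        String catalog = conn.getCatalog();
        String schema = conn.getSchema();   // JDBC 4.1, i.e. Java 7 and later

        // Simplification (assumption): unquoted identifiers are case-folded the
        // way the database stores them. Quoted mixed-case names are not handled.
        String name = table;
        if (md.storesUpperCaseIdentifiers()) {
            name = name.toUpperCase(Locale.ROOT);
        } else if (md.storesLowerCaseIdentifiers()) {
            name = name.toLowerCase(Locale.ROOT);
        }

        // getTables() treats the table-name argument as a LIKE pattern, so the
        // wildcards are escaped with the driver's escape string to match literally.
        // The escape string itself is doubled first so it is not re-escaped.
        String escape = md.getSearchStringEscape();
        if (escape != null && !escape.isEmpty()) {
            name = name.replace(escape, escape + escape)
                       .replace("%", escape + "%")
                       .replace("_", escape + "_");
        }

        try (ResultSet rs = md.getTables(catalog, schema, name, new String[] {"TABLE", "VIEW"})) {
            return rs.next();
        }
    }
}
```

Call `tableExists(conn, name)` with any `java.sql.Connection` from a JDBC 4.1 driver; on Java 6 the `getSchema()` call does not compile, which matches the limitation the report notes. The metadata route also sidesteps the side effect of the concatenated form, which has to be executed against the database just to learn whether the table exists.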