[ https://issues.apache.org/jira/browse/SPARK-10857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14937732#comment-14937732 ]

Suresh Thalamati commented on SPARK-10857:
------------------------------------------

One issue I ran into with the getSchema() call was that even if Spark uses Java 7 and 
above, the JDBC driver versions customers are using may not have support for 
getSchema. 

I tried on a couple of databases I had, and got an error on getSchema(). It is 
possible I have old drivers. 
postgresql-9.3-1101-jdbc4.jar
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.75.x86_64/bin/java -
Exception in thread "main" java.sql.SQLFeatureNotSupportedException: Method org.postgresql.jdbc4.Jdbc4Connection.getSchema() is not yet implemented.
        at org.postgresql.Driver.notImplemented(Driver.java:729)
        at org.postgresql.jdbc4.AbstractJdbc4Connection.getSchema(AbstractJdbc4Connection.java:239)

MySQL:
Implementation-Version: 5.1.17-SNAPSHOT
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.75.x86_64/
Exception in thread "main" java.sql.SQLFeatureNotSupportedException: Not supported
        at com.mysql.jdbc.JDBC4Connection.getSchema(JDBC4Connection.java:253)
...

        

> SQL injection bug in JdbcDialect.getTableExistsQuery()
> ------------------------------------------------------
>
>                 Key: SPARK-10857
>                 URL: https://issues.apache.org/jira/browse/SPARK-10857
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.5.0
>            Reporter: Rick Hillegas
>            Priority: Minor
>
> All of the implementations of this method involve constructing a query by 
> concatenating boilerplate text with a user-supplied name. This looks like a 
> SQL injection bug to me.
> A better solution would be to call java.sql.DatabaseMetaData.getTables() to 
> implement this method, using the catalog and schema which are available from 
> Connection.getCatalog() and Connection.getSchema(). This would not work on 
> Java 6 because Connection.getSchema() was introduced in Java 7. However, the 
> solution would work for more modern JVMs. Limiting the vulnerability to 
> obsolete JVMs would at least be an improvement over the current situation. 
> Java 6 has been end-of-lifed and is not an appropriate platform for users who 
> are concerned about security.



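The metadata-based check proposed in the issue, combined with a fallback for the drivers in the comment that reject getSchema(), could look like the following. This is an added example, not Spark's code or a patch from this thread; the class and method names are hypothetical, and it assumes the caller passes the table name in the case the database stores it.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;

// Hypothetical helper class, written for this example.
public final class TableExistsCheck {

    /** Current schema, or null (no schema filter) when the driver lacks getSchema(). */
    static String currentSchemaOrNull(Connection conn) throws SQLException {
        try {
            return conn.getSchema();
        } catch (SQLFeatureNotSupportedException e) {
            return null; // method declared but not implemented, as in the traces above
        } catch (AbstractMethodError e) {
            return null; // driver built against pre-4.1 JDBC: method missing entirely
        }
    }

    /** Escape the LIKE wildcards that getTables() honours in its pattern arguments. */
    static String escapePattern(String name, String esc) {
        if (esc == null || esc.isEmpty()) return name;
        return name.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_");
    }

    /** True if a table with exactly this name is visible; the name never becomes SQL text. */
    public static boolean tableExists(Connection conn, String table) throws SQLException {
        DatabaseMetaData md = conn.getMetaData();
        String esc = md.getSearchStringEscape();
        String schema = currentSchemaOrNull(conn);
        String schemaPattern = (schema == null) ? null : escapePattern(schema, esc);
        try (ResultSet rs = md.getTables(conn.getCatalog(), schemaPattern,
                                         escapePattern(table, esc), null)) {
            while (rs.next()) {
                // Exact comparison guards against a driver that ignored the escape
                // and treated '_' or '%' in the name as a wildcard.
                if (table.equals(rs.getString("TABLE_NAME"))) return true;
            }
            return false;
        }
    }
}
```

When the schema is unknown the lookup spans all schemas in the catalog, so a same-named table in another schema counts as a match.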