[ https://issues.apache.org/jira/browse/PHOENIX-4189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16167167#comment-16167167 ]
Hudson commented on PHOENIX-4189:
---------------------------------

FAILURE: Integrated in Jenkins build Phoenix-master #1799 (See [https://builds.apache.org/job/Phoenix-master/1799/])
PHOENIX-4189 Introduce a class that wraps the Map of primary key data (elserj: rev 052490e09f2271eaa84dc9ab123a62a87123a498)
* (edit) phoenix-hive/src/main/java/org/apache/phoenix/hive/util/PhoenixStorageHandlerUtil.java
* (add) phoenix-hive/src/main/java/org/apache/phoenix/hive/PrimaryKeyData.java
* (edit) phoenix-hive/src/main/java/org/apache/phoenix/hive/PhoenixRowKey.java
* (add) phoenix-hive/src/test/java/org/apache/phoenix/hive/PrimaryKeyDataTest.java

> Avoid direct use of ObjectInputStream in Hive integration
> ---------------------------------------------------------
>
>                 Key: PHOENIX-4189
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4189
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.12.0
>
>         Attachments: PHOENIX-4189.001.patch
>
>
> Another security scan ding, but not a very big concern.
> We use ObjectInputStream to serialize/deserialize a Map which contains the
> columns+values of the primary key constraint. The problem with
> ObjectInputStream is that it doesn't care what Class it deserializes. If a
> malicious user can somehow coerce some unknowing user to use an InputSplit
> that has this specially crafted class, we can get into an arbitrary code
> execution.
> https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to
> work around this issue in code, but it leaves a bit to be desired. The
> ObjectInputStream recursively calls itself as it deserializes the fields in
> the Object. By trusting some classes from the packages java.lang, java.util,
> and java.sql, I believe we can remove this minor concern.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
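The "look-ahead" technique the issue description refers to, as an added example that is not Phoenix's code and not the contents of PHOENIX-4189.001.patch: the stream subclass overrides `resolveClass` so that a class outside the allowlisted packages (java.lang, java.util and java.sql, the packages named in the description) is rejected before the JVM loads it, which means none of that class's static initializer, `readObject` or `readResolve` logic ever runs. The class names `LookAheadObjectInputStream`, `NotAllowed` and the primary-key map contents are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class LookAheadDeserializationDemo {

    /**
     * Hypothetical look-ahead stream (not Phoenix's PrimaryKeyData): the class name in each
     * incoming class descriptor is checked against a package allowlist before
     * ObjectInputStream is allowed to load the class. Because ObjectInputStream calls
     * resolveClass for every nested class descriptor as it recurses into object fields,
     * the check also covers classes that appear only as field values.
     */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private static final String[] ALLOWED_PACKAGES = {"java.lang.", "java.util.", "java.sql."};

        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String pkg : ALLOWED_PACKAGES) {
                if (name.startsWith(pkg)) {
                    return super.resolveClass(desc);
                }
            }
            // Thrown before Class.forName runs, so the rejected class never executes any code.
            throw new InvalidClassException(name, "class is not in the deserialization allowlist");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Stand-in for an attacker-supplied class; its readObject is the side effect the allowlist stops. */
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("NotAllowed.readObject ran (should never print)");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of what a primary-key map might hold: column name -> value.
        Map<String, Object> primaryKey = new HashMap<>();
        primaryKey.put("id", 42);
        primaryKey.put("name", "alice");

        // HashMap, Integer and Number are all in allowlisted packages, so this round-trips.
        @SuppressWarnings("unchecked")
        Map<String, Object> roundTrip = (Map<String, Object>) deserialize(serialize(primaryKey));
        System.out.println("accepted: " + roundTrip);

        // A payload whose class is outside the allowlist is rejected at the class descriptor.
        try {
            deserialize(serialize(new NotAllowed()));
            System.out.println("BUG: NotAllowed was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a reviewer would raise on this shape of filter. First, the prefix check as written rejects array descriptors such as `[Ljava.lang.String;` even though the element type is allowlisted; a filter that must accept arrays has to strip the array prefix before matching. Second, allowlisting whole packages is broader than an allowlist of the exact classes the map is known to contain (HashMap, String, Integer, and so on), and a tighter list leaves less for a gadget chain to work with. On Java 9 and later (and later Java 8 updates), the built-in `ObjectInputFilter` mechanism from JEP 290 does this same look-ahead check without subclassing the stream and is the preferred way to express the allowlist.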