[
https://issues.apache.org/jira/browse/HIVE-20607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16622504#comment-16622504
]
Sergey Shelukhin commented on HIVE-20607:
-----------------------------------------
[~ekoifman] SQL injection via APIs.
[~sankarh] is it the same issue I was sending to security@, or a different one?
I filed a JIRA before but then deleted it, without a patch it's better to not
have one just hanging around :)
> TxnHandler should use PreparedStatement to execute direct SQL queries.
> ----------------------------------------------------------------------
>
> Key: HIVE-20607
> URL: https://issues.apache.org/jira/browse/HIVE-20607
> Project: Hive
> Issue Type: Bug
> Components: Standalone Metastore, Transactions
> Affects Versions: 4.0.0
> Reporter: Sankar Hariappan
> Assignee: Sankar Hariappan
> Priority: Major
> Labels: ACID
> Fix For: 4.0.0
>
>
> TxnHandler uses direct SQL queries to operate on Txn related databases/tables
> in Hive metastore RDBMS.
> Most of the methods are direct calls from Metastore api which should be
> directly append input string arguments to the SQL string.
> Need to use parameterised PreparedStatement object to set these arguments.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
