[
https://issues.apache.org/jira/browse/SENTRY-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wenchao Li updated SENTRY-2533:
-------------------------------
Attachment: SENTRY-2533.001.patch
Status: Patch Available (was: Open)
> The UDF in_file should be blacked defaultly
> -------------------------------------------
>
> Key: SENTRY-2533
> URL: https://issues.apache.org/jira/browse/SENTRY-2533
> Project: Sentry
> Issue Type: New Feature
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Wenchao Li
> Priority: Major
> Labels: security
> Attachments: SENTRY-2533.001.patch
>
>
> HIVE-20420(CVE-2018-11777) introduced a fallback authorizer factory which
> disallowed some builtin UDFs such as java_method, reflect, reflect2 and
> in_file. But Sentry does not black in_file up to now, so a malicious user can
> use in_file in SQL queries to detect some specific files on the HS2 host, or
> to detect whether a specific file has specific content. in_file should be
> added to HIVE_UDF_BLACK_LIST.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
