[
https://issues.apache.org/jira/browse/SENTRY-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16934984#comment-16934984
]
Hadoop QA commented on SENTRY-2533:
-----------------------------------
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12980961/SENTRY-2533.001.patch
against master.
{color:red}Overall:{color} -1 due to an error
{color:red}ERROR:{color} mvn test exited 1
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/4429/console
This message is automatically generated.
> The UDF in_file should be blacked defaultly
> -------------------------------------------
>
> Key: SENTRY-2533
> URL: https://issues.apache.org/jira/browse/SENTRY-2533
> Project: Sentry
> Issue Type: New Feature
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Wenchao Li
> Priority: Major
> Labels: security
> Attachments: SENTRY-2533.001.patch
>
>
> HIVE-20420(CVE-2018-11777) introduced a fallback authorizer factory which
> disallowed some builtin UDFs such as java_method, reflect, reflect2 and
> in_file. But Sentry does not black in_file up to now, so a malicious user can
> use in_file in SQL queries to detect some specific files on the HS2 host, or
> to detect whether a specific file has specific content. in_file should be
> added to HIVE_UDF_BLACK_LIST.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
