[ https://issues.apache.org/jira/browse/SPARK-42854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

PJ Fanning updated SPARK-42854:
-------------------------------
    Description: 
I'm not advocating for an upgrade to [Jackson 
2.15|https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15]. 
2.15.0-rc1 has just been released and 2.15.0 should be out soon.

There are some security-focused enhancements including a new class called 
StreamReadConstraints. The defaults on 
[StreamReadConstraints|https://javadoc.io/static/com.fasterxml.jackson.core/jackson-core/2.15.0-rc1/com/fasterxml/jackson/core/StreamReadConstraints.html]
 are pretty high but it is not inconceivable that some Spark users might need 
to relax them. Parsing large strings as numbers is sub-quadratic, thus the 
default limit of 1000 chars or bytes (depending on input context).

When the Spark team consider upgrading to Jackson 2.15 or above, you might also 
want to consider adding some way for users to configure the 
StreamReadConstraints.

  was:
I'm not advocating for an upgrade to Jackson 2.15. 2.15.0-rc1 has just been 
released and 2.15.0 should be out soon.

There are some security-focused enhancements including a new class called 
StreamReadConstraints. The defaults on 
[StreamReadConstraints|https://javadoc.io/static/com.fasterxml.jackson.core/jackson-core/2.15.0-rc1/com/fasterxml/jackson/core/StreamReadConstraints.html]
 are pretty high but it is not inconceivable that some Spark users might need 
to relax them. Parsing large strings as numbers is sub-quadratic, thus the 
default limit of 1000 chars or bytes (depending on input context).

When the Spark team consider upgrading to Jackson 2.15 or above, you might also 
want to consider adding some way for users to configure the 
StreamReadConstraints.


> Jackson 2.15
> ------------
>
>                 Key: SPARK-42854
>                 URL: https://issues.apache.org/jira/browse/SPARK-42854
>             Project: Spark
>          Issue Type: Improvement
>          Components: Input/Output
>    Affects Versions: 3.4.1
>            Reporter: PJ Fanning
>            Priority: Major
>
> I'm not advocating for an upgrade to [Jackson 
> 2.15|https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15]. 
> 2.15.0-rc1 has just been released and 2.15.0 should be out soon.
> There are some security-focused enhancements including a new class called 
> StreamReadConstraints. The defaults on 
> [StreamReadConstraints|https://javadoc.io/static/com.fasterxml.jackson.core/jackson-core/2.15.0-rc1/com/fasterxml/jackson/core/StreamReadConstraints.html]
>  are pretty high but it is not inconceivable that some Spark users might need 
> to relax them. Parsing large strings as numbers is sub-quadratic, thus the 
> default limit of 1000 chars or bytes (depending on input context).
> When the Spark team consider upgrading to Jackson 2.15 or above, you might 
> also want to consider adding some way for users to configure the 
> StreamReadConstraints.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
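
The kind of configuration the issue asks Spark to expose, shown directly against Jackson 2.15 as an added example (not part of the original message and not Spark code). The class name, the helper names and the 2000-character limit are assumptions chosen for illustration; the input is constructed.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class StreamReadConstraintsDemo {

    // Build a mapper whose parser enforces the given maximum number length.
    // (Hypothetical helper; a real deployment would read the limit from config.)
    static ObjectMapper mapperWithMaxNumberLength(int maxNumberLength) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNumberLength(maxNumberLength)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return new ObjectMapper(factory);
    }

    // Returns true if the document parses, false if Jackson rejects it.
    static boolean parses(ObjectMapper mapper, String json) {
        try {
            JsonNode node = mapper.readTree(json);
            return node != null;
        } catch (JsonProcessingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input: a JSON document holding one 1500-digit integer,
        // longer than the default number-length limit described in the issue.
        String json = "{\"n\": " + "9".repeat(1500) + "}";

        ObjectMapper defaults = new ObjectMapper();              // Jackson 2.15 default limits
        ObjectMapper relaxed = mapperWithMaxNumberLength(2000);  // explicitly relaxed limit

        System.out.println("default limit: "
                + StreamReadConstraints.defaults().getMaxNumberLength());
        System.out.println("default mapper parses: " + parses(defaults, json));
        System.out.println("relaxed mapper parses: " + parses(relaxed, json));
    }
}
```

Raising the limit only where a workload needs it keeps the protective default in force for every other input source.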