GitHub user gatorsmile opened a pull request: https://github.com/apache/spark/pull/21549
[SPARK-24542] [SQL] UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files

## What changes were proposed in this pull request?

UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files. Spark does not have built-in access control. When users use the external access control library, users might bypass them and access the file contents.

This PR basically patches the Hive fix to Apache Spark. https://issues.apache.org/jira/browse/HIVE-18879

## How was this patch tested?

A unit test case

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gatorsmile/spark xpathSecurity

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/21549.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #21549

----
commit 07f71d3c3ab553ff763e6a0015d08abe9855e682
Author: Xiao Li <gatorsmile@...>
Date: 2018-06-13T06:32:08Z

    fix
----
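
The class of issue described above is usually closed by configuring the XML parser to refuse DTDs before any XPath is evaluated. The following is an added example, not the code from this pull request or from HIVE-18879; the class name `HardenedXPathEval` and the sample inputs are constructed for illustration, and it assumes the JDK's built-in JAXP parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper class; the name is not taken from Spark or Hive.
public class HardenedXPathEval {

    // Build a DOM parser that rejects any DOCTYPE, so entities declared by
    // the input document are never defined, let alone resolved.
    static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse with the hardened builder first, then evaluate the XPath on the DOM.
    static String eval(String xml, String path) throws Exception {
        Document doc = newBuilder().parse(new InputSource(new StringReader(xml)));
        return XPathFactory.newInstance().newXPath().evaluate(path, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. The second carries an inline DTD with an
        // internal entity only; the parser rejects the DOCTYPE itself.
        String plain = "<a><b>hello</b></a>";
        String withDtd = "<!DOCTYPE a [<!ENTITY e \"x\">]><a><b>&e;</b></a>";

        System.out.println(eval(plain, "/a/b"));
        try {
            eval(withDtd, "/a/b");
            System.out.println("DOCTYPE accepted (parser not hardened)");
        } catch (SAXException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

A unit test for a fix of this kind can assert that the DOCTYPE-bearing input raises an exception while the plain input still evaluates.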