[GitHub] spark pull request #21549: [SPARK-24542] [SQL] UDF series UDFXPathXXXX allow...
Github user asfgit closed the pull request at: https://github.com/apache/spark/pull/21549

---
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org
Github user gatorsmile commented on a diff in the pull request: https://github.com/apache/spark/pull/21549#discussion_r195153892

--- Diff: sql/catalyst/src/test/scala/org/apache/spark/sql/catalyst/expressions/xml/UDFXPathUtilSuite.scala ---
@@ -77,6 +77,23 @@ class UDFXPathUtilSuite extends SparkFunSuite { assert(ret == "foo") } + test("embedFailure") { +import org.apache.commons.io.FileUtils +import java.io.File +val secretValue = String.valueOf(Math.random) +val tempFile = File.createTempFile("verifyembed", ".tmp") +tempFile.deleteOnExit() +val fname = tempFile.getAbsolutePath + +FileUtils.writeStringToFile(tempFile, secretValue) + +val xml = + "\n" + " \n" + "]>\n" + "&embed;"
--- End diff --

xml has a unique syntax. A little bit hard to make it work sometimes.
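Review bot: `FileUtils.writeStringToFile(tempFile, secretValue)` in the new `embedFailure` test uses the overload with no charset argument, which writes in the platform default encoding and is deprecated in commons-io 2.5 and later; pass `StandardCharsets.UTF_8` (or `Files.write` from the JDK) so the fixture is encoding-independent. Two smaller points in the same hunk: the `import org.apache.commons.io.FileUtils` and `import java.io.File` lines sit inside the test body rather than at the top of the suite with the other imports, and `val fname = tempFile.getAbsolutePath` is assigned but not referenced in the lines shown, so either it should feed the entity declaration in the `xml` literal or be dropped. As quoted here the `xml` literal carries only `"\n" + " \n" + "]>\n" + "&embed;"`, with no DOCTYPE or ENTITY markup for `&embed;` to resolve against, so please double-check the literal survived intact in the committed file.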
Github user cloud-fan commented on a diff in the pull request: https://github.com/apache/spark/pull/21549#discussion_r195118451

--- Diff: sql/catalyst/src/test/scala/org/apache/spark/sql/catalyst/expressions/xml/UDFXPathUtilSuite.scala ---
@@ -77,6 +77,23 @@ class UDFXPathUtilSuite extends SparkFunSuite { assert(ret == "foo") } + test("embedFailure") { +import org.apache.commons.io.FileUtils +import java.io.File +val secretValue = String.valueOf(Math.random) +val tempFile = File.createTempFile("verifyembed", ".tmp") +tempFile.deleteOnExit() +val fname = tempFile.getAbsolutePath + +FileUtils.writeStringToFile(tempFile, secretValue) + +val xml = + "\n" + " \n" + "]>\n" + "&embed;"
--- End diff --

Can we use a multiline string to make it easier to read?
GitHub user gatorsmile opened a pull request: https://github.com/apache/spark/pull/21549

[SPARK-24542] [SQL] UDF series UDFXPath allow users to pass carefully crafted XML to access arbitrary files

## What changes were proposed in this pull request?

UDF series UDFXPath allow users to pass carefully crafted XML to access arbitrary files. Spark does not have built-in access control. When users use the external access control library, users might bypass them and access the file contents.

This PR basically patches the Hive fix to Apache Spark. https://issues.apache.org/jira/browse/HIVE-18879

## How was this patch tested?

A unit test case

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gatorsmile/spark xpathSecurity

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/21549.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #21549

commit 07f71d3c3ab553ff763e6a0015d08abe9855e682
Author: Xiao Li
Date:   2018-06-13T06:32:08Z

    fix