[SPARK-24542] [SQL] UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files #21549
Conversation
|
Test build #91749 has finished for PR 21549 at commit
|
|
|
||
| val xml = | ||
| "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" + "<!DOCTYPE test [ \n" + | ||
| " <!ENTITY embed SYSTEM \"" + fname + "\"> \n" + "]>\n" + "<foo>&embed;</foo>" |
There was a problem hiding this comment.
can we use multiline string to make it easier to read?
There was a problem hiding this comment.
xml has a unique syntax. A little bit hard to make it work sometimes.
|
Test build #91784 has finished for PR 21549 at commit
|
|
retest this please |
|
Test build #91786 has finished for PR 21549 at commit
|
|
retest this please |
|
Test build #91787 has finished for PR 21549 at commit
|
|
retest this please |
|
Test build #91943 has finished for PR 21549 at commit
|
|
retest this please |
|
Test build #91948 has finished for PR 21549 at commit
|
|
retest this please |
|
Test build #91952 has finished for PR 21549 at commit
|
|
retest this please |
|
Test build #91960 has finished for PR 21549 at commit
|
|
@HyukjinKwon is it possible that the constant build failure is caused by the java style checker? Other PRs that don't touch java files are fine. |
|
@cloud-fan, I will take a look tonight (singapore timezone). Please feel free to disable it for now to unblock other PRs if you think so. From a very quick look (it's mobile), I think it needs some time. |
|
you can commwnt this line https://github.com/HyukjinKwon/spark/blob/master/dev/run-tests.py#L577 and add |
|
If you think it's not super urgent, please give me few days. I have some speculations about it. Will test it and try a fix tomorrow as soon as we can access to Jenkins results. |
|
retest this please |
|
Test build #92021 has finished for PR 21549 at commit
|
|
Test build #92033 has finished for PR 21549 at commit
|
|
retest this please |
|
Test build #92042 has finished for PR 21549 at commit
|
|
retest this please |
|
Test build #92053 has finished for PR 21549 at commit
|
|
thanks, merging to master/2.3! |
…lly crafted XML to access arbitrary files ## What changes were proposed in this pull request? UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files. Spark does not have built-in access control. When users use the external access control library, users might bypass them and access the file contents. This PR basically patches the Hive fix to Apache Spark. https://issues.apache.org/jira/browse/HIVE-18879 ## How was this patch tested? A unit test case Author: Xiao Li <gatorsmile@gmail.com> Closes #21549 from gatorsmile/xpathSecurity. (cherry picked from commit 9a75c18) Signed-off-by: Wenchen Fan <wenchen@databricks.com>
…lly crafted XML to access arbitrary files UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files. Spark does not have built-in access control. When users use the external access control library, users might bypass them and access the file contents. This PR basically patches the Hive fix to Apache Spark. https://issues.apache.org/jira/browse/HIVE-18879 A unit test case Author: Xiao Li <gatorsmile@gmail.com> Closes apache#21549 from gatorsmile/xpathSecurity. (cherry picked from commit 9a75c18) RB=1807957 BUG=APA-6723 G=superfriends-reviewers R=mshen,latang,fli,zolin,yezhou A=chsingh
What changes were proposed in this pull request?
UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files. Spark does not have built-in access control. When users use the external access control library, users might bypass them and access the file contents.
This PR basically patches the Hive fix to Apache Spark. https://issues.apache.org/jira/browse/HIVE-18879
How was this patch tested?
A unit test case