diff --git a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Server.java b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Server.java index 77c8610..b283ee9 100644 --- a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Server.java +++ b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Server.java @@ -363,7 +363,7 @@ public Response descOneTableProperty(@PathParam("db") String db, verifyUser(); verifyDdlParam(db, ":db"); verifyDdlParam(table, ":table"); - verifyDdlParam(property, ":property"); + verifyPropertyParam(property, ":property"); HcatDelegator d = new HcatDelegator(appConf, execService); return d.descTableProperty(getDoAsUser(), db, table, property); @@ -402,7 +402,7 @@ public Response addOneTableProperty(@PathParam("db") String db, verifyUser(); verifyDdlParam(db, ":db"); verifyDdlParam(table, ":table"); - verifyDdlParam(property, ":property"); + verifyPropertyParam(property, ":property"); desc.name = property; HcatDelegator d = new HcatDelegator(appConf, execService); @@ -1119,6 +1119,7 @@ public void verifyParam(List param, String name) } public static final Pattern DDL_ID = Pattern.compile("[a-zA-Z]\\w*"); + public static final Pattern PROPERTY_ID = Pattern.compile("[a-zA-Z0-9][\\w\\.\\-]*"); /** * Verify that the parameter exists and is a simple DDL identifier @@ -1134,6 +1135,21 @@ public void verifyDdlParam(String param, String name) throw new BadParam("Invalid DDL identifier " + name); } } + + /** + * Verify that the parameter exists and is a valid property + * name. Throw an exception if invalid. + * + */ + public void verifyPropertyParam(String param, String name) + throws BadParam { + verifyParam(param, name); + Matcher m = PROPERTY_ID.matcher(param); + if (!m.matches()) { + throw new BadParam("Invalid property name " + name); + } + } + /** * Get the user name from the security context, i.e. the user making the HTTP request. * With simple/pseudo security mode this should return the