
Key: DERBY-2131
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: A B
Reporter: A B
Votes: 0
Watchers: 0
Derby

External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.

Created: 29/Nov/06 11:08 PM   Updated: 11/Dec/06 05:01 PM
Component/s: SQL
Affects Version/s: 10.2.1.6, 10.2.2.0, 10.3.1.4
Fix Version/s: 10.2.2.0, 10.3.1.4

Time Tracking:
Not Specified

File Attachments:
- d2131_10_2.patch (2 kB, A B, 2006-12-05 05:07 PM)
- d2131_rewrite_v1.patch (3 kB, A B, 2006-12-01 05:57 PM)
- d2131_rewrite_v2.patch (3 kB, A B, 2006-12-01 07:01 PM)
- d2131_v1.patch (2 kB, A B, 2006-11-29 11:10 PM)

Issue Links: Blocker
Resolution Date: 06/Dec/06 12:18 AM


Description
The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (ex. Xerces or Crimson) to parse an XML value. If the XML value that is being parsed references an external DTD, then the JAXP parser will need to read the DTD file to complete parsing. However, the current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP parser. As a result, when a user who is running with a security manager tries to insert a document that references an external DTD, the call to XMLPARSE will fail with a security exception--even if the JAXP parser has the required "read" permissions.
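
The failure the description traces, as an added Java example that is not Derby's own SqlXmlUtil code: `parseUnprivileged` has the shape of the original call, `parsePrivileged` the shape of the fix, with the privileged block holding only the single parse call and the wrapper exception unwrapped so callers see the parser's own exception. The document string and the DTD file name `note.dtd` are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class PrivilegedDtdParse {

    // Constructed sample: a value that references an external DTD by system
    // id; the JAXP parser must read note.dtd from disk to finish parsing it.
    static final String XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note SYSTEM \"note.dtd\">\n" +
        "<note><to>db</to></note>";

    /** Shape of the original call. Under a security manager the parser's
     *  read of note.dtd is checked against every protection domain on the
     *  call stack, so the read is refused when the code that issued the
     *  XMLPARSE lacks FilePermission, even if the parser itself has it. */
    static Document parseUnprivileged(DocumentBuilder builder, String xml)
            throws SAXException, IOException {
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    /** Shape of the fix: doPrivileged stops the stack walk at this frame, so
     *  only this class and the parser need the permission. The block holds
     *  as little code as possible, and the wrapper is unwrapped afterwards. */
    static Document parsePrivileged(final DocumentBuilder builder, final String xml)
            throws SAXException, IOException {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<Document>() {
                    public Document run() throws SAXException, IOException {
                        return builder.parse(new InputSource(new StringReader(xml)));
                    }
                });
        } catch (PrivilegedActionException pae) {
            Exception cause = pae.getException();
            if (cause instanceof SAXException) throw (SAXException) cause;
            if (cause instanceof IOException) throw (IOException) cause;
            throw new RuntimeException(cause);
        }
    }
}
```

To reproduce the report, run with a security manager and a policy that grants read access to note.dtd to the code sources of the parser and of this class but not to the calling code: the first method fails with a security exception, the second returns the Document.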

Subversion Commits

Revision: ASF #481117 | Date: Fri Dec 01 00:19:26 UTC 2006 | User: abrown
Message: DERBY-2131: Use a privileged block when calling out to the JAXP parser
so that users running with a security manager can insert XML values
that reference external DTDs without encountering security exceptions.

This patch does not include any tests; however, relevant test cases
will be enabled as part of DERBY-1758.
Files Changed
MODIFY /db/derby/code/trunk/java/engine/org/apache/derby/iapi/types/SqlXmlUtil.java

Revision: ASF #482303 | Date: Mon Dec 04 19:27:08 UTC 2006 | User: abrown
Message: DERBY-2131 (partial): Change privileged block in SqlXmlUtil.serializeToString()
so that it contains as little code as possible. Also adds a catch block
around the privileged block to unwrap security exceptions.
Files Changed
MODIFY /db/derby/code/trunk/java/engine/org/apache/derby/iapi/types/SqlXmlUtil.java

Revision: ASF #482837 | Date: Wed Dec 06 00:14:23 UTC 2006 | User: abrown
Message: DERBY-2131: Porting changes from trunk to 10.2.

Use a privileged block when calling out to the JAXP parser so that
users running with a security manager can insert XML values that
reference external DTDs without encountering security exceptions.

svn merge -r 481116:481117 https://svn.apache.org/repos/asf/db/derby/code/trunk
svn merge -r 482302:482303 https://svn.apache.org/repos/asf/db/derby/code/trunk
Files Changed
MODIFY /db/derby/code/branches/10.2/java/engine/org/apache/derby/iapi/types/SqlXmlUtil.java

Revision: ASF #483521 | Date: Thu Dec 07 16:22:54 UTC 2006 | User: rhillegas
Message: DERBY-2129: Add a couple more bug fixes to the release notes. These were ported to the 10.2 branch in the last week: DERBY-1231, DERBY-2131, DERBY-1204.
Files Changed
MODIFY /db/derby/code/branches/10.2/RELEASE-NOTES.html