
Key: DERBY-2131
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: A B
Reporter: A B
Votes: 0
Watchers: 0
Derby

External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.

Created: 29/Nov/06 11:08 PM   Updated: 11/Dec/06 05:01 PM
Component/s: SQL
Affects Version/s: 10.2.1.6, 10.2.2.0, 10.3.1.4
Fix Version/s: 10.2.2.0, 10.3.1.4

Time Tracking:
Not Specified

File Attachments (all licensed for inclusion in ASF works):
  d2131_10_2.patch, 2006-12-05 05:07 PM, A B, 2 kB
  d2131_rewrite_v1.patch, 2006-12-01 05:57 PM, A B, 3 kB
  d2131_rewrite_v2.patch, 2006-12-01 07:01 PM, A B, 3 kB
  d2131_v1.patch, 2006-11-29 11:10 PM, A B, 2 kB
Issue Links:
Blocker
 

Resolution Date: 06/Dec/06 12:18 AM


Description:
The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (e.g. Xerces or Crimson) to parse an XML value. If the XML value that is being parsed references an external DTD, then the JAXP parser will need to read the DTD file to complete parsing. However, the current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP parser. As a result, when a user who is running with a security manager tries to insert a document that references an external DTD, the call to XMLPARSE will fail with a security exception--even if the JAXP parser has the required "read" permissions.

Change History:
A B made changes - 29/Nov/06 11:10 PM
Field Original Value New Value
Attachment d2131_v1.patch [ 12346071 ]
A B made changes - 29/Nov/06 11:16 PM
Derby Info [Patch Available]
A B made changes - 30/Nov/06 12:01 AM
Link This issue blocks DERBY-1758 [ DERBY-1758 ]
A B made changes - 01/Dec/06 12:22 AM
Status Open [ 1 ] Resolved [ 5 ]
Derby Info [Patch Available]
Resolution Fixed [ 1 ]
A B made changes - 01/Dec/06 12:23 AM
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
A B made changes - 01/Dec/06 12:23 AM
Resolution Fixed [ 1 ]
Fix Version/s 10.3.0.0 [ 12310800 ]
Status Reopened [ 4 ] Resolved [ 5 ]
A B made changes - 01/Dec/06 12:59 AM
Resolution Fixed [ 1 ]
Status Resolved [ 5 ] Reopened [ 4 ]
A B made changes - 01/Dec/06 05:57 PM
Attachment d2131_rewrite_v1.patch [ 12346243 ]
A B made changes - 01/Dec/06 05:58 PM
Derby Info [Patch Available]
A B made changes - 01/Dec/06 07:01 PM
Attachment d2131_rewrite_v2.patch [ 12346244 ]
A B made changes - 04/Dec/06 07:36 PM
Derby Info [Patch Available]
A B made changes - 05/Dec/06 05:07 PM
Attachment d2131_10_2.patch [ 12346460 ]
A B made changes - 06/Dec/06 12:18 AM
Fix Version/s 10.2.2.0 [ 12312027 ]
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
A B made changes - 11/Dec/06 05:01 PM
Status Resolved [ 5 ] Closed [ 6 ]