| Key: |
DERBY-2131
|
| Type: |
Bug
|
| Status: |
Closed
|
| Resolution: |
Fixed
|
| Priority: |
Major
|
| Assignee: |
A B
|
| Reporter: |
A B
|
| Votes: |
0
|
| Watchers: |
0
|
|
If you were logged in you would be able to see more operations.
|
|
|
|
File Attachments:
|
|
|
Issue Links:
|
Blocker
|
|
This issue blocks:
|
|
DERBY-1758
Enable xmlSuite to run as part of derbyall in environments that have the required external jars.
|
|
|
|
|
|
|
|
| Resolution Date: |
06/Dec/06 12:18 AM
|
|
The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (ex. Xerces or Crimson) to parse an XML value. If the XML value that is being parsed references an external DTD, then the JAXP parser will need to read the DTD file to complete parsing. However, the current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP parser. As a result, when a user who is running with a security manager tries to insert a document that references an external DTD, the call to XMLPARSE will fail with a security exception--even if the JAXP parser has the required "read" permissions.
|
|
Description
|
The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (ex. Xerces or Crimson) to parse an XML value. If the XML value that is being parsed references an external DTD, then the JAXP parser will need to read the DTD file to complete parsing. However, the current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP parser. As a result, when a user who is running with a security manager tries to insert a document that references an external DTD, the call to XMLPARSE will fail with a security exception--even if the JAXP parser has the required "read" permissions. |
Show » |
| No work has yet been logged on this issue.
|
|
