Uploaded image for project: 'Derby'
  1. Derby
  2. DERBY-4292

creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not wrapped in privilege block which can cause problems running under SecurityManager

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 10.1.3.1, 10.2.2.0, 10.3.2.1, 10.4.2.0, 10.5.1.1, 10.6.1.0
    • 10.5.3.0, 10.6.1.0
    • Tools
    • None
    • Normal
    • High Value Fix, Newcomer, Repro attached
    • Security

    Description

      org.apache.derby.impl.tools.ij.Main has this code where the call to FileInputStream is not wrapped in a privilege block:

      try {
      in1 = new FileInputStream(file);
      if (in1 != null)

      { in1 = new BufferedInputStream(in1, utilMain.BUFFEREDFILESIZE); in = langUtil.getNewInput(in1); }

      } catch (FileNotFoundException e) {
      if (Boolean.getBoolean("ij.searchClassPath"))

      { in = langUtil.getNewInput(util.getResourceAsStream(file)); }

      This can cause issues when running under SecurityManager

      Attachments

        1. derby4292.zip
          3 kB
          Katherine Marsden
        2. derby4292.zip
          5 kB
          Katherine Marsden
        3. DERBY-4292-Fix.patch
          2 kB
          Tiago R. Espinha
        4. DERBY-4292-Fix.patch
          2 kB
          Tiago R. Espinha
        5. DERBY-4292-Fix.patch
          1 kB
          Tiago R. Espinha
        6. DERBY-4292-ReproTest.patch
          7 kB
          Tiago R. Espinha
        7. DERBY-4292-ReproTest.patch
          7 kB
          Tiago R. Espinha
        8. DERBY-4292-ReproTest.patch
          3 kB
          Tiago R. Espinha
        9. run.out.debugall
          34 kB
          Katherine Marsden

        Activity

          People

            espinha Tiago R. Espinha
            kmarsden Katherine Marsden
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: