[DERBY-2131] External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2.1.6, 10.2.2.0, 10.3.1.4
Fix Version/s: 10.2.2.0, 10.3.1.4
Component/s: SQL
Labels:
None

Description

The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (ex. Xerces or Crimson) to parse an XML value. If the XML value that is being parsed references an external DTD, then the JAXP parser will need to read the DTD file to complete parsing. However, the current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP parser. As a result, when a user who is running with a security manager tries to insert a document that references an external DTD, the call to XMLPARSE will fail with a security exception--even if the JAXP parser has the required "read" permissions.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

d2131_10_2.patch
05/Dec/06 17:07
2 kB
A B
d2131_rewrite_v2.patch
01/Dec/06 19:01
3 kB
A B
d2131_rewrite_v1.patch
01/Dec/06 17:57
3 kB
A B
d2131_v1.patch
29/Nov/06 23:10
2 kB
A B

Issue Links

blocks

DERBY-1758 Enable xmlSuite to run as part of derbyall in environments that have the required external jars.

Closed

relates to

DERBY-6807 XXE attack possible by using XmlVTI and the XML datatype

Closed

Activity

People

Assignee:: A B

Reporter:: A B

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 29/Nov/06 23:08

Updated:: 28/Jun/15 21:32

Resolved:: 06/Dec/06 00:18