Derby / DERBY-2330

Disallow user-defined SQL routines to resolve to entry points (methods in classes) in the org.apache.derby.* namespace


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.3.1.4
    • Component/s: SQL
    • Labels:
      None
    • Issue & fix info:
      Release Note Needed
    • Bug behavior facts:
      Security

      Description

      Disallowing routines from accessing Derby code directly stops the potential of remote code exploiting any security holes in Derby.

      Derby code can be seen as a special case since it is known that the Derby code will be on the classpath.

      Disallowing such routines makes security analysis easier and safer than trying to guarantee that every public static method in Derby cannot expose secured information.

      Routines in existing applications (in upgraded databases) that map to such Derby methods will fail at execute time.
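
An audit query for the upgrade case described above, added here as an example and not part of the Derby issue or its fix: it lists user-defined functions and procedures whose Java class is in the org.apache.derby.* namespace, so they can be found and remapped before they fail at execute time. It assumes the SYS.SYSALIASES and SYS.SYSSCHEMAS system tables and treats the schemas named in the NOT IN list as Derby's built-in schemas.

```sql
-- Added example (not from the DERBY-2330 issue): run against a database
-- that is about to be upgraded to a release containing this change.
--
-- SYS.SYSALIASES holds one row per routine; JAVACLASSNAME is the class part
-- of the routine's EXTERNAL NAME, ALIASTYPE is 'F' (function) or
-- 'P' (procedure).
SELECT s.SCHEMANAME,
       a.ALIAS          AS ROUTINE_NAME,
       a.ALIASTYPE      AS ROUTINE_TYPE,
       a.JAVACLASSNAME  AS JAVA_CLASS
FROM   SYS.SYSALIASES a
JOIN   SYS.SYSSCHEMAS s
       ON a.SCHEMAID = s.SCHEMAID
WHERE  a.ALIASTYPE IN ('F', 'P')
       -- The trailing dot matters: it matches the org.apache.derby package
       -- tree but not an unrelated package such as org.apache.derbytools.
  AND  a.JAVACLASSNAME LIKE 'org.apache.derby.%'
       -- Assumption: these are the built-in schemas whose routines are
       -- supplied by Derby itself and are not user-defined.
  AND  s.SCHEMANAME NOT IN ('SYS', 'SYSIBM', 'SYSCS_UTIL', 'SYSCS_DIAG',
                            'SYSCAT', 'SYSFUN', 'SYSPROC', 'SYSSTAT',
                            'NULLID', 'SQLJ')
ORDER BY s.SCHEMANAME, a.ALIAS;
```

An empty result means no user-defined routine in the database resolves into the Derby namespace; each returned row is a routine to drop or re-create against application code.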


              People

              • Assignee:
                djd Daniel John Debrunner
                Reporter:
                djd Daniel John Debrunner