Derby
  1. Derby
  2. DERBY-5352

Derby table functions stored in a jar file inside the database which implement VTICosting or RestrictedVTI fail with ClassNotFoundException

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 10.8.1.2
    • Fix Version/s: 10.8.2.2, 10.9.1.0
    • Component/s: SQL
    • Labels:
      None
    • Urgency:
      Urgent

      Description

      Derby table functions stored in a jar file inside the database which implement VTICosting or RestrictedVTI fail with ClassNotFoundException. This occurs when you attempt to query the table function. If you put the JAR on the classpath instead, then the table function can be accessed correctly.

      I believe the problem is in JarLoader.java which has:

      // Classes in installed jars cannot reference
      // Derby internal code. This is to avoid
      // code in installed jars bypassing SQL
      // authorization by calling Derby's internal methods.
      //
      // Any classes in the org.apache.derby.jdbc package
      // are allowed as it allows routines to make JDBC
      // connections to other databases. This does expose
      // public classes in that package that are not part
      // of the public api to attacks. One could attempt
      // further limiting allowed classes to those starting
      // with Embedded (and Client) but when fetching the
      // default connection in a routine (jdbc:default:connection)
      // the DriverManager attempts a load of the already loaded
      // AutoloadDriver, I think to establish the calling class
      // has access to the driver.
      //
      // This check in addition to the one in UpdateLoader
      // that prevents restricted classes from being loaded
      // from installed jars. The checks should be seen as
      // independent, ie. the restricted load check should
      // not make assumptions about this check reducing the
      // number of classes it has to check for.
      if (className.startsWith("org.apache.derby.")
      && !className.startsWith("org.apache.derby.jdbc."))

      { ClassNotFoundException cnfe = new ClassNotFoundException(className); //cnfe.printStackTrace(System.out); throw cnfe; }

      Which explicitly restricts access to the org.apache.derby package except for org.apache.derby.jdbc. I have debugged this and if change this to:

      // Classes in installed jars cannot reference
      // Derby internal code. This is to avoid
      // code in installed jars bypassing SQL
      // authorization by calling Derby's internal methods.
      if (className.startsWith("org.apache.derby.")
      && !className.startsWith("org.apache.derby.jdbc.")
      && !className.startsWith("org.apache.derby.vti."))
      { ClassNotFoundException cnfe = new ClassNotFoundException(className); //cnfe.printStackTrace(System.out); throw cnfe; }

      The access is allowed.

      1. derby-5352.diff
        0.8 kB
        Brett Bergquist
      2. derby-5352-01-ab-fixWithRegressionTest.diff
        4 kB
        Rick Hillegas

        Issue Links

          Activity

            People

            • Assignee:
              Brett Bergquist
              Reporter:
              Brett Bergquist
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development