Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 10.11.1.1
- None
- None
- Normal
- Patch Available, Repro attached
- Security
Description
System procedures are implemented as public static methods in org.apache.derby.catalog.SystemProcedures. These methods can be called by code in user-written procedures. This allows a user-written procedure to circumvent the SQL authorization checks which are supposed to limit some procedures to being called only by the DBO. I will attach a repro.
Attachments
Issue Links
- is related to
  - DERBY-6646 Applications can bypass the authorization checks on SYSCS_EXPORT_TABLE and SYSCS_IMPORT_TABLE by calling Export.exportTable() and Import.importTable() directly (Closed)
  - DERBY-6648 Application code should not be able to call ContextService.getContextOrNull() (Closed)
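
A simplified Java model of the pattern the description reports, added here as an illustration: it is not Derby source or the attached repro, and every class, method and routine name in it is hypothetical. It contrasts a public static implementation that relies on the SQL layer's authorization check with one that re-checks the session user inside the method.

```java
import java.util.Set;

// Simplified model, NOT Derby source: all class, method and routine names are hypothetical.
public class DirectCallBypassModel {
    static final String DBO = "DBO";
    // Current session user, standing in for the engine's connection context.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();
    // Routines whose EXECUTE privilege is held only by the DBO.
    static final Set<String> DBO_ONLY = Set.of("SYS_PRIVILEGED_PROC");

    // SQL-layer entry point: the only place the "before" design checks authorization.
    static String sqlCall(String routine) {
        if (DBO_ONLY.contains(routine) && !DBO.equals(CURRENT_USER.get()))
            throw new SecurityException(CURRENT_USER.get() + " may not execute " + routine);
        switch (routine) {
            case "SYS_PRIVILEGED_PROC": return privilegedUnchecked();
            case "USER_PROC":           return userProcedure(false);
            case "USER_PROC_HARDENED":  return userProcedure(true);
            default: throw new IllegalArgumentException(routine);
        }
    }

    // Before: public static implementation that trusts the SQL layer to have checked.
    // (Left public here only so both designs can be compared side by side.)
    public static String privilegedUnchecked() { return "privileged work done"; }

    // After: the implementation verifies the session user itself before doing the work.
    public static String privilegedChecked() {
        if (!DBO.equals(CURRENT_USER.get()))
            throw new SecurityException("caller is not the DBO");
        return privilegedUnchecked();
    }

    // A user-written procedure that any user may execute. It is ordinary Java,
    // so it reaches the public static method without passing through sqlCall()'s check.
    static String userProcedure(boolean hardened) {
        return hardened ? privilegedChecked() : privilegedUnchecked();
    }

    static String attempt(String user, String routine) {
        CURRENT_USER.set(user);
        try { return sqlCall(routine); }
        catch (SecurityException e) { return "DENIED: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println(attempt("ALICE", "SYS_PRIVILEGED_PROC")); // non-DBO, direct SQL call
        System.out.println(attempt("ALICE", "USER_PROC"));           // non-DBO, via user procedure
        System.out.println(attempt("ALICE", "USER_PROC_HARDENED"));  // non-DBO, in-method check
        System.out.println(attempt("DBO", "USER_PROC_HARDENED"));    // DBO, in-method check
    }
}
```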