Derby / DERBY-6616

User procedures can call system procedures, circumventing SQL authorization.

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Version: 10.11.1.1
    • Component: SQL
    • Urgency: Normal
    • Issue & fix info: Patch Available, Repro attached
    • Bug behavior facts: Security

Description

    System procedures are implemented as public static methods in org.apache.derby.catalog.SystemProcedures. These methods can be called by code in user-written procedures. This allows a user-written procedure to circumvent the SQL authorization checks which are supposed to limit some procedures to being called only by the DBO. I will attach a repro.
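The defect the description states, and the defense-in-depth fix it implies, side by side as an added example. This is my own illustration, not Derby's code and not the attached patch: a procedure body implemented as a public static method that trusts the SQL layer to have already checked the caller, next to one that re-checks authorization on entry so the check holds no matter which code path reaches it. Every name in it (SessionContext, requireDatabaseOwner, setSensitiveProperty, the user names and the property key) is hypothetical and constructed for the demonstration.

```java
// Added example for DERBY-6616; not Derby's code. Models the issue's defect (system
// procedure bodies are public static methods, so user-written Java routines can reach
// them directly) beside a body that re-authorizes itself. All names are hypothetical.
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;

public class ProcedureAuthorizationDemo {

    /** Hypothetical stand-in for the session state an engine exposes to routines. */
    public interface SessionContext {
        String currentUser();
        String databaseOwner();
        boolean sqlAuthorizationEnabled();
    }

    /** Constructed shared state; stands in for persistent database properties. */
    static final Map<String, String> PROPERTY_STORE = new HashMap<>();

    /** Vulnerable pattern: the body assumes the SQL layer already authorized the caller,
     *  so a direct Java invocation from a user routine performs the privileged write unchecked. */
    public static final class UncheckedSystemProcedures {
        public static void setSensitiveProperty(SessionContext ctx, String key, String value) {
            PROPERTY_STORE.put(key, value);   // no authorization check on this path
        }
    }

    /** Hardened pattern: authorization is enforced inside the body, so it applies whether
     *  the method is reached through CALL or through a direct Java call. */
    public static final class ReauthorizingSystemProcedures {
        public static void setSensitiveProperty(SessionContext ctx, String key, String value)
                throws SQLException {
            requireDatabaseOwner(ctx, "SET_SENSITIVE_PROPERTY");
            PROPERTY_STORE.put(key, value);
        }
    }

    /** Hypothetical check: with SQL authorization on, only the database owner may proceed.
     *  Identifier comparison here is simplified; a real engine follows its own rules. */
    static void requireDatabaseOwner(SessionContext ctx, String routineName) throws SQLException {
        if (!ctx.sqlAuthorizationEnabled()) {
            return; // authorization disabled: behave as an unsecured database would
        }
        if (!ctx.currentUser().equalsIgnoreCase(ctx.databaseOwner())) {
            throw new SQLException("User '" + ctx.currentUser()
                    + "' lacks the database-owner privilege required by " + routineName);
        }
    }

    /** Constructed session: SQL authorization on, current user is not the DBO. */
    static SessionContext nonOwnerSession() {
        return new SessionContext() {
            public String currentUser() { return "ALICE"; }
            public String databaseOwner() { return "OWNER"; }
            public boolean sqlAuthorizationEnabled() { return true; }
        };
    }

    public static void main(String[] args) {
        SessionContext ctx = nonOwnerSession();

        // Direct call into the unchecked body: the privileged write goes through.
        UncheckedSystemProcedures.setSensitiveProperty(ctx, "example.sensitive.setting", "changed");
        System.out.println("unchecked: store now " + PROPERTY_STORE);

        // Same call into the re-authorizing body: rejected regardless of the call path.
        PROPERTY_STORE.clear();
        try {
            ReauthorizingSystemProcedures.setSensitiveProperty(ctx, "example.sensitive.setting", "changed");
            System.out.println("hardened: unexpected success");
        } catch (SQLException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + "), store " + PROPERTY_STORE);
        }
    }
}
```

The design point is that visibility alone cannot close this gap: a procedure body the engine resolves and invokes by name has to stay public, and anything else loaded into the same JVM can then call it. Putting the privilege check inside the body, as the patch name "reauthorize" suggests, makes the outcome independent of whether the entry came through CALL or through user Java code.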

Attachments

    1. SystemProcWrapper.java (0.7 kB, Richard N. Hillegas)
    2. derby-6616-01-ad-reauthorize.diff (63 kB, Richard N. Hillegas)

People

    Assignee: Richard N. Hillegas (rhillegas)
    Reporter: Richard N. Hillegas (rhillegas)
    Votes: 0
    Watchers: 3