Derby: DERBY-6648

Application code should not be able to call ContextService.getContextOrNull()


    Details

    • Urgency:
      Normal
    • Issue & fix info:
      Release Note Needed
    • Bug behavior facts:
      Security

      Description

      By calling ContextService.getContextOrNull() (and its relatives), application code can get its hands on all sorts of internal Derby contexts, factories, and managers. This allows application code to bypass SQL authorization checks and perform sensitive or data-corrupting actions.

      For instance, right now an application can use this method to get its hands on the language connection context. From the lcc, the application can get its hands on the data dictionary and the execution transaction. Armed with those objects, the application can bypass authorization checks and create schema objects, users, and permissions.

      Only Derby code should be able to call this powerful method.
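The access path the description lays out, as an added example that is not part of this issue or of Derby's own code: a Java routine that, from application code, attempts only the first step (obtaining the LanguageConnectionContext via ContextService.getContextOrNull()) and reports whether it was reachable, together with the kind of permission guard an engine entry point needs so that only privileged code is handed a context. Assumed rather than stated on the page: the internal class and member names (org.apache.derby.iapi.services.context.ContextService, LanguageConnectionContext.CONTEXT_ID, org.apache.derby.security.SystemPermission), that the engine "usederbyinternals" action is the permission Derby 10.11 introduced for this issue, and the CREATE FUNCTION and policy text in the comments, which are illustrations.

```java
// Added example, not code from DERBY-6648 or from Derby's own sources.
//
//  1. probe(): a SQL-callable Java function that tries, from application code,
//     the first step the issue describes (getting the LanguageConnectionContext
//     through ContextService.getContextOrNull()). It only reports whether the
//     context was reachable; it does not touch the data dictionary or the
//     execution transaction that the lcc leads to.
//  2. guardedLcc(): the permission check an engine entry point needs so that
//     only code granted the engine "usederbyinternals" permission gets a context.
//
// Assumptions not stated on the page: the internal types are the ones shipped in
// the Derby engine jar (org.apache.derby.iapi.* and
// org.apache.derby.security.SystemPermission); "usederbyinternals" is the
// SystemPermission action Derby 10.11 added for this issue; the CREATE FUNCTION
// and policy grant quoted below are illustrations of how the probe is wired up.
import org.apache.derby.iapi.services.context.Context;
import org.apache.derby.iapi.services.context.ContextService;
import org.apache.derby.iapi.sql.conn.LanguageConnectionContext;
import org.apache.derby.security.SystemPermission;

public class InternalsProbe {

    /** Permission an engine entry point should demand before handing out a context. */
    private static final SystemPermission USE_DERBY_INTERNALS =
        new SystemPermission("engine", "usederbyinternals");

    /**
     * Register and call from any connection. The routine runs on the
     * connection's own thread, which is why the context lookup finds the lcc:
     *
     *   CREATE FUNCTION PROBE_INTERNALS() RETURNS VARCHAR(200)
     *     LANGUAGE JAVA PARAMETER STYLE JAVA NO SQL
     *     EXTERNAL NAME 'InternalsProbe.probe';
     *   VALUES PROBE_INTERNALS();
     *
     * On an engine without the fix the result starts with "REACHABLE".
     * On a fixed engine running under a SecurityManager whose policy does not
     * grant the application jar usederbyinternals, it starts with "DENIED".
     */
    public static String probe() {
        try {
            Context ctx = ContextService.getContextOrNull(LanguageConnectionContext.CONTEXT_ID);
            if (ctx == null) {
                return "NOT FOUND: no LanguageConnectionContext on this thread";
            }
            LanguageConnectionContext lcc = (LanguageConnectionContext) ctx;
            // Stop here: from the lcc the data dictionary and the execution
            // transaction are one method call away, which is the issue's point.
            return "REACHABLE: application code obtained " + lcc.getClass().getName();
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException; this is the guarded behaviour.
            return "DENIED: " + e.getMessage();
        }
    }

    /**
     * Entry-point guard. With a SecurityManager installed, checkPermission walks
     * every frame on the call stack, so application code cannot launder the call
     * through an engine frame unless the engine itself wraps the lookup in
     * AccessController.doPrivileged for its own callers. Without a SecurityManager
     * nothing is checked at all. A policy that lets the engine (and nothing else)
     * through looks like this (path is illustrative):
     *
     *   grant codeBase "file:/path/to/derby.jar" {
     *     permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
     *   };
     */
    public static LanguageConnectionContext guardedLcc() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(USE_DERBY_INTERNALS); // throws AccessControlException if not granted
        }
        return (LanguageConnectionContext)
            ContextService.getContextOrNull(LanguageConnectionContext.CONTEXT_ID);
    }
}
```

Run the probe once before and once after upgrading the engine jar; the change from "REACHABLE" to "DENIED" (under a SecurityManager) is the observable effect of the fix. The guard only works when a SecurityManager is installed, so a deployment that relies on it must run with one and with a policy that grants the permission to derby.jar alone.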

        Attachments

        1. derby-6648-01-aa-oneActionList.diff
          7 kB
          Richard N. Hillegas
        2. derby-6648-01-ab-rototill1.diff
          159 kB
          Richard N. Hillegas
        3. derby-6648-01-ad-rototill1.diff
          159 kB
          Richard N. Hillegas
        4. derby-6648-01-ae-regressionTests.diff
          189 kB
          Richard N. Hillegas
        5. releaseNote.html
          2 kB
          Richard N. Hillegas
        6. derby-6648-02-aa-packagePrivateTests.diff
          0.8 kB
          Richard N. Hillegas
        7. derby-6648-03-aa-monitor.diff
          230 kB
          Richard N. Hillegas
        8. derby-6648-03-ab-monitor.diff
          245 kB
          Richard N. Hillegas
        9. derby-6648-03-ac-monitor.diff
          245 kB
          Richard N. Hillegas
        10. releaseNote.html
          2 kB
          Richard N. Hillegas

People

• Assignee: Richard N. Hillegas (rhillegas)
• Reporter: Richard N. Hillegas (rhillegas)
• Votes: 0
• Watchers: 4