db-derby-dev mailing list archives

From "A B (JIRA)" <j...@apache.org>
Subject [jira] Created: (DERBY-2131) External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.
Date Wed, 29 Nov 2006 23:09:21 GMT
External DTD files are accessed without a privileged block when Derby parses XML values that
reference such DTDs.
-----------------------------------------------------------------------------------------------------------------

                 Key: DERBY-2131
                 URL: http://issues.apache.org/jira/browse/DERBY-2131
             Project: Derby
          Issue Type: Bug
          Components: SQL
    Affects Versions: 10.2.1.6, 10.2.1.8, 10.2.2.0, 10.3.0.0
            Reporter: A B
         Assigned To: A B


The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (e.g. Xerces
or Crimson) to parse an XML value.  If the XML value that is being parsed references an external
DTD, then the JAXP parser will need to read the DTD file to complete parsing.  However, the
current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP
parser.  As a result, when a user who is running with a security manager tries to insert a
document that references an external DTD, the call to XMLPARSE will fail with a security exception--even
if the JAXP parser has the required "read" permissions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
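
The missing privileged block described in the report above, sketched as an added example (this is not code from the original message or from Derby): the same JAXP parse call made without and with AccessController.doPrivileged. The class name, method names and sample DTD are hypothetical.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical class for illustration; this is not Derby's SqlXmlUtil.
// AccessController is deprecated since Java 17 but still compiles.
public class PrivilegedXmlParse {
    private final DocumentBuilder builder;

    public PrivilegedXmlParse() throws Exception {
        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Unprivileged call: when the parser opens the DTD, the FilePermission
    // check walks the whole stack, so every caller's protection domain
    // must hold "read" on the DTD, not only the parser's.
    Document parseUnprivileged(String xml) throws Exception {
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // Privileged call: the stack walk stops at this frame, so only this
    // class's protection domain and the parser's need the permission.
    Document parsePrivileged(final String xml) throws Exception {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Document>) () ->
                    builder.parse(new InputSource(new StringReader(xml))));
        } catch (PrivilegedActionException pae) {
            throw pae.getException(); // rethrow the parser's SAX/IO exception
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a local DTD file and a document that references it.
        Path dtd = Files.createTempFile("sample", ".dtd");
        Files.write(dtd, "<!ELEMENT doc (#PCDATA)><!ENTITY greeting \"hello\">".getBytes("UTF-8"));
        String xml = "<!DOCTYPE doc SYSTEM \"" + dtd.toUri() + "\"><doc>&greeting;</doc>";
        Document d = new PrivilegedXmlParse().parsePrivileged(xml);
        // The entity is defined only in the external DTD, so the printed text comes from that file.
        System.out.println(d.getDocumentElement().getTextContent());
        Files.delete(dtd);
    }
}
```

With the privileged form, the policy file only has to grant the "read" FilePermission on the DTD location to the code that makes the privileged call and to the parser, not to every caller above it on the stack.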

        
