db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "A B (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-2131) External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.
Date Fri, 01 Dec 2006 17:58:22 GMT
     [ http://issues.apache.org/jira/browse/DERBY-2131?page=all ]

A B updated DERBY-2131:
-----------------------

    Attachment: d2131_rewrite_v1.patch

Attaching a second patch, d2131_rewrite_v1.patch, that rewrites the privileged block (which
has already been committed) to account for Dan's suggestions.

Regarding "you probably want to catch the PrivilegedExceptionAction and unwrap it. ".  I did
some quick looking at other places in the Derby code where PrivilegedExceptions are caught
and it seems like unwrapping the exception is simply a matter of using the result of "PrivilegedException.getException()"--so
in this case, we throw the result of "getException()" instead of throwing the PrivilegedException
itself.

If this was too simple of an interpretation (ex. if the unwrapping needs to be more extensive
or should be selective to i/o errors), please let me know and I can try again...

> External DTD files are accessed without a privileged block when Derby parses XML values
that reference such DTDs.
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2131
>                 URL: http://issues.apache.org/jira/browse/DERBY-2131
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.2.1.6, 10.3.0.0, 10.2.2.0, 10.2.1.8
>            Reporter: A B
>         Assigned To: A B
>             Fix For: 10.3.0.0
>
>         Attachments: d2131_rewrite_v1.patch, d2131_v1.patch
>
>
> The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (ex. Xerces
or Crimson) to parse an XML value.  If the XML value that is being parsed references an external
DTD, then the JAXP parser will need to read the DTD file to complete parsing.  However, the
current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP
parser.  As a result, when a user who is running with a security manager tries to insert a
document that references an external DTD, the call to XMLPARSE will fail with a security exception--even
if the JAXP parser has the required "read" permissions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message