Message-ID: <38448.1165364363770.JavaMail.jira@brutus>
Date: Tue, 5 Dec 2006 16:19:23 -0800 (PST)
From: "A B (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] Resolved: (DERBY-2131) External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.
In-Reply-To: <3285143.1164841761126.JavaMail.jira@brutus>

     [ http://issues.apache.org/jira/browse/DERBY-2131?page=all ]

A B resolved DERBY-2131.
------------------------

    Fix Version/s: 10.2.2.0
       Resolution: Fixed

derbyall ran cleanly with 10.2 jars after applying this patch. And the XML tests in suites.xmlSuite all ran cleanly, as well.

So I committed d2131_10_2.patch with svn 482837.

> External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2131
>                 URL: http://issues.apache.org/jira/browse/DERBY-2131
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.2.1.6, 10.2.1.8, 10.2.2.0, 10.3.0.0
>            Reporter: A B
>         Assigned To: A B
>             Fix For: 10.2.2.0, 10.3.0.0
>
>         Attachments: d2131_10_2.patch, d2131_rewrite_v1.patch, d2131_rewrite_v2.patch, d2131_v1.patch
>
>
> The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (ex. Xerces or Crimson) to parse an XML value. If the XML value that is being parsed references an external DTD, then the JAXP parser will need to read the DTD file to complete parsing. However, the current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP parser. As a result, when a user who is running with a security manager tries to insert a document that references an external DTD, the call to XMLPARSE will fail with a security exception--even if the JAXP parser has the required "read" permissions.
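
The pattern the issue describes, as an added example (this is not the code from d2131_10_2.patch or from Derby's SqlXmlUtil.java): a JAXP parse call without and with a privileged block. The class and method names are hypothetical, and the sketch assumes a Java runtime that supports the security manager, as the Derby versions listed above did.

```java
import java.io.StringReader;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Added illustration; class and method names are hypothetical, not Derby's.
public class PrivilegedXmlParse {

    // Before: the parser's DTD read is checked against every frame on the
    // stack, so a caller without FilePermission causes a SecurityException
    // even when this class and the JAXP parser hold "read" permission.
    static Document parseUnprivileged(DocumentBuilder builder, String xml)
            throws Exception {
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // After: doPrivileged stops the permission walk at this frame, so only
    // this class and the code it calls (the parser) need the permission.
    static Document parsePrivileged(final DocumentBuilder builder, final String xml)
            throws Exception {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<Document>() {
                    public Document run() throws Exception {
                        return builder.parse(new InputSource(new StringReader(xml)));
                    }
                });
        } catch (PrivilegedActionException pae) {
            // Unwrap so callers see the parser's own SAXException/IOException.
            throw pae.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder =
            DocumentBuilderFactory.newInstance().newDocumentBuilder();
        // Constructed sample input: a document with an internal DTD subset,
        // so the demo runs without any external file.
        String xml = "<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]><note>hi</note>";
        Document doc = parsePrivileged(builder, xml);
        System.out.println(doc.getDocumentElement().getTextContent());
    }
}
```

Inside the privileged block the read is authorized by the permissions of the class that calls doPrivileged and of the parser, not by those of the SQL user's code, so the policy file should grant those code bases read access only to the DTD locations that are meant to be reachable.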