db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3083) Network server demands a file called "derbynet.jar" in classpath
Date Mon, 19 Nov 2007 22:13:43 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543706
] 

Rick Hillegas commented on DERBY-3083:
--------------------------------------

Thanks for the clarification, Dan. By "private to Derby" I mean that the properties cannot
be overridden by any scheme that I'm aware of. For instance, someone could try to override
the properties on the boot command line--but these overrides would be ignored because Derby
would forcibly set the properties to values it calculated.

Fixing DERBY-2362 could reduce the vulnerability. However, I don't understand how to fix DERBY-2362.
The solutions which come to my mind seem to have the same small windows of vulnerability which
we're discussing here. If we could figure out how those windows could in fact be exploited
then we might be able to talk about a solution.

As you note, if there is a way to exploit this window, then it can be used to subvert the
value of "derby.install.url" today. The incremental exposure seems very small to me.

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.3.1.4
>            Reporter: Aaron Digulla
>         Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a different name
than "derbynet.jar" to the classpath. This makes it impossible to use it in maven projects
where the jar is renamed to "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message