db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3083) Network server demands a file called "derbynet.jar" in classpath
Date Mon, 19 Nov 2007 18:31:43 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543631
] 

Daniel John Debrunner commented on DERBY-3083:
----------------------------------------------

I hope the default policy for the network server is not granting permissions to derbytools,
derbyclient or derbytesting. The original spec had carefully limited permissions intended
to support running the network server.

The use of properties for the jar files names in the policy files increases a security hole,
now if any code can intercept the property setting then it allows that code to grant the permissions
intended for Derby to any jar on the file system. By limiting the name to derbynet.jar (etc.)
that hole is reduced. To support maven maybe the name could be ${derby.install.url}derbynet${version}.jar

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.3.1.4
>            Reporter: Aaron Digulla
>         Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a different name
than "derbynet.jar" to the classpath. This makes it impossible to use it in maven projects
where the jar is renamed to "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message