From: "Tiago R. Espinha (JIRA)"
To: derby-dev@db.apache.org
Date: Sat, 4 Jul 2009 16:10:47 -0700 (PDT)
Subject: [jira] Updated: (DERBY-4292) creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not wrapped in privilege block which can cause problems running under SecurityManager
Message-ID: <804513064.1246749047339.JavaMail.jira@brutus>
In-Reply-To: <858509740.1245959047348.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/DERBY-4292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tiago R. Espinha updated DERBY-4292:
------------------------------------

    Attachment: DERBY-4292-ReproTest.patch
                DERBY-4292-Fix.patch

I'm submitting two files to this issue. The ReproTest contains a test that reproduces the flaw. If this patch is applied and the test is run *without* the fix, it should fail. This acknowledges the existence of the flaw. The fix simply wraps the 'offending' code in a privilege block, making the repro test pass.

There's one issue with the test: since I am invoking ij manually from within the fixture, the output gets printed to the console. Does anyone have any suggestions to mute this output? We don't really need to see the output since we can handle the exception instead, in case it throws one.

It also needs to be noted that the policy file being used is the already existing util/derby_tests.policy since it serves the purpose of the test. However, a new file (tools/IjSecurityManagerTest.sql) is added that is used to reproduce the failure.
> creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not wrapped in privilege block which can cause problems running under SecurityManager
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-4292
>                 URL: https://issues.apache.org/jira/browse/DERBY-4292
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.1.3.1, 10.2.2.0, 10.3.2.1, 10.4.2.0, 10.5.1.1, 10.6.0.0
>            Reporter: Kathey Marsden
>            Assignee: Tiago R. Espinha
>         Attachments: DERBY-4292-Fix.patch, DERBY-4292-ReproTest.patch, derby4292.zip
>
>
> org.apache.derby.impl.tools.ij.Main has this code where the call to FileInputStream is not wrapped in a privilege block:
>
>         try {
>             in1 = new FileInputStream(file);
>             if (in1 != null) {
>                 in1 = new BufferedInputStream(in1, utilMain.BUFFEREDFILESIZE);
>                 in = langUtil.getNewInput(in1);
>             }
>         } catch (FileNotFoundException e) {
>             if (Boolean.getBoolean("ij.searchClassPath")) {
>                 in = langUtil.getNewInput(util.getResourceAsStream(file));
>             }
>
> This can cause issues when running under SecurityManager

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
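The issue above describes an unprivileged FileInputStream open in ij, and the fix wraps it in a privilege block. The following is an added, self-contained illustration of that pattern; it is not Derby's code and not the attached patch. It places the quoted open (minus the Derby helpers utilMain, langUtil and util, which are not available here) beside a version wrapped in AccessController.doPrivileged. The buffer size constant BUFFERED_FILE_SIZE and the class name are assumptions chosen for the example.

```java
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

public final class PrivilegedFileOpen {

    // Assumption: stands in for utilMain.BUFFEREDFILESIZE; the value is illustrative only.
    private static final int BUFFERED_FILE_SIZE = 2048;

    /**
     * Mirrors the quoted ij code: no privilege block. Under a SecurityManager the
     * FilePermission "read" check walks the whole call stack, so if any frame belongs
     * to a code base that was not granted the permission (e.g. an application calling
     * into the tool), an AccessControlException is thrown even though this library
     * itself is trusted.
     */
    public static InputStream openUnprivileged(String file) throws FileNotFoundException {
        InputStream in1 = new FileInputStream(file);
        return new BufferedInputStream(in1, BUFFERED_FILE_SIZE);
    }

    /**
     * Hardened form: only the file open runs inside doPrivileged, so the permission
     * check stops at this code base's ProtectionDomain instead of the caller's.
     * Keeping the privileged region to the single operation that needs it is the
     * least-privilege point of the pattern; the stream is consumed outside it.
     */
    public static InputStream openPrivileged(final String file) throws FileNotFoundException {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<InputStream>() {
                    public InputStream run() throws FileNotFoundException {
                        return new BufferedInputStream(
                            new FileInputStream(file), BUFFERED_FILE_SIZE);
                    }
                });
        } catch (PrivilegedActionException pae) {
            // doPrivileged wraps checked exceptions from run(); unwrap so callers keep
            // the same FileNotFoundException contract as the unprivileged version.
            throw (FileNotFoundException) pae.getException();
        }
    }

    /** Small stand-alone driver: opens a constructed temp file both ways. */
    public static void main(String[] args) throws Exception {
        File tmp = File.createTempFile("ij-example", ".sql");   // constructed sample input
        tmp.deleteOnExit();
        try (FileWriter w = new FileWriter(tmp)) {
            w.write("VALUES 1;\n");
        }
        try (InputStream a = openUnprivileged(tmp.getPath());
             InputStream b = openPrivileged(tmp.getPath())) {
            System.out.println("unprivileged first byte: " + a.read());
            System.out.println("privileged   first byte: " + b.read());
        }
    }
}
```

Without a SecurityManager both methods behave identically, which is why the mailing-list repro test runs under util/derby_tests.policy: the difference only shows when a policy grants FilePermission to the tool's code base but not to the caller's. Two caveats for anyone applying the pattern today: keep the privileged block as small as this one (wrapping a larger region lets untrusted callers ride on the library's permissions for more than the intended operation), and note that the SecurityManager API has been deprecated for removal since Java 17, so this mitigation only applies on runtimes that still honour it.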