db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dag H. Wanvik (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-5357) SQLJ.INSTALL_JAR shouldn't use identifier as file name
Date Mon, 05 Mar 2012 16:19:57 GMT

    [ https://issues.apache.org/jira/browse/DERBY-5357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13222431#comment-13222431
] 

Dag H. Wanvik commented on DERBY-5357:
--------------------------------------

Thanks, Mike and Rick! 
I bit the bullet. Uploading a new proof-of-concept patch which introduces a new naming scheme,
with full upgrade of old jar file storage at hard upgrade time. At soft upgrade time, the
old code is still used. Still haven't written tests. I have done away with the schema subdirectories
altogether and base the new scheme on uuids:

Old style file name:   jar/<schema>/<name>.jar.<version>
New style file name:  jar/<uuid>-<safe schema>-<safe name>.jar.<version>

I included schema and name (sanitized) in the name for ease of debugging. Perhaps we might
remove that if we fear users manually tampering with the stored jars..

Running regressions.

                
> SQLJ.INSTALL_JAR shouldn't use identifier as file name
> ------------------------------------------------------
>
>                 Key: DERBY-5357
>                 URL: https://issues.apache.org/jira/browse/DERBY-5357
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.9.0.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Dag H. Wanvik
>              Labels: derby_triage10_9
>         Attachments: derby-5357.diff, derby-5357.stat
>
>
> When installing a jar file with the SQLJ.INSTALL_JAR procedure, it will copy the jar
file to a subdirectory of the database directory. The name of the stored jar file is based
on the qualified name specified by the second parameter in the procedure, and becomes something
like: <DBDIR>/jar/<SCHEMA>/<JAR_NAME>.jar.<VERSION>
> This naming scheme is problematic because the qualified name of the jar file is an SQL
identifier and may contain any characters, also characters with special meaning to the underlying
file system.
> One example is this call:
> ij> call sqlj.install_jar('/path/to/toursdb.jar', 'APP."../../../x/jar"', 0);
> 0 rows inserted/updated/deleted
> On Unix-like systems, this will install the jar in a subdirectory of the database directory's
parent directory, which is clearly unfortunate as the database directory should be self-contained
(an assumption used when taking backup of a database using operating system commands, or when
moving the database to another location).
> There's probably also a possibility that INSTALL_JAR fails if the identifier contains
a character that's not allowed in file names on the platform.
> It would be better if the jars were stored in a file whose name is independent of the
identifier used, so that any valid SQL identifier could be used to name a jar file in the
database without causing problems.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message