db-derby-dev mailing list archives

From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DERBY-6616) User procedures can call system procedures, circumventing SQL authorization.
Date Tue, 17 Jun 2014 13:33:01 GMT
Rick Hillegas created DERBY-6616:
------------------------------------

             Summary: User procedures can call system procedures, circumventing SQL authorization.
                 Key: DERBY-6616
                 URL: https://issues.apache.org/jira/browse/DERBY-6616
             Project: Derby
          Issue Type: Bug
          Components: SQL
    Affects Versions: 10.11.0.0
            Reporter: Rick Hillegas


System procedures are implemented as public static methods in org.apache.derby.catalog.SystemProcedures.
These methods can be called by code in user-written procedures. This allows a user-written
procedure to circumvent the SQL authorization checks which are supposed to limit some procedures
to being called only by the DBO. I will attach a repro.




--
This message was sent by Atlassian JIRA
(v6.2#6252)
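
The pattern the report describes, as an added example that is not part of the original message and is not Derby code: a constructed Java model in which the privilege check lives only in the SQL dispatch layer, next to a variant that repeats the check inside the routine body. All names (RoutineAuthModel, sysProcUnchecked, sysProcChecked, SYS_PROC, USER_PROC_A, USER_PROC_B, the user alice) are hypothetical, and the in-method check is one assumed mitigation, not necessarily the fix the project adopted.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

// Constructed model of the pattern in the report; it uses no Derby classes.
public class RoutineAuthModel {
    static final String DBO = "dbo";

    // "System procedure" guarded only by the SQL layer: the method trusts its caller.
    public static String sysProcUnchecked(String user) {
        return "system routine ran for " + user;
    }

    // Same routine with the DBO check repeated inside the method body.
    public static String sysProcChecked(String user) {
        if (!DBO.equals(user)) throw new SecurityException(user + " is not the DBO");
        return "system routine ran for " + user;
    }

    // SQL layer: EXECUTE privilege is checked once, on the routine named in CALL.
    static final Map<String, Set<String>> GRANTS = new HashMap<>();
    static final Map<String, Function<String, String>> ROUTINES = new HashMap<>();

    static String call(String user, String routine) {
        Set<String> grantees = GRANTS.getOrDefault(routine, Set.of());
        if (!DBO.equals(user) && !grantees.contains(user)) return "DENIED at SQL layer";
        try {
            return ROUTINES.get(routine).apply(user);
        } catch (SecurityException e) {
            return "DENIED in routine: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // No grant is recorded for SYS_PROC, so only the DBO may CALL it.
        ROUTINES.put("SYS_PROC", RoutineAuthModel::sysProcUnchecked);
        // User-written procedures that alice may execute. Their Java bodies
        // invoke the public static method directly instead of issuing CALL.
        ROUTINES.put("USER_PROC_A", u -> sysProcUnchecked(u));
        ROUTINES.put("USER_PROC_B", u -> sysProcChecked(u));
        GRANTS.put("USER_PROC_A", Set.of("alice"));
        GRANTS.put("USER_PROC_B", Set.of("alice"));

        for (String routine : new String[] {"SYS_PROC", "USER_PROC_A", "USER_PROC_B"})
            System.out.println("alice CALL " + routine + " -> " + call("alice", routine));
        System.out.println("dbo CALL USER_PROC_B -> " + call("dbo", "USER_PROC_B"));
    }
}
```

In the model, only the checked variant refuses the non-DBO session regardless of which entry point reached it, which is the property a review of such routines should test for.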
