db-derby-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6616) User procedures can call system procedures, circumventing SQL authorization.
Date Thu, 10 Jul 2014 16:52:06 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14057661#comment-14057661 ]

ASF subversion and git services commented on DERBY-6616:
--------------------------------------------------------

Commit 1609501 from [~rhillegas] in branch 'code/trunk'
[ https://svn.apache.org/r1609501 ]

DERBY-6616: Prevent applications from bypassing SQL authorization by directly calling system
procedure entry points; commit derby-6616-01-ad-reauthorize.diff.

> User procedures can call system procedures, circumventing SQL authorization.
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6616
>                 URL: https://issues.apache.org/jira/browse/DERBY-6616
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.11.0.0
>            Reporter: Rick Hillegas
>            Assignee: Rick Hillegas
>         Attachments: SystemProcWrapper.java, derby-6616-01-ad-reauthorize.diff
>
>
> System procedures are implemented as public static methods in org.apache.derby.catalog.SystemProcedures.
> These methods can be called by code in user-written procedures. This allows a user-written
> procedure to circumvent the SQL authorization checks which are supposed to limit some procedures
> to being called only by the DBO. I will attach a repro.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
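An added illustration, not Derby code and not the attached patch, of the entry-point re-authorization that the commit message describes: an authorization check that lives only in the SQL layer is skipped when user procedure code invokes the public static entry point directly, so the hardened entry point repeats the check itself. The `Session` class, the `CURRENT` thread-local and the `setDatabaseProperty` stand-in are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

public class ReauthorizeExample {

    /** Hypothetical session context: who is running the statement and who owns the database.
     *  A real engine would look this up from its connection context; a ThreadLocal is an
     *  assumption of this example. */
    static final ThreadLocal<Session> CURRENT = new ThreadLocal<>();

    static final class Session {
        final String currentUser;
        final String databaseOwner;
        final Map<String, String> properties = new HashMap<>();
        Session(String currentUser, String databaseOwner) {
            this.currentUser = currentUser;
            this.databaseOwner = databaseOwner;
        }
        boolean isDatabaseOwner() { return currentUser.equals(databaseOwner); }
    }

    /** Vulnerable shape: the entry point assumes the SQL layer has already authorized the caller. */
    static final class UncheckedSystemProcedures {
        public static void setDatabaseProperty(String key, String value) {
            CURRENT.get().properties.put(key, value);
        }
    }

    /** Hardened shape: the entry point re-checks, so a direct call from user procedure code
     *  gets the same answer as a call that arrived through a SQL statement. */
    static final class ReauthorizingSystemProcedures {
        public static void setDatabaseProperty(String key, String value) {
            reauthorize("setDatabaseProperty");
            CURRENT.get().properties.put(key, value);
        }
        private static void reauthorize(String procedureName) {
            Session s = CURRENT.get();
            if (s == null || !s.isDatabaseOwner()) {
                throw new SecurityException(procedureName + " may only be called by the database owner");
            }
        }
    }

    /** Models the SQL layer's own check, which runs only when the call arrives as SQL. */
    static void callThroughSql(Runnable entryPoint) {
        if (!CURRENT.get().isDatabaseOwner()) {
            throw new SecurityException("SQL authorization: caller is not the database owner");
        }
        entryPoint.run();
    }

    /** Returns true if the entry point ran, false if it refused the caller. */
    static boolean runs(Runnable entryPoint) {
        try {
            entryPoint.run();
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed session: an ordinary user ALICE in a database owned by DBO.
        CURRENT.set(new Session("ALICE", "DBO"));

        // Through the SQL layer both shapes are refused; the SQL-level check runs first.
        System.out.println("unchecked, via SQL:     " + runs(() -> callThroughSql(
                () -> UncheckedSystemProcedures.setDatabaseProperty("example.prop", "1"))));
        System.out.println("reauthorizing, via SQL: " + runs(() -> callThroughSql(
                () -> ReauthorizingSystemProcedures.setDatabaseProperty("example.prop", "1"))));

        // Called directly, as code inside a user-written procedure could: only the
        // re-authorizing entry point still refuses the non-owner.
        System.out.println("unchecked, direct:      " + runs(
                () -> UncheckedSystemProcedures.setDatabaseProperty("example.prop", "1")));
        System.out.println("reauthorizing, direct:  " + runs(
                () -> ReauthorizingSystemProcedures.setDatabaseProperty("example.prop", "1")));
    }
}
```

The design point is that the check belongs at the trust boundary that is actually reachable: once an entry point is public and callable from user-loaded code, an authorization decision made only by the dispatcher in front of it is advisory, and the entry point has to establish the caller's privileges itself.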
