Return-Path: X-Original-To: apmail-db-derby-dev-archive@www.apache.org Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1D1BF11585 for ; Tue, 26 Aug 2014 14:50:59 +0000 (UTC) Received: (qmail 91228 invoked by uid 500); 26 Aug 2014 14:50:58 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 91203 invoked by uid 500); 26 Aug 2014 14:50:58 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 91189 invoked by uid 99); 26 Aug 2014 14:50:58 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 26 Aug 2014 14:50:58 +0000 Date: Tue, 26 Aug 2014 14:50:58 +0000 (UTC) From: "Knut Anders Hatlen (JIRA)" To: derby-dev@db.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (DERBY-6648) Application code should not be able to call ContextService.getContextOrNull() MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14110773#comment-14110773 ] Knut Anders Hatlen commented on DERBY-6648: ------------------------------------------- I was wondering if one possibility is to have a doPrivileged() call on all public entry-points. Essentially all methods that currently have a setupContextStack()/restoreContextStack() pair. That'd make sure that the protected internal calls could only be called if the Derby code base was entered via our public API. If we have the doPrivileged() calls further down, it may be more difficult to convince oneself that no caller can reach that point after entering the Derby code base via some internal API. If we did that, I guess we would want to limit the top-level doPrivileged() calls to only enable this particular SystemPermission. Unfortunately, it looks like the doPrivileged() overloads that allow you to limit the scope to certain privileges, are only available in Java 8 and higher. (Look for the doPrivileged() methods in AccessController that take a {{Permission... perms}} vararg.) > Application code should not be able to call ContextService.getContextOrNull() > ----------------------------------------------------------------------------- > > Key: DERBY-6648 > URL: https://issues.apache.org/jira/browse/DERBY-6648 > Project: Derby > Issue Type: Bug > Components: Services > Affects Versions: 10.11.1.1 > Reporter: Rick Hillegas > Attachments: derby-6648-01-aa-oneActionList.diff > > > By calling ContextService.getContextOrNull() (and its relatives), application code can get its hands on all sorts of internal Derby contexts, factories, and managers. This allows application code to bypass SQL authorization checks and perform sensitive or data-corrupting actions. > For instance, right now an application can use this method to get its hands on the language connection context. From the lcc, the application can get its hands on the data dictionary and the execution transaction. Armed with those objects, the application can bypass authorization checks and create schema objects, users, and permissions. > Only Derby code should be able to call this powerful method. -- This message was sent by Atlassian JIRA (v6.2#6252)