db-derby-dev mailing list archives

From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DERBY-6654) Require that generated code live in the org.apache.derby.exe package.
Date Fri, 19 Sep 2014 19:16:33 GMT

     [ https://issues.apache.org/jira/browse/DERBY-6654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-6654:
    Attachment: derby-6654-01-aa-requireCorrectPackage.diff

Attaching derby-6654-01-aa-requireCorrectPackage.diff. This patch adds a check to the class
loader for generated byte code to verify that the class lives in the org.apache.derby.exe
package. I will run tests.

Touches the following files:


M       java/engine/org/apache/derby/impl/services/reflect/ReflectClassesJava2.java

Added the check.


M       java/testing/org/apache/derbyTesting/functionTests/tests/lang/_Suite.java
A       java/testing/org/apache/derbyTesting/functionTests/tests/lang/ClassLoadingTest.java

Test for this behavior.

> Require that generated code live in the org.apache.derby.exe package.
> ---------------------------------------------------------------------
>                 Key: DERBY-6654
>                 URL: https://issues.apache.org/jira/browse/DERBY-6654
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions:
>            Reporter: Rick Hillegas
>            Assignee: Rick Hillegas
>         Attachments: derby-6654-01-aa-requireCorrectPackage.diff
> We require that generated code must implement Activation. This helps prevent applications
> from using Derby's class loaders to load arbitrary classes. We should also require that generated
> code live in the org.apache.derby.exe package. This will prevent applications from loading
> highly privileged code using Derby class loaders.
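
The two restrictions described in the issue (a required interface and a required package), sketched as an added example that is not part of the original message and is not Derby's ReflectClassesJava2 code. `GeneratedCodeDemo`, `GeneratedLoader` and `Plan` (a stand-in for Activation) are hypothetical names, and the order of the two checks is an assumption.

```java
import java.io.InputStream;

// Hypothetical names throughout; this is not Derby's ReflectClassesJava2.
public class GeneratedCodeDemo {
    // Stand-in for the interface that generated classes must implement.
    interface Plan { }

    static final class GeneratedLoader extends ClassLoader {
        static final String REQUIRED_PACKAGE = "org.apache.derby.exe";

        GeneratedLoader(ClassLoader parent) { super(parent); }

        Class<?> loadGenerated(String name, byte[] code) {
            int dot = name.lastIndexOf('.');
            String pkg = dot < 0 ? "" : name.substring(0, dot);
            // Check 1: refuse before defineClass, so no class outside the
            // required package is ever defined by this loader.
            if (!REQUIRED_PACKAGE.equals(pkg)) {
                throw new SecurityException("not in " + REQUIRED_PACKAGE + ": " + name);
            }
            // defineClass throws NoClassDefFoundError when the binary name
            // inside the bytes differs from `name`, so relabelling foreign
            // byte code with an allowed name does not get past check 1.
            Class<?> c = defineClass(name, code, 0, code.length);
            // Check 2: the class must implement the expected interface.
            if (!Plan.class.isAssignableFrom(c)) {
                throw new SecurityException(name + " does not implement Plan");
            }
            return c;
        }
    }

    static String attempt(GeneratedLoader loader, String name, byte[] code) {
        try {
            return "loaded " + loader.loadGenerated(name, code).getName();
        } catch (SecurityException | LinkageError e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: this demo's own class file stands in for byte
        // code that did not come from the code generator.
        byte[] foreign;
        try (InputStream in = GeneratedCodeDemo.class.getResourceAsStream("GeneratedCodeDemo.class")) {
            foreign = in.readAllBytes();
        }
        GeneratedLoader loader = new GeneratedLoader(GeneratedCodeDemo.class.getClassLoader());
        System.out.println(attempt(loader, "GeneratedCodeDemo", foreign));         // name outside the package
        System.out.println(attempt(loader, "org.apache.derby.exe.Fake", foreign)); // allowed name, foreign bytes
    }
}
```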
