Rick Hillegas created DERBY-6616:
------------------------------------
Summary: User procedures can call system procedures, circumventing SQL authorization.
Key: DERBY-6616
URL: https://issues.apache.org/jira/browse/DERBY-6616
Project: Derby
Issue Type: Bug
Components: SQL
Affects Versions: 10.11.0.0
Reporter: Rick Hillegas

System procedures are implemented as public static methods in
org.apache.derby.catalog.SystemProcedures. These methods can be called by code
in user-written procedures. This allows a user-written procedure to circumvent
the SQL authorization checks which are supposed to limit some procedures to
being called only by the DBO. I will attach a repro.
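
An audit sketch for the issue described above, added here as an example and not part of the original report or of Derby's code: it parses the constant pool of every class in a jar and lists the classes that reference org.apache.derby.catalog.SystemProcedures directly. The helper names (class_refs, scan_jar, fake_class, sample_jar) and the sample jar contents are constructed for illustration.

```python
import io
import struct
import zipfile

TARGET = "org/apache/derby/catalog/SystemProcedures"  # class named in the report
# Payload size of each fixed-width constant-pool tag (JVM class-file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_refs(data):
    """Return the class names a compiled class references via CONSTANT_Class."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pos, idx, utf8, classes = 10, 1, {}, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            n = struct.unpack_from(">H", data, pos)[0]
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED:
            if tag == 7:  # CONSTANT_Class: index of the Utf8 holding the name
                classes.append(struct.unpack_from(">H", data, pos)[0])
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return {utf8[i] for i in classes if i in utf8}

def scan_jar(jar_bytes):
    """List the .class entries of a jar that reference TARGET directly."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist()
                      if n.endswith(".class") and TARGET in class_refs(jar.read(n)))

def fake_class(*names):
    """Constructed input: class-file header plus constant pool only."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(n)) + n.encode() + b"\x07"
                    + struct.pack(">H", 2 * i + 1) for i, n in enumerate(names))
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 2 * len(names) + 1) + pool

def sample_jar():
    """Constructed jar: one class references TARGET, the other does not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("app/UserProc.class", fake_class("app/UserProc", TARGET))
        jar.writestr("app/Clean.class", fake_class("app/Clean", "java/lang/Object"))
    return buf.getvalue()
```

On the constructed jar, `scan_jar(sample_jar())` returns `['app/UserProc.class']`. The scan sees direct compiled references only, so a clean result is a triage signal rather than proof that no procedure reaches the system methods.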