[ https://issues.apache.org/jira/browse/DERBY-6616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-6616:
---------------------------------

    Attachment: derby-6616-01-ad-reauthorize.diff

Attaching a candidate patch for this issue. Needs to be tested and debugged 
before I describe it.

> User procedures can call system procedures, circumventing SQL authorization.
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6616
>                 URL: https://issues.apache.org/jira/browse/DERBY-6616
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.11.0.0
>            Reporter: Rick Hillegas
>            Assignee: Rick Hillegas
>         Attachments: SystemProcWrapper.java, derby-6616-01-ad-reauthorize.diff
>
>
> System procedures are implemented as public static methods in 
> org.apache.derby.catalog.SystemProcedures. These methods can be called by 
> code in user-written procedures. This allows a user-written procedure to 
> circumvent the SQL authorization checks which are supposed to limit some 
> procedures to being called only by the DBO. I will attach a repro.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
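
The gap described in the issue, shown as a toy Java model. This is an added example, not Derby code and not a description of the attached patch; every class, method and user name in it is hypothetical. It assumes one general remedy: the privileged method re-checks the session user itself instead of trusting that the caller came through the SQL layer.

```java
// Toy model, constructed for illustration; none of these names are Derby's.
public class ReauthorizeDemo {
    // Stand-in for the SQL session's current user.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();
    static final String DBO = "dbo";

    // Stand-in for the SQL layer's EXECUTE privilege check.
    static boolean sqlLayerAllows(String user, String procedure) {
        if (procedure.equals("userProc")) return true; // granted to everyone
        return user.equals(DBO);                       // system procedures: DBO only
    }

    // Weak: assumes every caller already passed the SQL-layer check.
    public static String sysProcUnchecked() {
        return "privileged action performed";
    }

    // Hardened: the method re-checks the session user before doing any work.
    public static String sysProcReauthorized() {
        if (!DBO.equals(CURRENT_USER.get())) {
            throw new SecurityException("only the DBO may run this procedure");
        }
        return "privileged action performed";
    }

    // Body of a user-written procedure: plain Java that can reach any
    // public static method, so the SQL-layer check above is never consulted.
    static String userProc(boolean callHardened) {
        return callHardened ? sysProcReauthorized() : sysProcUnchecked();
    }

    // Models "CALL userProc()" issued through SQL by the given user.
    static String callViaSql(String user, boolean callHardened) {
        CURRENT_USER.set(user);
        try {
            if (!sqlLayerAllows(user, "userProc")) {
                throw new SecurityException("no EXECUTE privilege");
            }
            return userProc(callHardened);
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        } finally {
            CURRENT_USER.remove();
        }
    }

    public static void main(String[] args) {
        System.out.println("alice, unchecked:    " + callViaSql("alice", false));
        System.out.println("alice, reauthorized: " + callViaSql("alice", true));
        System.out.println("dbo,   reauthorized: " + callViaSql("dbo", true));
    }
}
```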
