[ 
https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14056457#comment-14056457
 ] 

Rick Hillegas commented on DERBY-6648:
--------------------------------------

Knut suggests the following solution:

1) Whenever ContextService looks up a context, it should check that a Derby 
SystemPermission( "lookupContext" ) has been granted.

2) We should tell users to grant that permission to the engine jar.

We would want to verify that this does not degrade performance. We may need to 
make sure that contexts are cached and not looked up for every iteration of 
inner loops on the main execution path.

> Application code should not be able to call ContextService.getContextOrNull()
> -----------------------------------------------------------------------------
>
>                 Key: DERBY-6648
>                 URL: https://issues.apache.org/jira/browse/DERBY-6648
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.0.0
>            Reporter: Rick Hillegas
>
> By calling ContextService.getContextOrNull() (and its relatives), application 
> code can get its hands on all sorts of internal Derby contexts, factories, 
> and managers. This allows application code to bypass SQL authorization checks 
> and perform sensitive or data-corrupting actions.
> For instance, right now an application can use this method to get its hands 
> on the language connection context. From the lcc, the application can get its 
> hands on the data dictionary and the execution transaction. Armed with those 
> objects, the application can bypass authorization checks and create schema 
> objects, users, and permissions.
> Only Derby code should be able to call this powerful method.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to