[
https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14111217#comment-14111217
]
Rick Hillegas commented on DERBY-6648:
--------------------------------------
Moving the doPrivileged() blocks further up the stack may be the way forward.
Everyone who calls a static ContextService method would have to do so inside a
doPrivileged() block. We would treat ContextService calls the way we treat
calls to java.io.File methods. It's a sizable rototill, but not impossible.
> Application code should not be able to call ContextService.getContextOrNull()
> -----------------------------------------------------------------------------
>
> Key: DERBY-6648
> URL: https://issues.apache.org/jira/browse/DERBY-6648
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: derby-6648-01-aa-oneActionList.diff
>
>
> By calling ContextService.getContextOrNull() (and its relatives), application
> code can get its hands on all sorts of internal Derby contexts, factories,
> and managers. This allows application code to bypass SQL authorization checks
> and perform sensitive or data-corrupting actions.
> For instance, right now an application can use this method to get its hands
> on the language connection context. From the lcc, the application can get its
> hands on the data dictionary and the execution transaction. Armed with those
> objects, the application can bypass authorization checks and create schema
> objects, users, and permissions.
> Only Derby code should be able to call this powerful method.
--
This message was sent by Atlassian JIRA
(v6.2#6252)