[ 
https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rick Hillegas updated DERBY-6648:
---------------------------------
    Attachment: derby-6648-01-ab-rototill1.diff

Attaching derby-6648-01-ab-rototill1.diff. This is an evolution of the previous 
patch. I am running tests now.

This patch does the following:

1) Makes the public static entry points of ContextService require the 
usederbyinternals permission.

2) Rototills private (or package protected) doPrivileged blocks around all of 
the callers of those static entry points.

3) Adjusts policy files accordingly.

I have verified that, with this patch, user code can't invoke the static public 
entry points of ContextService when running with a SecurityManager installed.

This patch is not ready for commit. Regression tests are needed for this 
feature. In addition, it's likely that more adjustments need to be made to test 
policy files.


Touches the following files:

-----------------------

M       java/engine/org/apache/derby/iapi/security/SecurityUtil.java
M       java/engine/org/apache/derby/iapi/services/context/ContextService.java

Changes for 1.

-----------------------


M       java/engine/org/apache/derby/iapi/sql/conn/ConnectionUtil.java
M       java/engine/org/apache/derby/iapi/sql/dictionary/SPSDescriptor.java
M       java/engine/org/apache/derby/iapi/sql/dictionary/IndexRowGenerator.java
M       java/engine/org/apache/derby/iapi/sql/dictionary/TableDescriptor.java
M       java/engine/org/apache/derby/iapi/sql/dictionary/TriggerDescriptor.java
M       java/engine/org/apache/derby/iapi/services/io/FormatIdInputStream.java
M       java/engine/org/apache/derby/iapi/types/SQLTime.java
M       java/engine/org/apache/derby/iapi/types/SQLTimestamp.java
M       java/engine/org/apache/derby/iapi/types/ClobStreamHeaderGenerator.java
M       java/engine/org/apache/derby/iapi/types/SQLChar.java
M       java/engine/org/apache/derby/iapi/types/SQLDate.java
M       java/engine/org/apache/derby/iapi/types/SQLBinary.java
M       java/engine/org/apache/derby/iapi/types/DataValueFactoryImpl.java
M       java/engine/org/apache/derby/iapi/types/NumberDataType.java
M       java/engine/org/apache/derby/iapi/store/access/DiskHashtable.java
M       java/engine/org/apache/derby/iapi/util/InterruptStatus.java
M       java/engine/org/apache/derby/impl/sql/compile/MaxMinAggregateDefinition.java
M       java/engine/org/apache/derby/impl/sql/compile/QueryTreeNode.java
M       java/engine/org/apache/derby/impl/sql/compile/SumAvgAggregateDefinition.java
M       java/engine/org/apache/derby/impl/sql/compile/OptimizerTracer.java
M       java/engine/org/apache/derby/impl/sql/compile/UserAggregateDefinition.java
M       java/engine/org/apache/derby/impl/sql/GenericStorablePreparedStatement.java
M       java/engine/org/apache/derby/impl/sql/execute/JarUtil.java
M       java/engine/org/apache/derby/impl/sql/execute/GenericConstantActionFactory.java
M       java/engine/org/apache/derby/impl/sql/GenericPreparedStatement.java
M       java/engine/org/apache/derby/impl/sql/LanguageDbPropertySetter.java
M       java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
M       java/engine/org/apache/derby/impl/sql/catalog/SequenceUpdater.java
M       java/engine/org/apache/derby/impl/jdbc/authentication/AuthenticationServiceBase.java
M       java/engine/org/apache/derby/impl/services/daemon/SingleThreadDaemonFactory.java
M       java/engine/org/apache/derby/impl/services/daemon/IndexStatisticsDaemonImpl.java
M       java/engine/org/apache/derby/impl/services/reflect/UpdateLoader.java
M       java/engine/org/apache/derby/impl/services/monitor/BaseMonitor.java
M       java/engine/org/apache/derby/impl/services/locks/Deadlock.java
M       java/engine/org/apache/derby/impl/services/locks/Timeout.java
M       java/engine/org/apache/derby/impl/db/SlaveDatabase.java
M       java/engine/org/apache/derby/impl/db/BasicDatabase.java
M       java/engine/org/apache/derby/impl/db/DatabaseContextImpl.java
M       java/engine/org/apache/derby/impl/store/access/RAMAccessManager.java
M       java/engine/org/apache/derby/impl/store/raw/xact/XactFactory.java
M       java/engine/org/apache/derby/impl/store/raw/log/LogToFile.java
M       java/engine/org/apache/derby/impl/store/raw/RawStore.java
M       java/engine/org/apache/derby/impl/store/raw/data/StreamFileContainer.java
M       java/engine/org/apache/derby/impl/store/raw/data/FileContainer.java
M       java/engine/org/apache/derby/impl/store/raw/data/RFResource.java
M       java/engine/org/apache/derby/impl/store/raw/data/D_DiagnosticUtil.java
M       java/engine/org/apache/derby/jdbc/EmbeddedDriver.java
M       java/engine/org/apache/derby/jdbc/EmbedXAResource.java
M       java/engine/org/apache/derby/jdbc/InternalDriver.java
M       java/engine/org/apache/derby/diag/DiagUtil.java
M       java/engine/org/apache/derby/diag/StatementCache.java
M       java/engine/org/apache/derby/security/SystemPermission.java
M       java/engine/org/apache/derby/catalog/Java5SystemProcedures.java

Changes for 2.

-----------------------


M       java/drda/org/apache/derby/drda/server.policy
M       java/drda/org/apache/derby/drda/template.policy
M       java/testing/org/apache/derbyTesting/unitTests/harness/T_Bomb.java
M       java/testing/org/apache/derbyTesting/unitTests/harness/BasicUnitTestManager.java
M       java/testing/org/apache/derbyTesting/unitTests/junit/MissingPermissionsTest1.policy
M       java/testing/org/apache/derbyTesting/unitTests/junit/MissingPermissionsTest2.policy
M       java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest.policy
M       java/testing/org/apache/derbyTesting/unitTests/junit/MissingPermissionsTest.policy
M       java/testing/org/apache/derbyTesting/unitTests/junit/SystemPrivilegesPermissionTest1.policy
M       java/testing/org/apache/derbyTesting/unitTests/store/T_b2i.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_Heap.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_FileSystemData.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_RecoverBadLog.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_AccessFactory.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_RecoverFullLog.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_StreamFile.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_SortController.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_Recovery.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_RawStoreFactory.java
M       java/testing/org/apache/derbyTesting/unitTests/store/T_XA.java
M       java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.unreloadable.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/lang/resultSetReader.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/lang/luceneSupport.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/LDAPTests.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/store/Derby3980DeadlockTest.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/engine/noDeregisterPermission.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/SysinfoTest.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy
M       java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/SecureServerTest.policy
M       java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
M       java/testing/org/apache/derbyTesting/functionTests/util/T_ConsistencyChecker.java
M       java/testing/org/apache/derbyTesting/functionTests/util/PropertyUtil.java

Changes for 3.


> Application code should not be able to call ContextService.getContextOrNull()
> -----------------------------------------------------------------------------
>
>                 Key: DERBY-6648
>                 URL: https://issues.apache.org/jira/browse/DERBY-6648
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: derby-6648-01-aa-oneActionList.diff, 
> derby-6648-01-ab-rototill1.diff
>
>
> By calling ContextService.getContextOrNull() (and its relatives), application 
> code can get its hands on all sorts of internal Derby contexts, factories, 
> and managers. This allows application code to bypass SQL authorization checks 
> and perform sensitive or data-corrupting actions.
> For instance, right now an application can use this method to get its hands 
> on the language connection context. From the lcc, the application can get its 
> hands on the data dictionary and the execution transaction. Armed with those 
> objects, the application can bypass authorization checks and create schema 
> objects, users, and permissions.
> Only Derby code should be able to call this powerful method.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
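
The pattern the update above describes (a permission check in the static entry point, a private doPrivileged wrapper in engine callers, and a policy grant), as an added example that is not Derby's code and not part of the attached patch. Assumptions: `RuntimePermission("usederbyinternals")` stands in for Derby's permission, the names `InternalsGuardDemo` and `EngineCaller` are hypothetical, the in-code `Policy` and the empty `ProtectionDomain` stand in for the policy file and for application code, and the JDK still implements the Security Manager APIs (Java 8 through 17).

```java
import java.security.*;

public class InternalsGuardDemo {
    // Stand-in for the "usederbyinternals" permission (assumed class and name).
    static final Permission USE_INTERNALS = new RuntimePermission("usederbyinternals");

    // Plays the role of ContextService: the public static entry point is guarded.
    // Checked unconditionally here so the demo needs no SecurityManager installed.
    static final class ContextService {
        public static Object getContextOrNull(String id) {
            AccessController.checkPermission(USE_INTERNALS);
            return "context:" + id;
        }
    }

    // Plays the role of an engine class: a private doPrivileged wrapper, so the
    // permission check stops at engine code and never reaches the application.
    static final class EngineCaller {
        public static String currentSchema() {
            return "schema looked up via " + getContext("LanguageConnectionContext");
        }
        private static Object getContext(final String id) {
            return AccessController.doPrivileged(
                (PrivilegedAction<Object>) () -> ContextService.getContextOrNull(id));
        }
    }

    public static void main(String[] args) {
        // Plays the role of the policy-file grant to the engine jar: every class in
        // this file shares one protection domain, which this policy trusts.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        // Plays the role of application code: a domain holding no permissions.
        AccessControlContext application = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            // Public engine API called from the application: allowed.
            System.out.println(EngineCaller.currentSchema());
            try {   // Static entry point called directly from the application: denied.
                ContextService.getContextOrNull("LanguageConnectionContext");
                System.out.println("direct call allowed");
            } catch (AccessControlException e) {
                System.out.println("direct call denied: " + e.getPermission().getName());
            }
            return null;
        }, application);
    }
}
```

Keeping the wrapper private matters: a public method that wraps the guarded call in doPrivileged would hand the same access back to any caller.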
