[
https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rick Hillegas updated DERBY-6648:
---------------------------------
Attachment: releaseNote.html
Attaching the first rev of the release note.
I am inclined to not back port this fix to 10.11 or earlier releases because of
the backward incompatibility described in the release note (policy files must
grant derby.jar an additional permission). However, other people may feel that
this vulnerability is serious enough to warrant backporting the fix to earlier
releases. I welcome other opinions.
> Application code should not be able to call ContextService.getContextOrNull()
> -----------------------------------------------------------------------------
>
> Key: DERBY-6648
> URL: https://issues.apache.org/jira/browse/DERBY-6648
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: derby-6648-01-aa-oneActionList.diff,
> derby-6648-01-ab-rototill1.diff, derby-6648-01-ad-rototill1.diff,
> derby-6648-01-ae-regressionTests.diff, releaseNote.html
>
>
> By calling ContextService.getContextOrNull() (and its relatives), application
> code can get its hands on all sorts of internal Derby contexts, factories,
> and managers. This allows application code to bypass SQL authorization checks
> and perform sensitive or data-corrupting actions.
> For instance, right now an application can use this method to get its hands
> on the language connection context. From the lcc, the application can get its
> hands on the data dictionary and the execution transaction. Armed with those
> objects, the application can bypass authorization checks and create schema
> objects, users, and permissions.
> Only Derby code should be able to call this powerful method.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
