[
https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rick Hillegas updated DERBY-6648:
---------------------------------
Attachment: releaseNote.html
Attaching a new version of the release note which says that the new
usederbyinternals permission must be granted to derbynet.jar and
derbyoptionaltools.jar too.
> Application code should not be able to call ContextService.getContextOrNull()
> -----------------------------------------------------------------------------
>
> Key: DERBY-6648
> URL: https://issues.apache.org/jira/browse/DERBY-6648
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Assignee: Rick Hillegas
> Attachments: derby-6648-01-aa-oneActionList.diff,
> derby-6648-01-ab-rototill1.diff, derby-6648-01-ad-rototill1.diff,
> derby-6648-01-ae-regressionTests.diff,
> derby-6648-02-aa-packagePrivateTests.diff, derby-6648-03-aa-monitor.diff,
> derby-6648-03-ab-monitor.diff, derby-6648-03-ac-monitor.diff,
> releaseNote.html, releaseNote.html
>
>
> By calling ContextService.getContextOrNull() (and its relatives), application
> code can get its hands on all sorts of internal Derby contexts, factories,
> and managers. This allows application code to bypass SQL authorization checks
> and perform sensitive or data-corrupting actions.
> For instance, right now an application can use this method to get its hands
> on the language connection context. From the lcc, the application can get its
> hands on the data dictionary and the execution transaction. Armed with those
> objects, the application can bypass authorization checks and create schema
> objects, users, and permissions.
> Only Derby code should be able to call this powerful method.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
