[ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17834537#comment-17834537 ]

Bryan Pendleton commented on DERBY-7161:
----------------------------------------

Hi Rick, have you thought much about where we might best document this?

My thought is that we might put such documentation in multiple places to give 
it the best chance of being seen.

> Document the need for client-side applications to vet user-supplied 
> connection directives
> -----------------------------------------------------------------------------------------
>
>                 Key: DERBY-7161
>                 URL: https://issues.apache.org/jira/browse/DERBY-7161
>             Project: Derby
>          Issue Type: Task
>          Components: Documentation, Network Client
>    Affects Versions: 10.18.0.0
>            Reporter: Richard N. Hillegas
>            Priority: Major
>
> Somewhere, we should document the fact that client-side applications should 
> not use user-supplied URLs or Properties objects to connect to remote 
> databases. Those URLs and Properties objects may contain instructions for 
> tracing network traffic. If the client-side application runs from a more 
> privileged account than the user, then this could let the user pollute parts 
> of the directory system to which the user does not normally have 
> write-access. Client-side applications should vet all user-supplied 
> directives before establishing connections.
> A related MySQL problem is described by [1].
> [1] https://github.com/apache/security-site/compare/main...raboof:security-site:mysql
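An added example of the vetting step the issue asks for (not Derby's own code and not from the issue or this comment): instead of handing a user-supplied URL or Properties object to the driver, the application builds the `jdbc:derby://host:port/db;attr=value` URL itself from validated pieces and accepts only attributes on a small allowlist, so a trace directive smuggled in by the user never reaches the client. The class and method names are assumptions; `traceDirectory` is a real Derby client tracing attribute used here only as the constructed rejected input and is not named on the page.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Derby's code): build a Derby client URL from user-supplied
 * pieces instead of passing the user's own URL or Properties through. Only
 * allowlisted attributes are accepted; anything else (e.g. a tracing directive
 * that would make a privileged client write files) is rejected before connecting.
 */
public final class VettedDerbyUrl {
    // Attributes an ordinary user may legitimately supply. Everything else is refused.
    private static final Set<String> ALLOWED_ATTRIBUTES = Set.of("user", "password");
    // Conservative shapes for the pieces interpolated into the URL.
    private static final Pattern HOST = Pattern.compile("[A-Za-z0-9.-]{1,253}");
    private static final Pattern DB_NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");
    // Values must not contain ';' or '=', the separators that would start a new directive.
    private static final Pattern ATTR_VALUE = Pattern.compile("[^;=\\s]{1,128}");

    private VettedDerbyUrl() {}

    public static String build(String host, int port, String dbName, Map<String, String> userAttrs) {
        if (!HOST.matcher(host).matches()) throw new IllegalArgumentException("bad host");
        if (port < 1 || port > 65535) throw new IllegalArgumentException("bad port");
        if (!DB_NAME.matcher(dbName).matches()) throw new IllegalArgumentException("bad database name");
        StringBuilder url = new StringBuilder("jdbc:derby://")
                .append(host).append(':').append(port).append('/').append(dbName);
        for (Map.Entry<String, String> e : userAttrs.entrySet()) {
            String name = e.getKey();
            if (!ALLOWED_ATTRIBUTES.contains(name)) {
                throw new IllegalArgumentException("connection attribute not permitted: " + name);
            }
            if (!ATTR_VALUE.matcher(e.getValue()).matches()) {
                throw new IllegalArgumentException("bad value for attribute: " + name);
            }
            url.append(';').append(name).append('=').append(e.getValue());
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: credentials are accepted and interpolated...
        System.out.println(build("db.example.org", 1527, "sales", Map.of("user", "alice", "password", "s3cret")));
        // ...while a user-supplied trace directive is refused before any connection is attempted.
        try {
            build("db.example.org", 1527, "sales", Map.of("user", "alice", "traceDirectory", "/var/tmp"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The returned URL can then be passed to `DriverManager.getConnection`; passing credentials via the allowlisted attributes is shown only for brevity, and an application may equally keep them out of the URL and hand them to the driver separately.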



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
