External DTD files are accessed without a privileged block when Derby parses 
XML values that reference such DTDs.
-----------------------------------------------------------------------------------------------------------------

                 Key: DERBY-2131
                 URL: http://issues.apache.org/jira/browse/DERBY-2131
             Project: Derby
          Issue Type: Bug
          Components: SQL
    Affects Versions: 10.2.1.6, 10.2.1.8, 10.2.2.0, 10.3.0.0
            Reporter: A B
         Assigned To: A B


The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser 
(e.g. Xerces or Crimson) to parse an XML value. If the XML value being parsed 
references an external DTD, then the JAXP parser will need to read the DTD file 
to complete parsing. However, the current code in SqlXmlUtil.java does not use a 
privileged block when it calls out to the JAXP parser. As a result, when a user 
who is running with a security manager tries to insert a document that 
references an external DTD, the call to XMLPARSE will fail with a security 
exception, even if the JAXP parser has the required "read" permissions.
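
As an added illustration (not Derby's own SqlXmlUtil code), here is the Java pattern this report asks for: the same JAXP parse call without and with a privileged block. It assumes a security manager is installed and that the policy grants the engine jar, but not the application code issuing the INSERT, read permission on the DTD file; the DTD path and class name are placeholders.

```java
import java.io.IOException;
import java.io.StringReader;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical illustration, not Derby's SqlXmlUtil. Assumes a security manager
// is installed and the policy file grants this code's jar (but not the caller)
// java.io.FilePermission "read" on the DTD location.
public final class PrivilegedXmlParse {
    // Constructed sample value; the DOCTYPE forces the parser to read an
    // external DTD, and the path is a placeholder.
    static final String SAMPLE_XML = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE note SYSTEM \"file:///placeholder/path/note.dtd\">"
        + "<note>hello</note>";
    private final DocumentBuilder builder;

    PrivilegedXmlParse() throws ParserConfigurationException {
        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Mirrors the reported bug: the parser's read of the DTD is checked against
    // every frame on the stack, including the application code that issued the
    // INSERT, so it fails with AccessControlException when that code lacks the
    // permission, regardless of what the engine jar itself has been granted.
    Document parseUnprivileged(String xml) throws SAXException, IOException {
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // The fix: doPrivileged stops the stack walk at this frame, so only the
    // permissions granted to this code decide whether the DTD may be read.
    // The block wraps nothing but the parse call, so no other operation
    // inherits the privilege.
    Document parsePrivileged(final String xml) throws SAXException, IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Document>() {
                public Document run() throws SAXException, IOException {
                    return builder.parse(new InputSource(new StringReader(xml)));
                }
            });
        } catch (PrivilegedActionException pae) {
            Exception cause = pae.getException(); // only the checked types run() declares
            if (cause instanceof SAXException) throw (SAXException) cause;
            throw (IOException) cause;
        }
    }
}
```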

-- 
This message is automatically generated by JIRA.