[jira] Updated: (DERBY-2131) External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.

Wed, 29 Nov 2006 15:11:42 -0800 

     [ http://issues.apache.org/jira/browse/DERBY-2131?page=all ]

A B updated DERBY-2131:
-----------------------

    Attachment: d2131_v1.patch

Attaching a patch, d2131_v1.patch, that wraps the call to JAXP inside a 
priveleged block.  I ran tests with some local (soon-to-be-posted) changes for 
DERBY-1758 to confirm that the patch solves the reported problem (i.e. that 
assignment of "read" permission to the JAXP parser allows successful execution 
of XMLPARSE).  I also ran derbyall on Red Hat Linux using ibm142 with no 
failures.  The "XMLSuite" JUnit suite also ran without error.

The patch doesn't include any tests; however, relevant test cases will be 
enabled as part of DERBY-1758 to verify the behavior.

I am very new to the notion of security managers and privileged blocks, so 
while this is a small patch, I would appreciate it if someone could review it 
to make sure that the changes make sense...

> External DTD files are accessed without a privileged block when Derby parses 
> XML values that reference such DTDs.
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2131
>                 URL: http://issues.apache.org/jira/browse/DERBY-2131
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.2.1.6, 10.3.0.0, 10.2.2.0, 10.2.1.8
>            Reporter: A B
>         Assigned To: A B
>         Attachments: d2131_v1.patch
>
>
> The Derby XMLPARSE operator ultimately makes a call to an external JAXP 
> parser (ex. Xerces or Crimson) to parse an XML value.  If the XML value that 
> is being parsed references an external DTD, then the JAXP parser will need to 
> read the DTD file to complete parsing.  However, the current code in 
> SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP 
> parser.  As a result, when a user who is running with a security manager 
> tries to insert a document that references an external DTD, the call to 
> XMLPARSE will fail with a security exception--even if the JAXP parser has the 
> required "read" permissions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to