[jira] Commented: (DERBY-2925) Prevent export from overwriting existing files

Thu, 26 Jul 2007 11:39:26 -0700 

    [ 
https://issues.apache.org/jira/browse/DERBY-2925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515826
 ] 

Kathey Marsden commented on DERBY-2925:
---------------------------------------

Ramin, do you think the issue is that we now need read permission for  the 
extout directory in the policy file, so we can determine if the file exists? 
e.g.

Index: 
java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
===================================================================
--- java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy  
(revision 559646)
+++ java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy  
(working copy)
@@ -70,7 +70,7 @@
   // Import/export and other support files from these locations in tests
   permission java.io.FilePermission "${user.dir}${/}extin${/}-", "read";
   permission java.io.FilePermission "${user.dir}${/}extinout${/}-", "read,  
write, delete";
-  permission java.io.FilePermission "${user.dir}${/}extout${/}-", "write";
+  permission java.io.FilePermission "${user.dir}${/}extout${/}-", "read,write";
   permission java.io.FilePermission "${user.dir}${/}extinout", "read,write";

   // These permissions are needed to load the JCE for encryption with Sun and 
IBM JDK131.
[C:/svn2/trunk]

Kathey


> Prevent export from overwriting existing files
> ----------------------------------------------
>
>                 Key: DERBY-2925
>                 URL: https://issues.apache.org/jira/browse/DERBY-2925
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Security, Tools
>    Affects Versions: 10.1.2.1, 10.2.2.0, 10.3.1.3, 10.4.0.0
>            Reporter: Kathey Marsden
>            Assignee: Ramin Moazeni
>         Attachments: DERBY-2925v0.diff, DERBY-2925v0.stat, DERBY-2925v1.diff, 
> DERBY-2925v1.stat, DERBY-2925v2.diff, DERBY-2925v2.stat, DERBY-2925v3.diff, 
> DERBY-2925v3.stat, releaseNotev0.html
>
>
> Export should not overwrite existing files, but rather insist that the user 
> remove them before writing to the file.  This will help prevent accidental or 
> intentional corruption of the database with export.  This may introduce a 
> compatibility issue with export but because export is usually an attended 
> utility and not typically invoked as part of an application, I think the risk 
> is worth the additional security this will provide.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to