[ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543706 ]
Rick Hillegas commented on DERBY-3083:
--------------------------------------
Thanks for the clarification, Dan. By "private to Derby" I mean that the
properties cannot be overridden by any scheme that I'm aware of. For instance,
someone could try to override the properties on the boot command line--but
these overrides would be ignored because Derby would forcibly set the
properties to values it calculated.
Fixing DERBY-2362 could reduce the vulnerability. However, I don't understand
how to fix DERBY-2362. The solutions which come to my mind seem to have the
same small windows of vulnerability which we're discussing here. If we could
figure out how those windows could in fact be exploited then we might be able
to talk about a solution.
As you note, if there is a way to exploit this window, then it can be used to
subvert the value of "derby.install.url" today. The incremental exposure seems
very small to me.
> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
> Key: DERBY-3083
> URL: https://issues.apache.org/jira/browse/DERBY-3083
> Project: Derby
> Issue Type: Bug
> Components: Tools
> Affects Versions: 10.3.1.4
> Reporter: Aaron Digulla
> Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a
> different name than "derbynet.jar" to the classpath. This makes it impossible
> to use it in maven projects where the jar is renamed to
> "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.