[ https://issues.apache.org/jira/browse/DERBY-3477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573594#action_12573594 ]
Daniel John Debrunner commented on DERBY-3477:
----------------------------------------------
I think this work-around in the current format permission handling introduces a
security hole:
+ principals.add(new SystemPrincipal(user));
+ principals.add(new SystemPrincipal(getAuthorizationId(user)));
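Review bot: these two adds give one authenticated user two distinct SystemPrincipals (the raw connection-URL form and its normalized authorization id), so a policy grant written against either form also matches a different user whose raw or normalized name happens to equal that string. Add a single SystemPrincipal built from the one canonical form the policy file is expected to use (the authorization id), rather than both.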
This jumps out as wrong to me, as SystemPrincipal is being passed user names
in two forms: one in a string form that corresponds to a SQL identifier format
(including support for delimited identifiers), the other in a
common-normal-form. Any time one passes different concepts to the same code,
it's a recipe for bugs.
Say the user name is a delimited identifier, user="fred"; e.g. in a Java
program the URL might look like:
String url = "jdbc:derby:db;user=\"fred\";password=8dkkw";
then the common form of the name is fred. Then the Subject has two
SystemPrincipals "fred" and fred.
Now a grant in the policy file of
grant principal org.apache.derby.authentication.SystemPrincipal "fred";
will successfully grant the permission to this user. Though the intention is
that the permission is granted to the authentication id that has FRED as its
cnf.
Now let's see what happens if the user=fred, i.e.
String url = "jdbc:derby:db;user=fred;password=de7343";
thus it has a cnf of FRED. Thus the subject has two SystemPrincipals, fred and
FRED.
Now that previous grant also works for this user.
Thus a single grant that was intended for a single user actually satisfies two
users; that's a security hole.
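The collision described in the comment above, as an added example that is not Derby's own code: a simplified model of SQL-identifier normalisation (an assumption, not Derby's real getAuthorizationId), the two-principal work-around beside a single-canonical-form alternative, and a check of which users a given policy grant ends up matching under each.

```python
# Added example; the normalisation rule below is a simplified assumption and
# the function names are hypothetical, not Derby's API.

def authorization_id(user: str) -> str:
    """Model of SQL identifier normalisation (assumption): a double-quoted
    (delimited) name keeps its case, with "" unescaped to "; any other
    (undelimited) name is upper-cased."""
    if len(user) >= 2 and user[0] == '"' and user[-1] == '"':
        return user[1:-1].replace('""', '"')
    return user.upper()


def principals_workaround(user: str) -> set[str]:
    """The criticised work-around: both the raw URL form and the
    normalised form become principals of the same Subject."""
    return {user, authorization_id(user)}


def principals_canonical(user: str) -> set[str]:
    """Alternative: only the canonical authorization id is a principal,
    so policy files name exactly one form."""
    return {authorization_id(user)}


def users_matched_by_grant(granted_name: str, users, build) -> list[str]:
    """Which of `users` a policy grant naming `granted_name` would satisfy,
    given a principal-building strategy `build`."""
    return sorted(u for u in users if granted_name in build(u))


if __name__ == "__main__":
    # Constructed sample users: user="fred" (delimited) and user=fred.
    users = ['"fred"', 'fred']
    print(users_matched_by_grant('fred', users, principals_workaround))
    print(users_matched_by_grant('fred', users, principals_canonical))
```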
> Make format principal names in SystemPermission (e.g. policy files) match the
> standard way Derby handles authorization identifiers in a Java context.
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-3477
> URL: https://issues.apache.org/jira/browse/DERBY-3477
> Project: Derby
> Issue Type: Sub-task
> Components: Security
> Reporter: Daniel John Debrunner
>
> Expected format described in:
> https://issues.apache.org/jira/browse/DERBY-2109?focusedCommentId=12561537#action_12561537
>
> Comments in DERBY-2109 around patch 10 indicate some issue around
> implementing this; it would be good to see the code that attempted to
> implement it to help figure out the problem.
--
This message is automatically generated by JIRA.