[jira] Updated: (DERBY-4292) creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not wrapped in privilege block which can cause problems running under SecurityManager

Wed, 01 Jul 2009 16:03:18 -0700 

     [ 
https://issues.apache.org/jira/browse/DERBY-4292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kathey Marsden updated DERBY-4292:
----------------------------------

    Attachment: derby4292.zip

The problem occurs when you specify a file to run on the ij command line when 
running under security manager.

Attached is a reproduction for this issue.   Unzip derby4292.zip. Change run.sh 
to point to your location and run run.sh.


With the Sun JDK 1.6 JDK I get.
Exception in thread "main" java.security.AccessControlException: access denied 
(java.io.FilePermission repro.sql read)
        at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at 
java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
        at java.io.FileInputStream.<init>(FileInputStream.java:100)
        at java.io.FileInputStream.<init>(FileInputStream.java:66)
        at org.apache.derby.impl.tools.ij.Main.mainCore(Main.java:117)
        at org.apache.derby.impl.tools.ij.Main.main(Main.java:73)
        at org.apache.derby.tools.ij.main(ij.java:59)

With IBM 1.6 I don't get an error but I think that is due to an IBM jvm bug 
which I will file soon.



> creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not 
> wrapped in privilege  block which can cause problems running under 
> SecurityManager
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-4292
>                 URL: https://issues.apache.org/jira/browse/DERBY-4292
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.1.3.1, 10.2.2.0, 10.3.2.1, 10.4.2.0, 10.5.1.1, 
> 10.6.0.0
>            Reporter: Kathey Marsden
>            Assignee: Tiago R. Espinha
>         Attachments: derby4292.zip
>
>
> org.apache.derby.impl.tools.ij.Main has this code where the call to 
> FileInputStream is not wrapped in a privilege block:
>                    try {
>                         in1 = new FileInputStream(file);
>                         if (in1 != null) {
>                             in1 = new BufferedInputStream(in1, 
> utilMain.BUFFEREDFILESIZE);
>                             in = langUtil.getNewInput(in1);
>                         }
>                     } catch (FileNotFoundException e) {
>                         if (Boolean.getBoolean("ij.searchClassPath")) {
>                             in = 
> langUtil.getNewInput(util.getResourceAsStream(file));
>                         }
> This can cause issues when running under SecurityManager

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to