[jira] Updated: (DERBY-4292) creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not wrapped in privilege block which can cause problems running under SecurityManager

[Tiago R. Espinha (JIRA)]

     [ 
https://issues.apache.org/jira/browse/DERBY-4292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tiago R. Espinha updated DERBY-4292:
------------------------------------

    Attachment: DERBY-4292-ReproTest.patch
                DERBY-4292-Fix.patch

I'm submitting two files to this issue. The ReproTest contains a test that 
reproduces the flaw. If this patch is applied and the test is ran *without* the 
fix, it should fail. This acknowledges the existence of the flaw.

The fix simply wraps the 'offending' code in a privilege block, making the 
repro test pass.

There's one issue with the test: since I am invoking ij manually from within 
the fixture, the output gets printed to the console. Does anyone have any 
suggestions to mute this output? We don't really need to see the output since 
we can handle the exception instead, in case it throws one.

It needs also to be noted that the policy file being used is the already 
existent util/derby_tests.policy since it serves the purpose of the test. 
However, a new file (tools/IjSecurityManagerTest.sql) is added that is used to 
reproduce the failure.

> creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not 
> wrapped in privilege  block which can cause problems running under 
> SecurityManager
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-4292
>                 URL: https://issues.apache.org/jira/browse/DERBY-4292
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.1.3.1, 10.2.2.0, 10.3.2.1, 10.4.2.0, 10.5.1.1, 
> 10.6.0.0
>            Reporter: Kathey Marsden
>            Assignee: Tiago R. Espinha
>         Attachments: DERBY-4292-Fix.patch, DERBY-4292-ReproTest.patch, 
> derby4292.zip
>
>
> org.apache.derby.impl.tools.ij.Main has this code where the call to 
> FileInputStream is not wrapped in a privilege block:
>                    try {
>                         in1 = new FileInputStream(file);
>                         if (in1 != null) {
>                             in1 = new BufferedInputStream(in1, 
> utilMain.BUFFEREDFILESIZE);
>                             in = langUtil.getNewInput(in1);
>                         }
>                     } catch (FileNotFoundException e) {
>                         if (Boolean.getBoolean("ij.searchClassPath")) {
>                             in = 
> langUtil.getNewInput(util.getResourceAsStream(file));
>                         }
> This can cause issues when running under SecurityManager

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.