[jira] Updated: (DERBY-4292) creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not wrapped in privilege block which can cause problems running under SecurityManager

Wed, 08 Jul 2009 11:55:39 -0700 

     [ 
https://issues.apache.org/jira/browse/DERBY-4292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tiago R. Espinha updated DERBY-4292:
------------------------------------

    Attachment: DERBY-4292-ReproTest.patch
                DERBY-4292-Fix.patch

Attaching a new fix and repro test that takes Kathey's comments into 
consideration.

- Add Apache licence header to new files -  CHECK
- For your privilege block in Main.java, use PrivilegedExceptionAction instead 
of PrivilegedAction so you can throw the original exception instead of creating 
a new one if the file is not found. See 
PrivilegedFileOpsForTests.getFileOutputStream() for an example. - CHECK
- In the test if it is using the standard policy file, why do we need to copy 
it to a special one for this test? - CHECK
- The test should be added to a suite. - CHECK
- I would keep the same name when copying IjSecurityManagerTest.sql - CHECK
- Regarding the output I am not sure the best way to handle it. There is 
System.setOut that could be set and restored, but that seems extreme. I will 
think about it.  - CHECK

Please note that both patches have to be committed. One is the repro test that 
makes the bug show, the other is the fix to patch it.

> creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not 
> wrapped in privilege  block which can cause problems running under 
> SecurityManager
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-4292
>                 URL: https://issues.apache.org/jira/browse/DERBY-4292
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.1.3.1, 10.2.2.0, 10.3.2.1, 10.4.2.0, 10.5.1.1, 
> 10.6.0.0
>            Reporter: Kathey Marsden
>            Assignee: Tiago R. Espinha
>         Attachments: DERBY-4292-Fix.patch, DERBY-4292-Fix.patch, 
> DERBY-4292-ReproTest.patch, DERBY-4292-ReproTest.patch, derby4292.zip
>
>
> org.apache.derby.impl.tools.ij.Main has this code where the call to 
> FileInputStream is not wrapped in a privilege block:
>                    try {
>                         in1 = new FileInputStream(file);
>                         if (in1 != null) {
>                             in1 = new BufferedInputStream(in1, 
> utilMain.BUFFEREDFILESIZE);
>                             in = langUtil.getNewInput(in1);
>                         }
>                     } catch (FileNotFoundException e) {
>                         if (Boolean.getBoolean("ij.searchClassPath")) {
>                             in = 
> langUtil.getNewInput(util.getResourceAsStream(file));
>                         }
> This can cause issues when running under SecurityManager

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to