[
https://issues.apache.org/jira/browse/DERBY-4292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12728965#action_12728965
]
Kathey Marsden commented on DERBY-4292:
---------------------------------------
Well it seems with your new patch we don't have a problem running under
security manger when we hit the Boolean.getBoolean() call so I guess it is ok.
The javadoc also indicates that no checks are done. I don't know why.
http://java.sun.com/javase/6/docs/api/java/lang/System.html#getProperty(java.lang.String)
I verified that ij.searchClassPath is working ok by running:
java -Dderby.system.home=C:/kmarsden/repro/derby-4292
-Dij.searchClassPath=true -Djava.security.manager
-DderbyTesting.codejar=file:/C:/svn4/trunk/jars/sane/
-Djava.security.policy=C:/kmarsden/repro/derby-4292/derby_tests.policy
org.apache.derby.tools.ij
/org/apache/derbyTesting/functionTests/tests/tools/IjSecurityManagerTest.sql
If I specify a resource that doesn't exist with ij.searchClassPath I get a
pre-existing NPE:
Exception in thread "main" java.lang.NullPointerException
at java.io.Reader.<init>(Reader.java:61)
at java.io.InputStreamReader.<init>(InputStreamReader.java:55)
at
org.apache.derby.iapi.tools.i18n.LocalizedInput.<init>(LocalizedInput.java:32)
at
org.apache.derby.iapi.tools.i18n.LocalizedResource.getNewInput(LocalizedResource.java:241)
at org.apache.derby.impl.tools.ij.Main.mainCore(Main.java:131)
at org.apache.derby.impl.tools.ij.Main.main(Main.java:75)
at org.apache.derby.tools.ij.main(ij.java:59)
I don't know if that needs a bug since we don't seem to document this property.
As an aside, I don't like the way ij just prints the error to the output and
returns instead of throwing an exception. This means it won't exit with an
error code if it can't find the file.
[C:/kmarsden/repro/derby-4292] java org.apache.derby.tools.ij notthere.sql
IJ ERROR: file not found: notthere.sql
[C:/kmarsden/repro/derby-4292] echo $?
0
That too is preexisting.
So with regard to your patch I think the fix looks fine. For the test patch you
should remove the SecurityManager setup, and add a test if the file does not
exist, and add the header to the sql file.
> creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not
> wrapped in privilege block which can cause problems running under
> SecurityManager
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-4292
> URL: https://issues.apache.org/jira/browse/DERBY-4292
> Project: Derby
> Issue Type: Bug
> Components: Tools
> Affects Versions: 10.1.3.1, 10.2.2.0, 10.3.2.1, 10.4.2.0, 10.5.1.1,
> 10.6.0.0
> Reporter: Kathey Marsden
> Assignee: Tiago R. Espinha
> Attachments: DERBY-4292-Fix.patch, DERBY-4292-Fix.patch,
> DERBY-4292-Fix.patch, DERBY-4292-ReproTest.patch, DERBY-4292-ReproTest.patch,
> derby4292.zip, run.out.debugall
>
>
> org.apache.derby.impl.tools.ij.Main has this code where the call to
> FileInputStream is not wrapped in a privilege block:
> try {
> in1 = new FileInputStream(file);
> if (in1 != null) {
> in1 = new BufferedInputStream(in1,
> utilMain.BUFFEREDFILESIZE);
> in = langUtil.getNewInput(in1);
> }
> } catch (FileNotFoundException e) {
> if (Boolean.getBoolean("ij.searchClassPath")) {
> in =
> langUtil.getNewInput(util.getResourceAsStream(file));
> }
> This can cause issues when running under SecurityManager
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
