[jira] [Updated] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives
[ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard N. Hillegas updated DERBY-7161:
---------------------------------------
    Attachment: derby-7161-01-aa-traceFileAttributes.tar

> Document the need for client-side applications to vet user-supplied connection directives
> -----------------------------------------------------------------------------------------
>
>                 Key: DERBY-7161
>                 URL: https://issues.apache.org/jira/browse/DERBY-7161
>             Project: Derby
>          Issue Type: Task
>          Components: Documentation, Network Client
>    Affects Versions: 10.18.0.0
>            Reporter: Richard N. Hillegas
>            Priority: Major
>         Attachments: derby-7161-01-aa-traceFileAttributes.diff, derby-7161-01-aa-traceFileAttributes.tar
>
>
> Somewhere, we should document the fact that client-side applications should not use user-supplied URLs or Properties objects to connect to remote databases. Those URLs and Properties objects may contain instructions for tracing network traffic. If the client-side application runs from a more privileged account than the user, then this could let the user pollute parts of the directory system to which the user does not normally have write-access. Client-side applications should vet all user-supplied directives before establishing connections.
> A related MySQL problem is described by [1].
> [1] https://github.com/apache/security-site/compare/main...raboof:security-site:mysql

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
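One way a client-side application can do the vetting the issue asks for, shown here as an added example that is not part of this thread or of Derby's own code: the application builds the connection URL itself and copies only allow-listed attributes out of a user-supplied Properties object. The class name, host, port, database-name pattern and allowed-attribute set are assumptions; the trace attribute names are the Derby network client's trace attributes, which the issue text refers to but does not list.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical helper: opens a Derby network-client connection using only vetted attributes. */
public final class VettedDerbyConnector {
    // Fixed by the application, never taken from the user (constructed values).
    private static final String HOST = "db.internal.example";
    private static final int PORT = 1527;
    private static final Pattern DB_NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");
    // Attributes a caller may influence (assumption); everything else is dropped.
    private static final Set<String> ALLOWED = Set.of("user", "password");
    // Derby network client attributes that make the driver write trace output on the client host.
    private static final Set<String> TRACE_ATTRS =
            Set.of("traceFile", "traceDirectory", "traceLevel", "traceFileAppend");

    /** Returns a copy of supplied that contains only allow-listed attributes. */
    static Properties vet(Properties supplied) {
        Properties clean = new Properties();
        for (String name : supplied.stringPropertyNames()) {
            if (TRACE_ATTRS.contains(name)) {
                // Fail loudly rather than silently dropping: a trace directive in user
                // input is worth an audit-log entry, not just a filtered property.
                throw new IllegalArgumentException("trace attribute not permitted: " + name);
            }
            if (ALLOWED.contains(name)) {
                clean.setProperty(name, supplied.getProperty(name));
            }
        }
        return clean;
    }

    /** Builds the URL itself so a caller cannot append ";attribute=value" pairs via a URL string. */
    static String url(String dbName) {
        if (!DB_NAME.matcher(dbName).matches()) {
            throw new IllegalArgumentException("bad database name: " + dbName);
        }
        return "jdbc:derby://" + HOST + ":" + PORT + "/" + dbName;
    }

    /** The only path to DriverManager: fixed URL plus vetted properties. */
    static Connection connect(String dbName, Properties supplied) throws SQLException {
        return DriverManager.getConnection(url(dbName), vet(supplied));
    }
}
```

The same check has to sit in front of DataSource setters (setConnectionAttributes and the trace-related setters) if the application configures the client that way instead of through DriverManager.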
[jira] [Commented] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives
[ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17840245#comment-17840245 ]

Richard N. Hillegas commented on DERBY-7161:
--------------------------------------------

Attaching derby-7161-01-aa-traceFileAttributes.diff. This patch adds some documentation which warns users about the security implications of the trace file connection attributes. Also attaching derby-7161-01-aa-traceFileAttributes.tar, a tarball of corresponding generated output.

Touches the following files:

{noformat}
M src/adminguide/cadminappsclient.dita

Adds a warning to the Admin Guide's "Accessing the Network Server by using the network client driver" topic.

M src/devguide/cdevdvlp51654.dita

Adds a warning to the Developer's Guide's "Working with the database connection URL attributes" topic.

M src/ref/rrefattrib24612.dita

Adds a warning to the Reference Guide's "Setting attributes for the database connection URL" topic.

M src/security/csecintrosafer.dita

Adds a warning to the Security Guide's "Designing safer Derby applications" topic.
{noformat}
[jira] [Updated] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives
[ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard N. Hillegas updated DERBY-7161:
---------------------------------------
    Attachment: derby-7161-01-aa-traceFileAttributes.diff