Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/07/10 18:56:04 UTC
[jira] [Resolved] (DERBY-6616) User procedures can call system procedures, circumventing SQL authorization.
[ https://issues.apache.org/jira/browse/DERBY-6616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rick Hillegas resolved DERBY-6616.
----------------------------------
Resolution: Fixed
> User procedures can call system procedures, circumventing SQL authorization.
> ----------------------------------------------------------------------------
>
> Key: DERBY-6616
> URL: https://issues.apache.org/jira/browse/DERBY-6616
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.11.0.0
> Reporter: Rick Hillegas
> Assignee: Rick Hillegas
> Attachments: SystemProcWrapper.java, derby-6616-01-ad-reauthorize.diff
>
>
> System procedures are implemented as public static methods in org.apache.derby.catalog.SystemProcedures. These methods can be called by code in user-written procedures. This allows a user-written procedure to circumvent the SQL authorization checks which are supposed to limit some procedures to being called only by the DBO. I will attach a repro.
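A toy Java model of the flaw described in the quoted issue, added here as an illustration; it is not Derby code and not taken from the attached files. All class, method, routine and user names are hypothetical, and the in-method re-check shown is one way to close the gap, not necessarily what the attached diff does.

```java
import java.util.HashSet;
import java.util.Set;

/** Constructed model: privilege checked only at the SQL CALL layer vs. re-checked in the method. */
public class ReauthorizeDemo {
    static final String DBO = "dbo"; // assumed name of the database owner
    // Stands in for the engine's record of who is running the current statement.
    static final ThreadLocal<String> currentUser = new ThreadLocal<>();
    static final Set<String> executeGrants = new HashSet<>(); // "user:routine" pairs

    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    // SQL layer: checks EXECUTE privilege on the routine named in the CALL statement only.
    static void sqlCall(String user, String routine, Runnable body) {
        if (!user.equals(DBO) && !executeGrants.contains(user + ":" + routine))
            throw new AuthorizationException(user + " may not execute " + routine);
        currentUser.set(user);
        try { body.run(); } finally { currentUser.remove(); }
    }

    // Before: a public static entry point that trusts the SQL layer to have checked the caller.
    public static String sysProcUnchecked() { return "privileged action performed"; }

    // After: the method re-checks the session user, so the route taken to reach it is irrelevant.
    public static String sysProcReauthorized() {
        if (!DBO.equals(currentUser.get()))
            throw new AuthorizationException("restricted to the database owner");
        return "privileged action performed";
    }

    public static void main(String[] args) {
        executeGrants.add("alice:ALICE.WRAPPER"); // alice may run only her own procedure

        try { sqlCall("alice", "SYS.PROC", ReauthorizeDemo::sysProcUnchecked); }
        catch (AuthorizationException e) { System.out.println("direct CALL: denied"); }

        // Java code inside alice's procedure reaches the static method without a second check.
        sqlCall("alice", "ALICE.WRAPPER",
                () -> System.out.println("wrapper -> unchecked: " + sysProcUnchecked()));

        try { sqlCall("alice", "ALICE.WRAPPER", ReauthorizeDemo::sysProcReauthorized); }
        catch (AuthorizationException e) { System.out.println("wrapper -> reauthorized: denied"); }

        sqlCall(DBO, "SYS.PROC",
                () -> System.out.println("dbo -> reauthorized: " + sysProcReauthorized()));
    }
}
```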