Posted to derby-dev@db.apache.org by "Richard N. Hillegas (Jira)" <ji...@apache.org> on 2024/03/21 17:39:00 UTC

[jira] [Updated] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives

     [ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard N. Hillegas updated DERBY-7161:
---------------------------------------
    Component/s: Documentation

> Document the need for client-side applications to vet user-supplied connection directives
> -----------------------------------------------------------------------------------------
>
>                 Key: DERBY-7161
>                 URL: https://issues.apache.org/jira/browse/DERBY-7161
>             Project: Derby
>          Issue Type: Task
>          Components: Documentation, Network Client
>    Affects Versions: 10.18.0.0
>            Reporter: Richard N. Hillegas
>            Priority: Major
>
> Somewhere, we should document the fact that client-side applications should not use user-supplied URLs or Properties objects to connect to remote databases. Those URLs and Properties objects may contain instructions for tracing network traffic. If the client-side application runs from a more privileged account than the user, then this could let the user pollute parts of the directory system to which the user does not normally have write-access. Client-side applications should vet all user-supplied directives before establishing connections.
> A related MySQL problem is described by [1].
> [1] https://github.com/apache/security-site/compare/main...raboof:security-site:mysql
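The vetting the issue asks for, as an added example that is not part of the Jira issue or of Derby's own code: a hypothetical privileged client-side application fixes the host, port and database name itself, extracts whatever attributes arrived in a user-supplied URL or `Properties` object, rejects the Derby network client's tracing attributes (`traceFile`, `traceDirectory`, `traceFileAppend`, `traceLevel`, which direct trace output to the client's file system), and forwards only an allow-list of attributes (assumed here to be `user` and `password`) to `DriverManager`. Class and method names, the allow-list and the sample inputs are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/** Hypothetical helper: vets user-supplied Derby connection directives before use. */
public final class ConnectionDirectiveVetter {

    private static final String CLIENT_URL_PREFIX = "jdbc:derby://";

    /** Derby network client attributes that cause trace output to be written to disk. */
    private static final Set<String> TRACE_ATTRIBUTES =
        Set.of("tracefile", "tracedirectory", "tracefileappend", "tracelevel");

    /** Attributes this application is willing to accept from a user (assumption). */
    private static final Set<String> ALLOWED_ATTRIBUTES = Set.of("user", "password");

    private ConnectionDirectiveVetter() {}

    /**
     * Returns the ;attr=value pairs of a client URL such as
     * jdbc:derby://host:1527/db;user=x;traceFile=/tmp/t.log in their original order.
     * The host/port/database segment is ignored: the application supplies its own.
     */
    static Map<String, String> attributesOf(String url) {
        if (url == null || !url.startsWith(CLIENT_URL_PREFIX)) {
            throw new IllegalArgumentException("not a Derby network client URL");
        }
        Map<String, String> attrs = new LinkedHashMap<>();
        String[] parts = url.split(";");
        for (int i = 1; i < parts.length; i++) {
            int eq = parts[i].indexOf('=');
            if (eq <= 0) {
                throw new IllegalArgumentException("malformed attribute: " + parts[i]);
            }
            attrs.put(parts[i].substring(0, eq).trim(), parts[i].substring(eq + 1));
        }
        return attrs;
    }

    /**
     * Allow-list check. Tracing attributes are reported explicitly; anything else
     * outside the allow-list is rejected too, so a new attribute cannot slip through.
     * Matching is case-insensitive so that spelling variants are also caught.
     */
    static Properties vet(Map<String, String> userAttributes) {
        Properties safe = new Properties();
        for (Map.Entry<String, String> e : userAttributes.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            if (TRACE_ATTRIBUTES.contains(name)) {
                throw new IllegalArgumentException(
                    "user-supplied tracing directive rejected: " + e.getKey());
            }
            if (!ALLOWED_ATTRIBUTES.contains(name)) {
                throw new IllegalArgumentException(
                    "attribute not permitted from user input: " + e.getKey());
            }
            safe.setProperty(e.getKey(), e.getValue());   // keep the caller's spelling
        }
        return safe;
    }

    /**
     * Builds the URL from application-controlled values and connects with only the
     * vetted attributes. Both channels a user could use (URL and Properties) are merged
     * and vetted, because the Derby client honours attributes from either source.
     */
    static Connection connect(String host, int port, String database,
                              String userUrl, Properties userProps) throws SQLException {
        Map<String, String> merged = new LinkedHashMap<>(attributesOf(userUrl));
        for (String name : userProps.stringPropertyNames()) {
            merged.put(name, userProps.getProperty(name));
        }
        Properties vetted = vet(merged);
        String url = CLIENT_URL_PREFIX + host + ":" + port + "/" + database;
        return DriverManager.getConnection(url, vetted);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example; not taken from any deployment.
        String benign = "jdbc:derby://localhost:1527/sample;user=app;password=secret";
        String tracing = "jdbc:derby://localhost:1527/sample;user=app;traceFile=<PLACEHOLDER_PATH>";

        System.out.println("accepted attributes: " + vet(attributesOf(benign)));
        try {
            vet(attributesOf(tracing));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The allow-list is the important design choice: a deny-list of the four tracing attributes would protect against the specific problem in this issue, but any attribute a future client release adds would pass through unvetted, whereas an allow-list fails closed. The same routine should be applied to the `Properties` argument of `DriverManager.getConnection`, not only to the URL, since the client reads attributes from both.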



--
This message was sent by Atlassian Jira
(v8.20.10#820010)