You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Knut Anders Hatlen (JIRA)" <ji...@apache.org> on 2014/06/23 15:51:25 UTC
[jira] [Updated] (DERBY-6629) Restrict privileged operation in
CreateXMLFile
[ https://issues.apache.org/jira/browse/DERBY-6629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Knut Anders Hatlen updated DERBY-6629:
--------------------------------------
Attachment: d6629-1a.diff
Attaching [^d6629-1a.diff] which fixes the issue by making the createTheXMLFile() take a Writer as argument instead of a file name, so that it doesn't need a privileged block to create a Writer. Instead, the privileged block is now with the caller of createTheXMLFile(), which is a private method in PlanExporter. This prevents unprivileged code from invoking the privileged operation without going through the PlanExporter's public interface.
XplainStatisticsTest actually called this method in order to test certain aspects of the plan exporter. I've now changed the test to use PlanExporter's public interface instead of calling internal methods.
All the regression tests passed with the patch.
> Restrict privileged operation in CreateXMLFile
> ----------------------------------------------
>
> Key: DERBY-6629
> URL: https://issues.apache.org/jira/browse/DERBY-6629
> Project: Derby
> Issue Type: Bug
> Components: Tools
> Affects Versions: 10.10.2.0
> Reporter: Knut Anders Hatlen
> Assignee: Knut Anders Hatlen
> Attachments: d6629-1a.diff
>
>
> The PlanExporter tool has a public method CreateXMLFile.writeTheXMLFile(). This method opens a FileOutputStream in a privileged block. We should change this so that unprivileged code cannot use the method to write files using derbytools.jar's privileges.
--
This message was sent by Atlassian JIRA
(v6.2#6252)