Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/09/19 21:16:33 UTC

[jira] [Updated] (DERBY-6654) Require that generated code live in the org.apache.derby.exe package.

     [ https://issues.apache.org/jira/browse/DERBY-6654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-6654:
---------------------------------
    Attachment: derby-6654-01-aa-requireCorrectPackage.diff

Attaching derby-6654-01-aa-requireCorrectPackage.diff. This patch adds a check to the class loader for generated byte code to verify that the class lives in the org.apache.derby.exe package. I will run tests.

Touches the following files:

------------

M       java/engine/org/apache/derby/impl/services/reflect/ReflectClassesJava2.java

Added the check.

------------

M       java/testing/org/apache/derbyTesting/functionTests/tests/lang/_Suite.java
A       java/testing/org/apache/derbyTesting/functionTests/tests/lang/ClassLoadingTest.java

Test for this behavior.


> Require that generated code live in the org.apache.derby.exe package.
> ---------------------------------------------------------------------
>
>                 Key: DERBY-6654
>                 URL: https://issues.apache.org/jira/browse/DERBY-6654
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>            Assignee: Rick Hillegas
>         Attachments: derby-6654-01-aa-requireCorrectPackage.diff
>
>
> We require that generated code must implement Activation. This helps prevent applications from using Derby's class loaders to load arbitrary classes. We should also require that generated code live in the org.apache.derby.exe package. This will prevent applications from loading highly privileged code using Derby class loaders.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
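
An added sketch of the two checks the issue describes, not Derby's ReflectClassesJava2 code and not part of the original message: a class loader that only defines bytecode named directly in org.apache.derby.exe and only returns it if it implements a required interface. The loader class, the stand-in `Activation` interface, the hand-built class files and the class names are all constructed for illustration.

```java
import java.io.*;
// Added illustration, not Derby's code. Activation below is a stand-in interface.
public class GeneratedCodeLoaderDemo {
    public interface Activation {}
    static final String REQUIRED_PACKAGE = "org.apache.derby.exe.";

    static class GeneratedLoader extends ClassLoader {
        GeneratedLoader() { super(GeneratedCodeLoaderDemo.class.getClassLoader()); }
        Class<?> loadGenerated(String name, byte[] code) {
            // Reject on the requested name (exact package, no subpackages) before defineClass().
            if (!name.startsWith(REQUIRED_PACKAGE)
                    || name.indexOf('.', REQUIRED_PACKAGE.length()) >= 0)
                throw new SecurityException("outside generated-code package: " + name);
            // defineClass() throws NoClassDefFoundError when the bytes declare a different
            // name, so an approved name cannot be paired with another class's bytecode.
            Class<?> c = defineClass(name, code, 0, code.length);
            if (!Activation.class.isAssignableFrom(c))
                throw new SecurityException("does not implement Activation: " + name);
            return c;
        }
    }

    // Constructed sample input: a minimal class file with no fields or methods.
    static byte[] classFile(String name, boolean implementsActivation) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(0xCAFEBABE); out.writeShort(0); out.writeShort(52); // magic, minor, major
        out.writeShort(7);                                   // constant pool holds entries 1..6
        String[] names = { name, "java.lang.Object", Activation.class.getName() };
        for (int i = 0; i < names.length; i++) {
            out.writeByte(1); out.writeUTF(names[i].replace('.', '/')); // CONSTANT_Utf8 at 2i+1
            out.writeByte(7); out.writeShort(2 * i + 1);                // CONSTANT_Class at 2i+2
        }
        out.writeShort(0x0021); out.writeShort(2); out.writeShort(4);   // public|super, this, super
        out.writeShort(implementsActivation ? 1 : 0);                   // interfaces_count
        if (implementsActivation) out.writeShort(6);                    // index of Activation
        out.writeShort(0); out.writeShort(0); out.writeShort(0);        // fields, methods, attributes
        return buf.toByteArray();
    }

    static String attempt(String name, boolean impl) throws IOException {
        try { return "loaded " + new GeneratedLoader().loadGenerated(name, classFile(name, impl)).getName(); }
        catch (SecurityException e) { return "rejected: " + e.getMessage(); }
    }
    public static void main(String[] args) throws IOException {
        System.out.println(attempt("org.apache.derby.exe.ac1", true));   // constructed names
        System.out.println(attempt("org.apache.derby.exe.ac2", false));
        System.out.println(attempt("com.example.Payload", true));
    }
}
```

In this sketch the interface check runs after `defineClass()`, so a class that fails it has been defined in that loader but is never returned to the caller or initialized.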