You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/08/25 22:16:57 UTC

[jira] [Updated] (DERBY-6648) Application code should not be able to call ContextService.getContextOrNull()

     [ https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-6648:
---------------------------------

    Attachment: derby-6648-01-aa-oneActionList.diff

Attaching derby-6648-01-aa-oneActionList.diff. This is a first rev of a patch for this issue. No tests included.

This patch adds a new action for engine SystemPermissions. In order to get your hands on Derby contexts, you need to grant the engine the following SystemPermission:

  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

I have stumbled across an annoying behavior of SystemPermission. It seems that you can only grant your protection domain one kind of engine permission. You have to put all of your engine actions into one permission. So, in order to use the JMX beans as well, you need to grant this composite permission:

  permission org.apache.derby.security.SystemPermission "engine", "monitor,usederbyinternals";

You can't split that up into two engine permissions. The second engine permission overwrites the first one. This fails:

  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
  permission org.apache.derby.security.SystemPermission "engine", "monitor";



Touches the following files:

M       java/engine/org/apache/derby/iapi/services/context/ContextService.java
M       java/engine/org/apache/derby/iapi/security/SecurityUtil.java
M       java/engine/org/apache/derby/jdbc/EmbeddedDriver.java
M       java/engine/org/apache/derby/security/SystemPermission.java


> Application code should not be able to call ContextService.getContextOrNull()
> -----------------------------------------------------------------------------
>
>                 Key: DERBY-6648
>                 URL: https://issues.apache.org/jira/browse/DERBY-6648
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: derby-6648-01-aa-oneActionList.diff
>
>
> By calling ContextService.getContextOrNull() (and its relatives), application code can get its hands on all sorts of internal Derby contexts, factories, and managers. This allows application code to bypass SQL authorization checks and perform sensitive or data-corrupting actions.
> For instance, right now an application can use this method to get its hands on the language connection context. From the lcc, the application can get its hands on the data dictionary and the execution transaction. Armed with those objects, the application can bypass authorization checks and create schema objects, users, and permissions.
> Only Derby code should be able to call this powerful method.



--
This message was sent by Atlassian JIRA
(v6.2#6252)