You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-dev@db.apache.org by "A B (JIRA)" <ji...@apache.org> on 2006/11/30 00:11:22 UTC

[jira] Updated: (DERBY-2131) External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.

     [ http://issues.apache.org/jira/browse/DERBY-2131?page=all ]

A B updated DERBY-2131:
-----------------------

    Attachment: d2131_v1.patch

Attaching a patch, d2131_v1.patch, that wraps the call to JAXP inside a priveleged block.  I ran tests with some local (soon-to-be-posted) changes for DERBY-1758 to confirm that the patch solves the reported problem (i.e. that assignment of "read" permission to the JAXP parser allows successful execution of XMLPARSE).  I also ran derbyall on Red Hat Linux using ibm142 with no failures.  The "XMLSuite" JUnit suite also ran without error.

The patch doesn't include any tests; however, relevant test cases will be enabled as part of DERBY-1758 to verify the behavior.

I am very new to the notion of security managers and privileged blocks, so while this is a small patch, I would appreciate it if someone could review it to make sure that the changes make sense...

> External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2131
>                 URL: http://issues.apache.org/jira/browse/DERBY-2131
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.2.1.6, 10.3.0.0, 10.2.2.0, 10.2.1.8
>            Reporter: A B
>         Assigned To: A B
>         Attachments: d2131_v1.patch
>
>
> The Derby XMLPARSE operator ultimately makes a call to an external JAXP parser (ex. Xerces or Crimson) to parse an XML value.  If the XML value that is being parsed references an external DTD, then the JAXP parser will need to read the DTD file to complete parsing.  However, the current code in SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP parser.  As a result, when a user who is running with a security manager tries to insert a document that references an external DTD, the call to XMLPARSE will fail with a security exception--even if the JAXP parser has the required "read" permissions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira