[https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17834550#comment-17834550]
Bryan Pendleton commented on DERBY-7161:
----------------------------------------
Yes, those seem good.
Perhaps also put links to the information in these places?
* https://db.apache.org/derby/docs/10.17/ref/rrefattrib24612.html
* https://db.apache.org/derby/docs/10.17/devguide/cdevdvlp51654.html
> Document the need for client-side applications to vet user-supplied
> connection directives
> -----------------------------------------------------------------------------------------
>
> Key: DERBY-7161
> URL: https://issues.apache.org/jira/browse/DERBY-7161
> Project: Derby
> Issue Type: Task
> Components: Documentation, Network Client
> Affects Versions: 10.18.0.0
> Reporter: Richard N. Hillegas
> Priority: Major
>
> Somewhere, we should document the fact that client-side applications should
> not use user-supplied URLs or Properties objects to connect to remote
> databases. Those URLs and Properties objects may contain instructions for
> tracing network traffic. If the client-side application runs from a more
> privileged account than the user, then this could let the user pollute parts
> of the directory system to which the user does not normally have
> write-access. Client-side applications should vet all user-supplied
> directives before establishing connections.
> A related MySQL problem is described by [1].
> [1]
> https://github.com/apache/security-site/compare/main...raboof:security-site:mysql
--
This message was sent by Atlassian Jira (v8.20.10#820010)
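An added example (not part of the Jira issue or of Derby's own code) of the vetting the issue asks for: a small Java helper that fails closed on any user-supplied Properties key or URL attribute outside an allowlist, so that Derby network client tracing directives such as traceDirectory never reach the driver. The class name, the allowlist of only user and password, and the expected-database check are assumptions about the calling application.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

/** Fail-closed vetting of user-supplied Derby client connection directives. */
public final class DerbyConnectionVetter {

    // Assumed policy: the application fixes host, port and database itself; the user may
    // influence nothing beyond credentials. Names are lower-cased before comparison.
    private static final Set<String> ALLOWED = Set.of("user", "password");

    // Derby network client tracing attributes: they make the client write files with the
    // application's own privileges, which is the hazard DERBY-7161 describes.
    private static final Set<String> TRACE_ATTRS =
            Set.of("tracefile", "tracedirectory", "tracelevel", "tracefileappend");

    /** Returns a fresh Properties holding only allowlisted keys; throws on anything else. */
    public static Properties vetProperties(Properties userProps) {
        Properties clean = new Properties();
        for (String key : userProps.stringPropertyNames()) {
            String norm = key.trim().toLowerCase(Locale.ROOT);
            if (!ALLOWED.contains(norm)) {
                String why = TRACE_ATTRS.contains(norm) ? "client tracing directive" : "not allowlisted";
                throw new IllegalArgumentException("rejected attribute '" + key + "': " + why);
            }
            clean.setProperty(norm, userProps.getProperty(key));
        }
        return clean;
    }

    /** Accepts jdbc:derby://host:port/db;attr=value;... only for the expected database
     *  and only with allowlisted attributes; the attribute list is vetted like Properties. */
    public static String vetUrl(String userUrl, String expectedBase) {
        String[] parts = userUrl.split(";");
        if (!parts[0].equals(expectedBase)) {
            throw new IllegalArgumentException("URL does not target the expected database");
        }
        Properties attrs = new Properties();
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].split("=", 2);
            attrs.setProperty(kv[0], kv.length > 1 ? kv[1] : "");
        }
        vetProperties(attrs); // throws on any disallowed attribute
        return userUrl;
    }
}
```

The application then calls DriverManager.getConnection with its own configured URL and the Properties returned by vetProperties, never with the user's original objects.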