[
https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17841009#comment-17841009
]
Bryan Pendleton commented on DERBY-7161:
----------------------------------------
Thanks Rick. The doc changes look good to me.
> Document the need for client-side applications to vet user-supplied
> connection directives
> -----------------------------------------------------------------------------------------
>
> Key: DERBY-7161
> URL: https://issues.apache.org/jira/browse/DERBY-7161
> Project: Derby
> Issue Type: Task
> Components: Documentation, Network Client
> Affects Versions: 10.18.0.0
> Reporter: Richard N. Hillegas
> Priority: Major
> Attachments: derby-7161-01-aa-traceFileAttributes.diff,
> derby-7161-01-aa-traceFileAttributes.tar
>
>
> Somewhere, we should document the fact that client-side applications should
> not use user-supplied URLs or Properties objects to connect to remote
> databases. Those URLs and Properties objects may contain instructions for
> tracing network traffic. If the client-side application runs from a more
> privileged account than the user, then this could let the user pollute parts
> of the directory system to which the user does not normally have
> write-access. Client-side applications should vet all user-supplied
> directives before establishing connections.
> A related MySQL problem is described by [1].
> [1]
> https://github.com/apache/security-site/compare/main...raboof:security-site:mysql
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
