[jira] Updated: (DERBY-2131) External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.

Fri, 01 Dec 2006 09:58:43 -0800 

     [ http://issues.apache.org/jira/browse/DERBY-2131?page=all ]

A B updated DERBY-2131:
-----------------------

    Attachment: d2131_rewrite_v1.patch

Attaching a second patch, d2131_rewrite_v1.patch, that rewrites the privileged 
block (which has already been committed) to account for Dan's suggestions.

Regarding "you probably want to catch the PrivilegedExceptionAction and unwrap 
it. ".  I did some quick looking at other places in the Derby code where 
PrivilegedExceptions are caught and it seems like unwrapping the exception is 
simply a matter of using the result of "PrivilegedException.getException()"--so 
in this case, we throw the result of "getException()" instead of throwing the 
PrivilegedException itself.

If this was too simple of an interpretation (ex. if the unwrapping needs to be 
more extensive or should be selective to i/o errors), please let me know and I 
can try again...

> External DTD files are accessed without a privileged block when Derby parses 
> XML values that reference such DTDs.
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2131
>                 URL: http://issues.apache.org/jira/browse/DERBY-2131
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.2.1.6, 10.3.0.0, 10.2.2.0, 10.2.1.8
>            Reporter: A B
>         Assigned To: A B
>             Fix For: 10.3.0.0
>
>         Attachments: d2131_rewrite_v1.patch, d2131_v1.patch
>
>
> The Derby XMLPARSE operator ultimately makes a call to an external JAXP 
> parser (ex. Xerces or Crimson) to parse an XML value.  If the XML value that 
> is being parsed references an external DTD, then the JAXP parser will need to 
> read the DTD file to complete parsing.  However, the current code in 
> SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP 
> parser.  As a result, when a user who is running with a security manager 
> tries to insert a document that references an external DTD, the call to 
> XMLPARSE will fail with a security exception--even if the JAXP parser has the 
> required "read" permissions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to