[jira] Updated: (DERBY-2131) External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.

Tue, 05 Dec 2006 09:08:48 -0800 

     [ http://issues.apache.org/jira/browse/DERBY-2131?page=all ]

A B updated DERBY-2131:
-----------------------

    Attachment: d2131_10_2.patch

Attaching a patch to port this fix back to 10.2.  I ran the old "xmlSuite" on 
10.2 jars with this patch applied and they ran without problem.  I'm running 
derbyall now just to be safe and will commit the patch to 10.2 if all goes well.

d2131_10_2.patch was created as follows:

svn merge -r 481116:481117 https://svn.apache.org/repos/asf/db/derby/code/trunk

svn merge -r 482302:482303 https://svn.apache.org/repos/asf/db/derby/code/truk

svn diff > d2131_10_2.patch



> External DTD files are accessed without a privileged block when Derby parses 
> XML values that reference such DTDs.
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2131
>                 URL: http://issues.apache.org/jira/browse/DERBY-2131
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.2.1.6, 10.3.0.0, 10.2.2.0, 10.2.1.8
>            Reporter: A B
>         Assigned To: A B
>             Fix For: 10.3.0.0
>
>         Attachments: d2131_10_2.patch, d2131_rewrite_v1.patch, 
> d2131_rewrite_v2.patch, d2131_v1.patch
>
>
> The Derby XMLPARSE operator ultimately makes a call to an external JAXP 
> parser (ex. Xerces or Crimson) to parse an XML value.  If the XML value that 
> is being parsed references an external DTD, then the JAXP parser will need to 
> read the DTD file to complete parsing.  However, the current code in 
> SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP 
> parser.  As a result, when a user who is running with a security manager 
> tries to insert a document that references an external DTD, the call to 
> XMLPARSE will fail with a security exception--even if the JAXP parser has the 
> required "read" permissions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to