[ http://issues.apache.org/jira/browse/DERBY-2131?page=all ]
A B resolved DERBY-2131.
------------------------
Fix Version/s: 10.2.2.0
Resolution: Fixed
derbyall ran cleanly with 10.2 jars after applying this patch. And the XML
tests in suites.xmlSuite all ran cleanly, as well. So I committed
d2131_10_2.patch with svn 482837.
> External DTD files are accessed without a privileged block when Derby parses
> XML values that reference such DTDs.
> -----------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-2131
> URL: http://issues.apache.org/jira/browse/DERBY-2131
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.2.1.6, 10.2.1.8, 10.2.2.0, 10.3.0.0
> Reporter: A B
> Assigned To: A B
> Fix For: 10.2.2.0, 10.3.0.0
>
> Attachments: d2131_10_2.patch, d2131_rewrite_v1.patch,
> d2131_rewrite_v2.patch, d2131_v1.patch
>
>
> The Derby XMLPARSE operator ultimately makes a call to an external JAXP
> parser (ex. Xerces or Crimson) to parse an XML value. If the XML value that
> is being parsed references an external DTD, then the JAXP parser will need to
> read the DTD file to complete parsing. However, the current code in
> SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP
> parser. As a result, when a user who is running with a security manager
> tries to insert a document that references an external DTD, the call to
> XMLPARSE will fail with a security exception--even if the JAXP parser has the
> required "read" permissions.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
