[ http://issues.apache.org/jira/browse/DERBY-2131?page=all ]
A B closed DERBY-2131.
----------------------

No further issues/comments after the changes were committed, so marking this as closed.

> External DTD files are accessed without a privileged block when Derby parses
> XML values that reference such DTDs.
> -----------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-2131
> URL: http://issues.apache.org/jira/browse/DERBY-2131
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.2.1.6, 10.2.1.8, 10.2.2.0, 10.3.0.0
> Reporter: A B
> Assigned To: A B
> Fix For: 10.3.0.0, 10.2.2.0
>
> Attachments: d2131_10_2.patch, d2131_rewrite_v1.patch, d2131_rewrite_v2.patch, d2131_v1.patch
>
>
> The Derby XMLPARSE operator ultimately makes a call to an external JAXP
> parser (ex. Xerces or Crimson) to parse an XML value. If the XML value that
> is being parsed references an external DTD, then the JAXP parser will need to
> read the DTD file to complete parsing. However, the current code in
> SqlXmlUtil.java does not use a privileged block when it calls out to the JAXP
> parser. As a result, when a user who is running with a security manager
> tries to insert a document that references an external DTD, the call to
> XMLPARSE will fail with a security exception--even if the JAXP parser has the
> required "read" permissions.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
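The mechanism behind the report, as an added example that is not Derby's SqlXmlUtil code: a JAXP parse of a document with an external DTD, once on the caller's stack and once inside an AccessController.doPrivileged block. The class name, the sample document and the temp-dir DTD are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class PrivilegedXmlParse {
    // Constructed sample: the document references an external DTD by a relative system id,
    // so the JAXP parser has to open "note.dtd" from disk to finish parsing.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n<!DOCTYPE note SYSTEM \"note.dtd\">\n<note><body>hi</body></note>\n";
    static InputSource source(String xml, String baseUri) {
        InputSource src = new InputSource(new StringReader(xml));
        src.setSystemId(baseUri); // "note.dtd" resolves relative to this URI
        return src;
    }
    // Before: the DTD read happens on the caller's stack, so under a security manager the
    // SQL caller needs FilePermission for note.dtd even when the parser's code base has it.
    static Document parseUnprivileged(DocumentBuilder b, String xml, String baseUri)
            throws IOException, SAXException {
        return b.parse(source(xml, baseUri));
    }
    // After: the permission check stops at this frame, so only this class's code base (and the
    // parser's) must hold the read permission. Everything the parser opens while resolving the
    // DTD now runs with those permissions, so keep the privileged region to the parse call alone.
    static Document parsePrivileged(DocumentBuilder b, String xml, String baseUri)
            throws IOException, SAXException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Document>) () -> b.parse(source(xml, baseUri)));
        } catch (PrivilegedActionException pae) {
            Exception cause = pae.getException(); // doPrivileged wraps checked exceptions
            if (cause instanceof IOException) throw (IOException) cause;
            throw (SAXException) cause;
        }
    }
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("dtd-demo");
        Files.write(dir.resolve("note.dtd"), "<!ELEMENT note (body)><!ELEMENT body (#PCDATA)>".getBytes("UTF-8"));
        String baseUri = dir.resolve("doc.xml").toUri().toString();
        DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println("root: " + parsePrivileged(b, SAMPLE_XML, baseUri).getDocumentElement().getTagName());
    }
}
```

Run with a security manager and a policy that grants FilePermission only to the parser's and this class's code base to see parseUnprivileged fail and parsePrivileged succeed.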
