[jira] Updated: (DERBY-4292) creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not wrapped in privilege block which can cause problems running under SecurityManager

Thu, 09 Jul 2009 03:55:43 -0700 

     [ 
https://issues.apache.org/jira/browse/DERBY-4292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tiago R. Espinha updated DERBY-4292:
------------------------------------

    Attachment: DERBY-4292-ReproTest.patch

I'm attaching the latest patch to this issue.

Kathey said:
> "...and add a test if the file does not exist..."
Is this really necessary? If the file does not exist in the Derby code tree, 
the SupportFilesSetup will blow up on its own, and if it does exist there, then 
it is safe to say that it will exist in the extinout folder.

If anything, I think we can later on change that ij behavior and make it throw 
an exception rather than an error message, so that the test fails when the file 
does not exist.

What I'm thinking is that by putting such check on a test, we sort of are 
masking the problem with ij exiting with status 0 even when the file does not 
exist. If you think we should have that check anyway, I can easily do it with a 
new File().exists().

For this patch (just the Repro test) I removed the SecurityManager decorator 
and added the header to the sql file. The fix remains the same.

I'll be running regressions today.

> creation of FileInputStream in org.apache.derby.impl.tools.ij.Main not 
> wrapped in privilege  block which can cause problems running under 
> SecurityManager
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-4292
>                 URL: https://issues.apache.org/jira/browse/DERBY-4292
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.1.3.1, 10.2.2.0, 10.3.2.1, 10.4.2.0, 10.5.1.1, 
> 10.6.0.0
>            Reporter: Kathey Marsden
>            Assignee: Tiago R. Espinha
>         Attachments: DERBY-4292-Fix.patch, DERBY-4292-Fix.patch, 
> DERBY-4292-Fix.patch, DERBY-4292-ReproTest.patch, DERBY-4292-ReproTest.patch, 
> DERBY-4292-ReproTest.patch, derby4292.zip, derby4292.zip, run.out.debugall
>
>
> org.apache.derby.impl.tools.ij.Main has this code where the call to 
> FileInputStream is not wrapped in a privilege block:
>                    try {
>                         in1 = new FileInputStream(file);
>                         if (in1 != null) {
>                             in1 = new BufferedInputStream(in1, 
> utilMain.BUFFEREDFILESIZE);
>                             in = langUtil.getNewInput(in1);
>                         }
>                     } catch (FileNotFoundException e) {
>                         if (Boolean.getBoolean("ij.searchClassPath")) {
>                             in = 
> langUtil.getNewInput(util.getResourceAsStream(file));
>                         }
> This can cause issues when running under SecurityManager

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to