[ https://issues.apache.org/jira/browse/DERBY-2925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-2925:
---------------------------------

    Attachment: derby-2925-07-aa-fileUrl.diff

Attaching derby-2925-07-aa-fileUrl.diff. This patch prevents users from 
subverting the file existence check by phrasing the filename as a URL. The 
tests passed cleanly for me.

The export procedure uses the user-supplied export file name twice:

1) To check whether the file exists

2) To open the file so that export can dump a table into the file

For the second use, Derby checks to see whether the user-supplied name is 
actually a URL rather than a plain file name. If the user-supplied name is a 
URL, Derby transforms it into a plain file name. This transformation is not 
performed when checking for the file's existence. As a result, it is still 
possible to use export to overwrite an existing file by prefixing the file name 
with the string "file:". This will be an illegal file name for the purposes of 
(1) and therefore not abort the export before step (2).

This patch simply performs the same transformation in steps (1) and (2).

Touches the following files:

------------

M      java/engine/org/apache/derby/iapi/services/io/FileUtil.java
M      java/engine/org/apache/derby/impl/load/Export.java
M      java/engine/org/apache/derby/impl/load/ExportWriteData.java

Factor out the file name transformation into FileUtil so that it can be used by 
both steps (1) and (2).

------------

M      java/engine/org/apache/derby/impl/io/CPFile.java

Removed an unneeded import.

------------

M      java/testing/org/apache/derbyTesting/functionTests/tests/tools/ImportExportBinaryDataTest.java

Added a test case for this scenario.


> Prevent export from overwriting existing files
> ----------------------------------------------
>
>                 Key: DERBY-2925
>                 URL: https://issues.apache.org/jira/browse/DERBY-2925
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Tools
>    Affects Versions: 10.1.2.1, 10.2.2.0, 10.3.1.4, 10.4.1.3
>            Reporter: Kathey Marsden
>            Assignee: Ramin Moazeni
>             Fix For: 10.3.1.4, 10.4.1.3
>
>         Attachments: derby-2925-07-aa-fileUrl.diff, DERBY-2925v0.diff, 
> DERBY-2925v0.stat, DERBY-2925v1.diff, DERBY-2925v1.stat, DERBY-2925v2.diff, 
> DERBY-2925v2.stat, DERBY-2925v3.diff, DERBY-2925v3.stat, DERBY-2925v4.diff, 
> DERBY-2925v4.stat, DERBY-2925v5.diff, DERBY-2925v5.stat, DERBY-2925v6.diff, 
> DERBY-2925v6.stat, releaseNote.html, releaseNotev0.html
>
>
> Export should not overwrite existing files, but rather insist that the user 
> remove them before writing to the file.  This will help prevent accidental or 
> intentional corruption of the database with export.  This may introduce a 
> compatibility issue with export but because export is usually an attended 
> utility and not typically invoked as part of an application, I think the risk 
> is worth the additional security this will provide.
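
The check/open mismatch described in this message, as an added Java example that is not part of the original e-mail and is not Derby's code: the existence check sees the raw string while the open sees the transformed name. The names toPlainFileName, existsRaw and existsNormalized are hypothetical, and the temporary file is constructed sample input.

```java
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;

public class ExportTargetCheck {

    // Hypothetical helper (not Derby's FileUtil code): map a "file:" URL to a
    // plain file name; any other input is returned unchanged.
    static String toPlainFileName(String name) {
        if (!name.startsWith("file:")) {
            return name;
        }
        try {
            return new URL(name).getFile();
        } catch (MalformedURLException e) {
            return name; // not a usable URL, treat it as a plain name
        }
    }

    // Step (1) as described before the patch: test the raw user-supplied string.
    static boolean existsRaw(String name) {
        return new File(name).exists();
    }

    // Step (1) with the patch's approach: test the same name that step (2) opens.
    static boolean existsNormalized(String name) {
        return new File(toPlainFileName(name)).exists();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an existing file that export must not overwrite.
        File existing = File.createTempFile("export-target", ".dat");
        existing.deleteOnExit();
        Files.write(existing.toPath(), "keep me".getBytes());

        String plain = existing.getAbsolutePath();
        String asUrl = "file:" + plain; // same file, phrased as a URL

        System.out.println("plain name, raw check:        " + existsRaw(plain));
        System.out.println("file: name, raw check:        " + existsRaw(asUrl));
        System.out.println("file: name, normalized check: " + existsNormalized(asUrl));
        System.out.println("name opened in step (2):      " + toPlainFileName(asUrl));
    }
}
```

An export guard is only sound when the normalized check reports the file as existing for both spellings of the name, since that is the name step (2) will open.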
