[jira] [Updated] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives

2024-03-21 Thread Richard N. Hillegas (Jira)


 [ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard N. Hillegas updated DERBY-7161:
---
Component/s: Documentation

> Document the need for client-side applications to vet user-supplied 
> connection directives
> -
>
> Key: DERBY-7161
> URL: https://issues.apache.org/jira/browse/DERBY-7161
> Project: Derby
>  Issue Type: Task
>  Components: Documentation, Network Client
>Affects Versions: 10.18.0.0
>Reporter: Richard N. Hillegas
>Priority: Major
>
> Somewhere, we should document the fact that client-side applications should 
> not use user-supplied URLs or Properties objects to connect to remote 
> databases. Those URLs and Properties objects may contain instructions for 
> tracing network traffic. If the client-side application runs from a more 
> privileged account than the user, then this could let the user pollute parts 
> of the directory system to which the user does not normally have 
> write-access. Client-side applications should vet all user-supplied 
> directives before establishing connections.
> A related MySQL problem is described by [1].
> [1] 
> https://github.com/apache/security-site/compare/main...raboof:security-site:mysql



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives

2024-03-21 Thread Richard N. Hillegas (Jira)
Richard N. Hillegas created DERBY-7161:
--

 Summary: Document the need for client-side applications to vet 
user-supplied connection directives
 Key: DERBY-7161
 URL: https://issues.apache.org/jira/browse/DERBY-7161
 Project: Derby
  Issue Type: Task
  Components: Network Client
Affects Versions: 10.18.0.0
Reporter: Richard N. Hillegas


Somewhere, we should document the fact that client-side applications should not 
use user-supplied URLs or Properties objects to connect to remote databases. 
Those URLs and Properties objects may contain instructions for tracing network 
traffic. If the client-side application runs from a more privileged account 
than the user, then this could let the user pollute parts of the directory 
system to which the user does not normally have write-access. Client-side 
applications should vet all user-supplied directives before establishing 
connections.

A related MySQL problem is described by [1].

[1] 
https://github.com/apache/security-site/compare/main...raboof:security-site:mysql

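One way a client-side application can apply the vetting the issue asks for, as an added example that is not part of the issue or of Derby's own code: the user supplies only typed parts (host, port, database name) and a map of attributes; the URL is assembled from those parts so no ';attribute=value' suffix can ride along, and the attribute map is checked against an allowlist before anything reaches DriverManager. The class name, the allowlist, the host and database-name patterns, and the Derby client tracing attribute names (traceFile, traceDirectory, traceLevel, traceFileAppend) are assumptions of this example, not values taken from the issue.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;

/** Connects to a Derby network server using only vetted, caller-built directives. */
public final class VettedDerbyConnector {
    // Attribute names a user may supply; anything else is refused (allowlist, not blocklist).
    private static final Set<String> ALLOWED =
        Set.of("user", "password", "create", "ssl", "securitymechanism");
    // Derby client tracing attributes (names assumed here); they make the driver write files.
    private static final Set<String> TRACE =
        Set.of("tracefile", "tracedirectory", "tracelevel", "tracefileappend");
    private static final Pattern HOST = Pattern.compile("[A-Za-z0-9.-]{1,253}");
    private static final Pattern DBNAME = Pattern.compile("[A-Za-z0-9_]{1,64}");

    /** Builds the URL from typed parts so no ';attr=value' suffix can be smuggled in. */
    public static String buildUrl(String host, int port, String dbName) {
        if (!HOST.matcher(host).matches()) throw new IllegalArgumentException("bad host");
        if (port < 1 || port > 65535) throw new IllegalArgumentException("bad port");
        if (!DBNAME.matcher(dbName).matches()) throw new IllegalArgumentException("bad db name");
        return "jdbc:derby://" + host + ":" + port + "/" + dbName;
    }

    /** Copies allowlisted properties only; trace directives and unknown keys are rejected. */
    public static Properties vetProperties(Map<String, String> supplied) {
        Properties safe = new Properties();
        for (Map.Entry<String, String> e : supplied.entrySet()) {
            String key = e.getKey().toLowerCase(Locale.ROOT);
            if (TRACE.contains(key)) {
                throw new IllegalArgumentException("tracing directive refused: " + e.getKey());
            }
            if (!ALLOWED.contains(key)) {
                throw new IllegalArgumentException("unknown attribute refused: " + e.getKey());
            }
            safe.setProperty(e.getKey(), e.getValue());
        }
        return safe;
    }
    /** Only vetted input reaches the driver; a rejected directive never opens a connection. */
    public static Connection connect(String host, int port, String dbName,
                                     Map<String, String> userSupplied) throws SQLException {
        return DriverManager.getConnection(buildUrl(host, port, dbName),
                                           vetProperties(userSupplied));
    }
}
```

The check is deliberately an allowlist: a new tracing or file-writing attribute added to the driver later is refused by default instead of passing through until someone remembers to add it to a blocklist.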