Richard N. Hillegas created DERBY-7161:
------------------------------------------
Summary: Document the need for client-side applications to vet user-supplied connection directives
Key: DERBY-7161
URL: https://issues.apache.org/jira/browse/DERBY-7161
Project: Derby
Issue Type: Task
Components: Network Client
Affects Versions: 10.18.0.0
Reporter: Richard N. Hillegas
Somewhere, we should document the fact that client-side applications should not
use user-supplied URLs or Properties objects to connect to remote databases.
Those URLs and Properties objects may contain instructions for tracing network
traffic. If the client-side application runs from a more privileged account
than the user, then this could let the user pollute parts of the directory
system to which the user does not normally have write access. Client-side
applications should vet all user-supplied directives before establishing
connections.
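One way a client-side application can do that vetting, as an added illustration that is not part of Derby or of this issue: accept only an allowlist of attributes from the user and require the URL to name the server the application already trusts, so that tracing directives (or any other unrecognised attribute) never reach DriverManager. The class name, the allowlist policy (only `user` and `password`), the expected host/port, and the sample URLs are assumptions constructed for the example; 1527 is the Derby Network Server's default port.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Vets user-supplied Derby client connection directives before they reach
 * DriverManager. Illustrative code; the policy below is an assumption.
 */
public final class ConnectionDirectiveVetter {

    /** Attributes a user may supply (assumed application policy). Everything else is rejected. */
    private static final Set<String> ALLOWED_ATTRIBUTES = Set.of("user", "password");

    /** Derby client URL head without attributes: jdbc:derby://host[:port]/database */
    private static final Pattern URL_HEAD = Pattern.compile(
        "^jdbc:derby://([A-Za-z0-9.\\-]+)(?::(\\d{1,5}))?/([A-Za-z0-9_./\\-]+)$");

    private final String expectedHost;
    private final int expectedPort;

    public ConnectionDirectiveVetter(String expectedHost, int expectedPort) {
        this.expectedHost = expectedHost;
        this.expectedPort = expectedPort;
    }

    /** A vetted URL plus a vetted Properties object, safe to hand to DriverManager. */
    public static final class Vetted {
        public final String url;
        public final Properties props;
        Vetted(String url, Properties props) { this.url = url; this.props = props; }
    }

    /** Rejects the input unless every attribute is allowlisted and the server is the expected one. */
    public Vetted vet(String userUrl, Properties userProps) {
        // "jdbc:derby://host:1527/db;attr=val;attr2=val2" -> head + ';'-separated attributes
        String[] parts = userUrl.split(";", -1);
        Matcher m = URL_HEAD.matcher(parts[0]);
        if (!m.matches()) {
            throw new IllegalArgumentException("malformed Derby client URL");
        }
        int port = m.group(2) == null ? 1527 : Integer.parseInt(m.group(2));
        if (!expectedHost.equalsIgnoreCase(m.group(1)) || port != expectedPort) {
            throw new IllegalArgumentException("URL does not point at the expected server");
        }

        // Attributes embedded in the URL
        Map<String, String> attrs = new LinkedHashMap<>();
        for (int i = 1; i < parts.length; i++) {
            int eq = parts[i].indexOf('=');
            if (eq <= 0) throw new IllegalArgumentException("malformed attribute: " + parts[i]);
            String name = parts[i].substring(0, eq);
            checkAllowed(name);
            attrs.put(name, parts[i].substring(eq + 1));
        }

        // Attributes supplied through the Properties object
        Properties clean = new Properties();
        if (userProps != null) {
            for (String name : userProps.stringPropertyNames()) {
                checkAllowed(name);
                clean.setProperty(name, userProps.getProperty(name));
            }
        }

        // Rebuild the URL from vetted pieces only
        StringBuilder url = new StringBuilder(parts[0]);
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            url.append(';').append(e.getKey()).append('=').append(e.getValue());
        }
        return new Vetted(url.toString(), clean);
    }

    /** Case-insensitive allowlist check, so spelling variants of a blocked attribute are also rejected. */
    private static void checkAllowed(String attribute) {
        if (!ALLOWED_ATTRIBUTES.contains(attribute.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("attribute not permitted: " + attribute);
        }
    }

    /** Only vetted input ever reaches the driver. */
    public static Connection open(Vetted v) throws SQLException {
        return DriverManager.getConnection(v.url, v.props);
    }

    public static void main(String[] args) {
        ConnectionDirectiveVetter vetter = new ConnectionDirectiveVetter("db.example.internal", 1527);
        // Constructed inputs: the second smuggles a trace directive into the URL.
        String good = "jdbc:derby://db.example.internal:1527/sales;user=app";
        String bad  = "jdbc:derby://db.example.internal:1527/sales;user=app;traceDirectory=/some/privileged/dir";
        System.out.println("accepted: " + vetter.vet(good, null).url);
        try {
            vetter.vet(bad, null);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the important design choice: a denylist of known tracing attributes would have to track every attribute the driver honours, whereas rejecting anything unrecognised fails closed when a new attribute appears.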
A related MySQL problem is described by [1].
[1] https://github.com/apache/security-site/compare/main...raboof:security-site:mysql
--
This message was sent by Atlassian Jira
(v8.20.10#820010)