[DERBY-7161] Document the need for client-side applications to vet user-supplied connection directives - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.18.0.0
Fix Version/s: None
Component/s: Documentation, Network Client
Labels:
None

Description

Somewhere, we should document the fact that client-side applications should not use user-supplied URLs or Properties objects to connect to remote databases. Those URLs and Properties objects may contain instructions for tracing network traffic. If the client-side application runs from a more privileged account than the user, then this could let the user pollute parts of the directory system to which the user does not normally have write-access. Client-side applications should vet all user-supplied directives before establishing connections.

A related MySQL problem is described by [1].

[1] https://github.com/apache/security-site/compare/main...raboof:security-site:mysql

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

derby-7161-01-aa-traceFileAttributes.tar
23/Apr/24 23:11
60 kB
Richard N. Hillegas
derby-7161-01-aa-traceFileAttributes.diff
23/Apr/24 23:10
4 kB
Richard N. Hillegas

Activity

People

Assignee:: Unassigned

Reporter:: Richard N. Hillegas

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 21/Mar/24 17:36

Updated:: 26/Apr/24 00:58