-
-
Notifications
You must be signed in to change notification settings - Fork 212
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fixed CORE-5657: Various UDF-related security vulnerabilities
- Loading branch information
1 parent
820a64e
commit b9c1765
Showing
26 changed files
with
454 additions
and
3,326 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
******************************************************************************** | ||
LIST OF KNOWN INCOMPATIBILITIES | ||
between versions 3.0 and 4.0 | ||
******************************************************************************** | ||
|
||
This document describes all the changes that make v4.0 incompatible in any way | ||
as compared with the previous releases and hence could affect your databases and | ||
applications. | ||
|
||
Please read the below descriptions carefully before upgrading your software to | ||
the new Firebird version. | ||
|
||
Deprecating UDF | ||
-------------------------- | ||
|
||
* Initial design of UDF always used to be security problem. The most dangerous | ||
security holes when UDFs and external tables are used simultaneousky were | ||
fixed in FB 1.5. But even after it incorrectly declared (using SQL statement | ||
DECLARE EXTERNAL FUNCTION) UDF can easily cause various security issues like | ||
server crash or execution of arbitrary code. Therefore UDFs are deprecated | ||
in v.4. That means that UDFs can't be used with default configuration | ||
(parameter "UdfAccess" set to "None") and all sample UDF libraries (ib_udf, | ||
fbudf) are not distributed any more. Most of functions in that libraries | ||
were replaced with builtin analogs in previous versions and therefore | ||
already deprecated. A few remaining functions got safe replacement in UDR | ||
library "udf_compat", namely div, frac, dow, sdow, getExactTimestampUTC and | ||
isLeapYear. Users who still wish to use UDFs should set "UdfAccess" to | ||
"Restrict <path-list>". If you never used to modify this parameter before | ||
path-list is just UDF and resulting line in firebird.conf should be: | ||
UdfAccess = Restrict UDF | ||
Recommended long-term solution is replacing of UDF with UDR. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.