[Opensource] Possible security problem - DBObject.find() returning bogus information

Mike Traum mtraum at cirnetwork.org
Fri Dec 6 10:56:07 PST 2002


I just wanted to make sure that this issue didn't go unnoticed. I had an
issue which may have been due to this - a user was accessing data that he
was not supposed to have access to. I suspect it was coming out of the cache
incorrectly due to the problem below.

mike

-----Original Message-----
From: Mike Traum [mailto:mtraum at cirnetwork.org]
Sent: Tuesday, December 03, 2002 4:44 PM
To: 'opensource at jcorporate.com'
Subject: RE: [Opensource] DBObject.find() returning bogus information.


I'm just now getting this too - with 5.0.1. It's happening to me when I do a
find() on a table with no keys. 

It appears to be a caching issue. At line 5455 of DBObject
(retrieveFromCache()), getKey() returns "" for my table, but a cachedObject
is still returned. That doesn't seem right, although I haven't delved deeply
into the caching mechanism...

mike

-----Original Message-----
From: opensource-admin at jcorporate.com
[mailto:opensource-admin at jcorporate.com]On Behalf Of Michael Rimov
Sent: Monday, November 11, 2002 10:17 PM
To: opensource at jcorporate.com
Subject: Re: [Opensource] DBObject.find() returning bogus information.


At 08:43 PM 11/11/2002 -0300, you wrote:
>I have been facing some strange errors using expresso 5.0 on linux with 
>j2sdk 1.4.1, both with MySQL and PostgreSQL
>
>I have a DBObject with a unique field named "code", I do a 
>setField("code",code); then a find(), which returns true, but refers to the 
>wrong instance of the DBObject in question (which has a different "code").
>
>Has anybody seen this error?

Marcelo,

Give 5.0.1 a try.  I fixed a couple of bugs related to retrieve(), etc. that 
may have a side impact on find.

If that doesn't do it, the other way you can deal with it is turn on 
debugging for the sql statements getting executed against the 
database.  You'll find a comment about it in the expressoLogging.xml 
file.  That way you can actually see if there's something amiss in the SQL 
getting executed to the database.  Then let us know what seems to be the 
result of your findings and we'll see if we can track it down.

HTH!
                                         -Mike


_______________________________________________
Opensource mailing list
Opensource at jcorporate.com
http://mail.jcorporate.com/mailman/listinfo/opensource
Archives: http://mail.jcorporate.com/pipermail/opensource/
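As an added illustration of the cache behaviour discussed in this thread (example code written for this archive note, not Expresso's own DBObject implementation; Row, cacheKey, queryDb and the two find methods are hypothetical stand-ins, and the table contents are constructed): when getKey() yields "" for a table with no key fields, every row of that table shares one cache slot, so a second user's find() is answered with the first user's cached row; treating an empty key as uncacheable removes the leak.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class EmptyKeyCacheDemo {
    /** Constructed stand-in for a table row: a unique "code" and the user who owns it. */
    static final class Row {
        final String code, owner;
        Row(String code, String owner) { this.code = code; this.owner = owner; }
    }
    /** Stand-in for getKey(): built from the table's key fields, so "" when it has none. */
    static String cacheKey(String code, boolean tableHasKeyFields) {
        return tableHasKeyFields ? code : "";
    }
    /** Simulated SQL lookup by the "code" field; null when no row matches. */
    static Row queryDb(List<Row> table, String code) {
        for (Row r : table) if (r.code.equals(code)) return r;
        return null;
    }
    /** Original behaviour: "" is accepted as a cache slot, shared by every row of the table. */
    static Row findLenient(Map<String, Row> cache, List<Row> table, String code, boolean hasKeys) {
        String k = cacheKey(code, hasKeys);
        Row hit = cache.get(k);
        if (hit != null) return hit;
        Row fresh = queryDb(table, code);
        if (fresh != null) cache.put(k, fresh);
        return fresh;
    }
    /** Hardened: an empty key identifies nothing, so neither read nor write the cache with it. */
    static Row findStrict(Map<String, Row> cache, List<Row> table, String code, boolean hasKeys) {
        String k = cacheKey(code, hasKeys);
        if (k.isEmpty()) return queryDb(table, code);
        Row hit = cache.get(k);
        if (hit != null) return hit;
        Row fresh = queryDb(table, code);
        if (fresh != null) cache.put(k, fresh);
        return fresh;
    }
    public static void main(String[] args) {
        // Constructed keyless table: two rows owned by two different users.
        List<Row> table = List.of(new Row("A-1", "alice"), new Row("B-2", "bob"));
        Map<String, Row> cache = new HashMap<>();
        findLenient(cache, table, "A-1", false);
        System.out.println("lenient find(B-2) owner: " + findLenient(cache, table, "B-2", false).owner);
        cache.clear();
        findStrict(cache, table, "A-1", false);
        System.out.println("strict  find(B-2) owner: " + findStrict(cache, table, "B-2", false).owner);
    }
}
```

The lenient path serves the row cached under "" regardless of which code was requested, which is the cross-user data exposure Mike describes; the strict path always goes to the database when no real key exists.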