[JBoss JIRA] Commented: (TEIID-950) Add ability to control access to environment variables

Friday, 8 October 2010

    [
https://jira.jboss.org/browse/TEIID-950?page=com.atlassian.jira.plugin.sy...
] 

Steven Hawkins commented on TEIID-950:
--------------------------------------

It's been a while since this was looked at...  I would now say there is little general
utility in offering an env function.  The only value that we specifically provide is the
session id.  So I think we could address this by adding a session_id system function and
by adding a config property to enable the env function.  It may even be a good idea to use
a default of false.  If there aren't any objections this could be done in 7.1.1.

...
 Add ability to control access to environment variables
 ------------------------------------------------------

                 Key: TEIID-950
                 URL: https://jira.jboss.org/browse/TEIID-950
             Project: Teiid
          Issue Type: Quality Risk
          Components: Query Engine
         Environment: Found by client on MMx 502, tested and found issue present through
551.
            Reporter: Marc Shirley
             Fix For: 7.2

 SELECT ENV('os.name') || ' ' || ENV('os.version') || ' '
|| ENV('java.home')  returns the details of the server, which from the client
perspective is a security risk.  This information is even visible by a user with no access
to any tables.  Client is looking to have this disabled, or have the ability to disable
it. 
-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009