Re: Oracle 9i DB Security Hole
In article <3CC00A28.A05CFBBD_at_ca.ibm.com>, you said (and I quote):
> If Oracle's compiler logic is anywhere close to how DB2's works I can very
> well understand how such a bug occurs and reaches production.
how about worse? ;-)
> It is not
> obvious that adding a new SQL operator in a parse tree (or Query Graph Model
> in the DB2 case) can impact authorization checking for base objects.
IIRC how these things were done (back in the days when I had access to source code of db s/w...), the parse is independent of the access check. One cannot access-check something that hasn't yet been recognized as "accessible". It used to be done at p-code generation. I.e., the step where the parsed command is translated into a series of p-code commands that then are checked for validity/security/whatever. Then the whole lot is sent to the optimizer. Then and only then does it run. Of course, this was more than a decade ago. So take it with a grain of salt: wouldn't surprise me if someone just came up with an "optimization" that allows this sort of rubbish to creep in.
>
> I'd be the last to throw a stone on that one. Sooner or later it may be IBM's
> or (count my blessings) even my turn.
>
> Nonetheless Oracle would be wise to retire their "Unbreakable" marketing
> campaign.
You are absolutely right. Never liked it myself. It's the typical arrogant marketing statement that gets a company in hot water and destroys reputations.
> Mortality is just too obvious now and the competition will likely and happily
> point that out in case they forget about it ever again :-)
You bet!
--
Cheers
Nuno Souto
nsouto_at_optushome.com.au.nospam

Received on Fri Apr 19 2002 - 09:23:04 CDT
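An added illustration, not part of the original posts and not Oracle or DB2 code: a toy pipeline for the point made in the quoted text and the reply. A privilege check that walks the parse tree operator by operator misses tables under a new operator, while a check run over the generated p-code sees every base-object open. All names here (`Op`, `NEWJOIN`, `lower`, the `OPEN` instruction) are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Table:                      # base object named in the query
    name: str

@dataclass
class Op:                         # SQL operator node in the parse tree
    kind: str
    children: list

KNOWN_OPS = {"SELECT", "JOIN"}    # operators the tree-walking check knows

def tables_seen_by_tree_check(node):
    """Check tied to the parse tree: descends only into known operators."""
    if isinstance(node, Table):
        return {node.name}
    if node.kind not in KNOWN_OPS:            # new operator: silently skipped
        return set()
    return set().union(*map(tables_seen_by_tree_check, node.children))

def lower(node):
    """Flatten the tree to p-code; every base-object read becomes an OPEN."""
    if isinstance(node, Table):
        return [("OPEN", node.name)]
    code = [ins for child in node.children for ins in lower(child)]
    return code + [(node.kind, len(node.children))]

def authorize(tables, grants):
    denied = sorted(set(tables) - set(grants))
    if denied:
        raise PermissionError("no privilege on " + ", ".join(denied))

def check_tree(tree, grants):
    authorize(tables_seen_by_tree_check(tree), grants)

def check_pcode(tree, grants):
    code = lower(tree)
    authorize({arg for op, arg in code if op == "OPEN"}, grants)
    return code                               # only authorized code goes on

if __name__ == "__main__":
    grants = {"emp"}                          # constructed sample privileges
    tree = Op("SELECT", [Op("NEWJOIN", [Table("emp"), Table("salaries")])])
    check_tree(tree, grants)                  # passes: salaries never examined
    try:
        check_pcode(tree, grants)
    except PermissionError as exc:
        print("p-code check:", exc)
```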