Security.disableDefaultExclusionList Doesn't Work In ORDS 19.1 (Doc ID 2613220.1)

Last updated on JULY 29, 2020

Applies to:

Oracle REST Data Services - Version 19.1 and later
Information in this document applies to any platform.

Symptoms

In the ORDS 19.1 in case if you want to deal with PLSQL requests. like sys.*
dbms_*
utl_*
owa_*
owa.*
htp.*
htf.*

The database procedures which were blocked in the old version OHS can be processed now in the URL, i.e. utl_*.
This should be blocked by security.disableDefaultExclusionList by default. But even if you tried add the parameter in defaults.xml and set value to "false",

still end users can run utl_* in the URL if they are in not in SYS Schema.

Cause

	To view full details, sign in with your My Oracle Support account.
	Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.

Security.disableDefaultExclusionList Doesn't Work In ORDS 19.1 (Doc ID 2613220.1)

Applies to:

Symptoms

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!