Re: [BUGS] Bug #428: Another security issue with the JDBC driver. - Mailing list pgsql-jdbc
| From | Barry Lind |
|---|---|
| Subject | Re: [BUGS] Bug #428: Another security issue with the JDBC driver. |
| Msg-id | 3B88AC3A.4020604@xythos.com |
| In response to | Re: [BUGS] Bug #428: Another security issue with the JDBC driver. (Bruce Momjian <pgman@candle.pha.pa.us>) |
| Responses | Re: Re: [BUGS] Bug #428: Another security issue with the JDBC driver. |
| List | pgsql-jdbc |
Please pull this patch. It breaks JDBC1 support. The JDBC1 code no longer compiles, due to objects being referenced in this patch that do not exist in JDK1.1.

thanks,
--Barry

[copy] Copying 1 file to /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql
[echo] Configured build for the JDBC1 edition driver

compile:
[javac] Compiling 38 source files to /home/blind/temp/pgsql/src/interfaces/jdbc/build
[javac] /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:33: Interface org.postgresql.PrivilegedExceptionAction of nested class org.postgresql.PG_Stream. PrivilegedSocket not found.
[javac] implements PrivilegedExceptionAction
[javac] ^
[javac] /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:63: Undefined variable or class name: AccessController
[javac] connection = (Socket)AccessController.doPrivileged(ps);
[javac] ^
[javac] /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:65: Class org.postgresql.PrivilegedActionException not found in type declaration.
[javac] catch(PrivilegedActionException pae){
[javac] ^
[javac] 3 errors

BUILD FAILED

Bruce Momjian wrote:
> Patch applied. Thanks.
>
>>I am sorry to keep going back and forth on this, but:
>>
>>The original patch is correct and does the proper thing. I should have
>>tested this before sounding the alarm.
>>
>>AccessController.doPrivileged()
>>
>>Propagates SecurityExceptions without wrapping them in a PrivilegedActionException so it appears that there is not the possibility of a ClassCastException.
>>
>>David Daney.
>>
>>Bruce Momjian wrote:
>>
>>>OK, patch removed from queue.
>>>
>>>>It is now unclear to me that the
>>>>
>>>>catch(PrivilegedActionException pae)
>>>>
>>>>part of the patch is correct. If a SecurityException is thrown in
>>>>Socket() (as might happen if the policy file did not give the proper
>>>>permissions), then it might be converted into a ClassCastException,
>>>>which is probably the wrong thing to do.
>>>>
>>>>Perhaps I should look into this a bit further.
>>>>
>>>>David Daney.
>>>>
>>>>Bruce Momjian wrote:
>>>>
>>>>>Your patch has been added to the PostgreSQL unapplied patches list at:
>>>>>
>>>>> http://candle.pha.pa.us/cgi-bin/pgpatches
>>>>>
>>>>>I will try to apply it within the next 48 hours.
>>>>>
>>>>>>David Daney (David.Daney@avtrex.com) reports a bug with a severity of 3
>>>>>>The lower the number the more severe it is.
>>>>>>
>>>>>>Short Description
>>>>>>Another security issue with the JDBC driver.
>>>>>>
>>>>>>Long Description
>>>>>>The JDBC driver requires
>>>>>>
>>>>>>permission java.net.SocketPermission "host:port", "connect";
>>>>>>
>>>>>>in the policy file of the application using the JDBC driver
>>>>>>in the postgresql.jar file. Since the Socket() call in the
>>>>>>driver is not protected by AccessController.doPrivileged() this
>>>>>>permission must also be granted to the entire application.
>>>>>>
>>>>>>The attached diff fixes it so that the connect permission can be
>>>>>>restricted just to the postgresql.jar codeBase if desired.
>>>>>>
>>>>>>Sample Code
>>>>>>*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001
>>>>>>--- PG_Stream.java Fri Aug 24 09:42:14 2001
>>>>>>***************
>>>>>>*** 5,10 ****
>>>>>>--- 5,11 ----
>>>>>>import java.net.*;
>>>>>>import java.util.*;
>>>>>>import java.sql.*;
>>>>>>+ import java.security.*;
>>>>>>import org.postgresql.*;
>>>>>>import org.postgresql.core.*;
>>>>>>import org.postgresql.util.*;
>>>>>>***************
>>>>>>*** 27,32 ****
>>>>>>--- 28,52 ----
>>>>>> BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
>>>>>> BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
>>>>>>
>>>>>>+ private static class PrivilegedSocket
>>>>>>+ implements PrivilegedExceptionAction
>>>>>>+ {
>>>>>>+ private String host;
>>>>>>+ private int port;
>>>>>>+
>>>>>>+ PrivilegedSocket(String host, int port)
>>>>>>+ {
>>>>>>+ this.host = host;
>>>>>>+ this.port = port;
>>>>>>+ }
>>>>>>+
>>>>>>+ public Object run() throws Exception
>>>>>>+ {
>>>>>>+ return new Socket(host, port);
>>>>>>+ }
>>>>>>+ }
>>>>>>+
>>>>>>+
>>>>>> /**
>>>>>> * Constructor: Connect to the PostgreSQL back end and return
>>>>>> * a stream connection.
>>>>>>***************
>>>>>>*** 37,43 ****
>>>>>> */
>>>>>> public PG_Stream(String host, int port) throws IOException
>>>>>> {
>>>>>>! connection = new Socket(host, port);
>>>>>>
>>>>>> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed
>>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>>>>>>--- 57,69 ----
>>>>>> */
>>>>>> public PG_Stream(String host, int port) throws IOException
>>>>>> {
>>>>>>! PrivilegedSocket ps = new PrivilegedSocket(host, port);
>>>>>>! try {
>>>>>>! connection = (Socket)AccessController.doPrivileged(ps);
>>>>>>! }
>>>>>>! catch(PrivilegedActionException pae){
>>>>>>! throw (IOException)pae.getException();
>>>>>>! }
>>>>>>
>>>>>> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed
>>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>>>>>>
>>>>>>
>>>>>>No file was uploaded with this report
>>>>>>
>>>>>>---------------------------(end of broadcast)---------------------------
>>>>>>TIP 5: Have you checked our extensive FAQ?
>>>>>>
>>>>>>http://www.postgresql.org/users-lounge/docs/faq.html
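Review bot: the `+ import java.security.*;` line in the first hunk (lines 5,10 / 5,11) pulls in AccessController, PrivilegedExceptionAction and PrivilegedActionException, which exist only from Java 2 (JDK 1.2) onward, so this hunk cannot compile under the JDK 1.1 (JDBC1) build; the three javac errors in the build log above are exactly those three names. If JDBC1 support is to be kept, the privileged socket path needs to be confined to the JDBC2 sources rather than imported unconditionally into the shared PG_Stream.java.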
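Review bot: in the PrivilegedSocket hunk (lines 27,32 / 28,52), `run()` is declared `throws Exception`, wider than the `IOException` that `new Socket(host, port)` can actually throw as a checked exception; declaring it `throws IOException` documents that and makes the `(IOException)pae.getException()` cast in the constructor hunk provably safe. Keeping the class static with only host and port as state is good, since it keeps the privileged scope to the single Socket constructor call.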
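Review bot: in the constructor hunk (lines 37,43 / 57,69), `catch(PrivilegedActionException pae)` only ever sees checked exceptions from `run()`; a SecurityException raised because the policy does not grant the connect permission is unchecked, is not wrapped by doPrivileged(), and propagates unchanged, as David's follow-up in the thread confirms, so it cannot become a ClassCastException here. The `throw (IOException)pae.getException();` cast is still only safe because Socket's constructor declares nothing but IOException; a comment stating that, or narrowing run()'s throws clause, would keep a later change to run() from silently breaking the cast.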
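For the policy question behind this report, an added example (not the driver's code) of the same privileged-socket pattern written with generics and a narrowed throws clause, beside the policy grant scoped to the jar's codeBase instead of the whole application; the class name `PrivilegedSocketOpener`, the host, port and jar path are assumptions. The SecurityManager and policy-file machinery it relies on is deprecated for removal since Java 17, so this applies to the Java of the era and to deployments still running with a security manager.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/*
 * Policy file (constructed illustration, not from the report). Before the
 * fix, every code source in the application had to be granted the permission:
 *
 *   grant {
 *       permission java.net.SocketPermission "dbhost:5432", "connect";
 *   };
 *
 * With the Socket opened inside doPrivileged(), only the driver jar needs it:
 *
 *   grant codeBase "file:/opt/app/lib/postgresql.jar" {
 *       permission java.net.SocketPermission "dbhost:5432", "connect";
 *   };
 */
public final class PrivilegedSocketOpener {

    private PrivilegedSocketOpener() {}

    /** Opens a socket with the driver's own permissions, nothing more. */
    public static Socket open(final String host, final int port) throws IOException {
        // The privileged scope is the single constructor call; run() is
        // declared "throws IOException", the only checked exception Socket
        // can raise, so nothing else can end up wrapped in the catch below.
        PrivilegedExceptionAction<Socket> action = new PrivilegedExceptionAction<Socket>() {
            public Socket run() throws IOException {
                return new Socket(host, port);
            }
        };
        try {
            return AccessController.doPrivileged(action);
        } catch (PrivilegedActionException pae) {
            // getException() is typed as Exception, but run()'s throws clause
            // guarantees an IOException, so this cast cannot fail.
            // A SecurityException (policy denied "connect") is unchecked, is
            // NOT wrapped by doPrivileged(), and reaches the caller unchanged.
            throw (IOException) pae.getException();
        }
    }
}
```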