Re: Bug #428: Another security issue with the JDBC driver. - Mailing list pgsql-bugs

From Bruce Momjian
Subject Re: Bug #428: Another security issue with the JDBC driver.
Date
Msg-id 200108241910.f7OJAu419957@candle.pha.pa.us
In response to Bug #428: Another security issue with the JDBC driver.  (pgsql-bugs@postgresql.org)
List pgsql-bugs
Your patch has been added to the PostgreSQL unapplied patches list at:

    http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

> David Daney (David.Daney@avtrex.com) reports a bug with a severity of 3
> The lower the number the more severe it is.
>
> Short Description
> Another security issue with the JDBC driver.
>
> Long Description
> The JDBC driver requires
>
>   permission java.net.SocketPermission "host:port", "connect";
>
> in the policy file of the application using the JDBC driver
> in the postgresql.jar file.  Since the Socket() call in the
> driver is not protected by AccessController.doPrivileged() this
> permission must also be granted to the entire application.
>
> The attached diff fixes it so that the connect permission can be
> restricted just to the postgresql.jar codeBase if desired.
>
> Sample Code
> *** PG_Stream.java.orig    Fri Aug 24 09:27:40 2001
> --- PG_Stream.java    Fri Aug 24 09:42:14 2001
> ***************
> *** 5,10 ****
> --- 5,11 ----
>   import java.net.*;
>   import java.util.*;
>   import java.sql.*;
> + import java.security.*;
>   import org.postgresql.*;
>   import org.postgresql.core.*;
>   import org.postgresql.util.*;
> ***************
> *** 27,32 ****
> --- 28,52 ----
>       BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
>       BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
>
> +    private static class PrivilegedSocket
> +       implements PrivilegedExceptionAction
> +    {
> +       private String host;
> +       private int port;
> +
> +       PrivilegedSocket(String host, int port)
> +       {
> +          this.host = host;
> +          this.port = port;
> +       }
> +
> +       public Object run() throws Exception
> +       {
> +          return new Socket(host, port);
> +       }
> +    }
> +
> +
>     /**
>      * Constructor:  Connect to the PostgreSQL back end and return
>      * a stream connection.
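Review bot: run() in PrivilegedSocket is declared "throws Exception", but the caller later casts whatever comes out of the PrivilegedActionException to IOException. Declaring run() as "throws IOException" would make that cast safe by construction instead of relying on new Socket(host, port) never raising another checked exception. The host and port fields can also be final, and the class needs a short comment saying it exists so the SocketPermission check stops at the driver's own code.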
> ***************
> *** 37,43 ****
>      */
>     public PG_Stream(String host, int port) throws IOException
>     {
> !     connection = new Socket(host, port);
>
>       // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed
>       // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
> --- 57,69 ----
>      */
>     public PG_Stream(String host, int port) throws IOException
>     {
> !      PrivilegedSocket ps = new PrivilegedSocket(host, port);
> !      try {
> !         connection = (Socket)AccessController.doPrivileged(ps);
> !      }
> !      catch(PrivilegedActionException pae){
> !         throw (IOException)pae.getException();
> !      }
>
>       // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed
>       // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
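Review bot: the public PG_Stream(String host, int port) constructor now hands caller-supplied host and port straight to AccessController.doPrivileged(), so any code able to call this constructor opens the socket under the driver jar's permissions rather than its own. That is the intent of the change, but it deserves a comment at this call and a note in the driver documentation that the SocketPermission granted to the postgresql.jar codeBase should name the specific database host:port rather than a wildcard.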
>
>
> No file was uploaded with this report

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
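
The policy-file difference the quoted report describes, as an added example that is not part of the original thread. The paths and host name are constructed placeholders; the grant and permission syntax is the standard Java policy file format.

```text
// Constructed example: paths and host name are placeholders.

// Before the patch: the SocketPermission check walks the whole call stack,
// so the grant has to cover the application's code as well as the driver.
// "file:/opt/app/-" matches every file under /opt/app, recursively.
grant codeBase "file:/opt/app/-" {
    permission java.net.SocketPermission "db.example.internal:5432", "connect";
};

// After the patch: the check stops at the driver's doPrivileged() frame,
// so only the driver jar needs the grant. Keep the target to the single
// database host:port, since every caller of the driver connects under it.
grant codeBase "file:/opt/app/lib/postgresql.jar" {
    permission java.net.SocketPermission "db.example.internal:5432", "connect";
};
```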
