Re: Bug #428: Another security issue with the JDBC driver. - Mailing list pgsql-bugs
From | Bruce Momjian |
---|---|
Subject | Re: Bug #428: Another security issue with the JDBC driver. |
Date | |
Msg-id | 200108241910.f7OJAu419957@candle.pha.pa.us |
In response to | Bug #428: Another security issue with the JDBC driver. (pgsql-bugs@postgresql.org) |
List | pgsql-bugs |
Your patch has been added to the PostgreSQL unapplied patches list at:

	http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

> David Daney (David.Daney@avtrex.com) reports a bug with a severity of 3
> The lower the number the more severe it is.
>
> Short Description
> Another security issue with the JDBC driver.
>
> Long Description
> The JDBC driver requires
>
> permission java.net.SocketPermission "host:port", "connect";
>
> in the policy file of the application using the JDBC driver
> in the postgresql.jar file. Since the Socket() call in the
> driver is not protected by AccessController.doPrivileged() this
> permission must also be granted to the entire application.
>
> The attached diff fixes it so that the connect permission can be
> restricted to just the postgresql.jar codeBase if desired.
>
> Sample Code
> *** PG_Stream.java.orig	Fri Aug 24 09:27:40 2001
> --- PG_Stream.java	Fri Aug 24 09:42:14 2001
> ***************
> *** 5,10 ****
> --- 5,11 ----
> import java.net.*;
> import java.util.*;
> import java.sql.*;
> + import java.security.*;
> import org.postgresql.*;
> import org.postgresql.core.*;
> import org.postgresql.util.*;
> ***************
> *** 27,32 ****
> --- 28,52 ----
> BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
> BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
>
> + private static class PrivilegedSocket
> + implements PrivilegedExceptionAction
> + {
> + private String host;
> + private int port;
> +
> + PrivilegedSocket(String host, int port)
> + {
> + this.host = host;
> + this.port = port;
> + }
> +
> + public Object run() throws Exception
> + {
> + return new Socket(host, port);
> + }
> + }
> +
> +
> /**
> * Constructor: Connect to the PostgreSQL back end and return
> * a stream connection.
> ***************
> *** 37,43 ****
> */
> public PG_Stream(String host, int port) throws IOException
> {
> ! connection = new Socket(host, port);
>
> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed
> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
> --- 57,69 ----
> */
> public PG_Stream(String host, int port) throws IOException
> {
> ! PrivilegedSocket ps = new PrivilegedSocket(host, port);
> ! try {
> ! connection = (Socket)AccessController.doPrivileged(ps);
> ! }
> ! catch(PrivilegedActionException pae){
> ! throw (IOException)pae.getException();
> ! }
>
> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed
> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>
>
> No file was uploaded with this report
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
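Review bot: in the `PrivilegedSocket` hunk (`*** 27,32 ****` / `--- 28,52 ----`), the action elevates whatever `host` and `port` the caller hands it, and because `PG_Stream(String host, int port)` is public, any code that can reach the driver opens that socket with the driver's permissions rather than its own. That is the intended effect of the patch, but it means the codeBase grant for postgresql.jar is now the only thing bounding where the driver will connect, so the policy entry for the jar should name the specific "host:port" rather than a wildcard, and that expectation belongs in a comment on the class. A smaller point: `host` and `port` are assigned only in the constructor, so declare them `final`.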
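Review bot: in the constructor hunk (`*** 37,43 ****` / `--- 57,69 ----`), `throw (IOException)pae.getException();` is an unchecked cast that holds only because `run()` currently does nothing but `new Socket(host, port)`, whose only checked exception is an `IOException`; since `run()` is declared `throws Exception`, any checked exception added inside it later would surface here as a `ClassCastException` with the original cause lost. Narrow the declaration to `public Object run() throws IOException` (an implementing method may declare fewer exceptions than the interface), or guard the rethrow with `if (e instanceof IOException) throw (IOException) e;` and otherwise throw a new `IOException` carrying `e.toString()`. Note also that `doPrivileged` wraps only checked exceptions, so a `SecurityException` raised when postgresql.jar itself lacks the permission propagates directly to the caller rather than through `PrivilegedActionException`, which is the right behaviour and worth a one-line comment on the catch.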
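As an added illustration, not part of the report or of the driver, the two policy configurations the report contrasts look like this. It assumes the application's SecurityManager policy file is the only policy in effect, that the driver is loaded from a hypothetical `/opt/app/lib/postgresql.jar`, and that the server is `db.example.com:5432`; all three are assumptions, not details from the page.

```text
// Before the patch: the driver's Socket() call runs on the application's own
// call stack, so every protection domain on that stack, the application's
// code included, must hold the permission.  The only grant that works is one
// with no codeBase restriction, which hands the same connect right to all code.
grant {
    permission java.net.SocketPermission "db.example.com:5432", "connect";
};

// After the patch: the Socket() call sits inside AccessController.doPrivileged(),
// so the permission check stops at the driver's protection domain.  The grant
// can now be scoped to the driver jar alone (assumed path), and the
// application's own code keeps no network permission at all.
grant codeBase "file:/opt/app/lib/postgresql.jar" {
    permission java.net.SocketPermission "db.example.com:5432", "connect";
};
```

Only one of the two `grant` blocks should be present; they are shown side by side to make the change in scope visible. The file is selected with `-Djava.security.manager -Djava.security.policy==app.policy` (the `==` form replaces the default policy rather than adding to it), and the target should stay a specific host and port: with a wildcard target, the privileged block turns the driver into a general socket-opening service for any code that can construct a `PG_Stream`. The SecurityManager machinery this relies on has been deprecated for removal since JDK 17, so this is a control for the JVMs of the era the report addresses, not a current one.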