Re: Bug #428: Another security issue with the JDBC driver. - Mailing list pgsql-bugs
From | Bruce Momjian |
---|---|
Subject | Re: Bug #428: Another security issue with the JDBC driver. |
Date | |
Msg-id | 200108242121.f7OLLi003579@candle.pha.pa.us |
In response to | Bug #428: Another security issue with the JDBC driver. (pgsql-bugs@postgresql.org) |
List | pgsql-bugs |
OK, patch removed from queue.

> It is now unclear to me that the
>
> catch(PrivilegedActionException pae)
>
> part of the patch is correct. If a SecurityException is thrown in
> Socket() (as might happen if the policy file did not give the proper
> permissions), then it might be converted into a ClassCastException,
> which is probably the wrong thing to do.
>
> Perhaps I should look into this a bit further.
>
> David Daney.
>
>
> Bruce Momjian wrote:
>
> >Your patch has been added to the PostgreSQL unapplied patches list at:
> >
> > http://candle.pha.pa.us/cgi-bin/pgpatches
> >
> >I will try to apply it within the next 48 hours.
> >
> >>David Daney (David.Daney@avtrex.com) reports a bug with a severity of 3
> >>The lower the number the more severe it is.
> >>
> >>Short Description
> >>Another security issue with the JDBC driver.
> >>
> >>Long Description
> >>The JDBC driver requires
> >>
> >> permission java.net.SocketPermission "host:port", "connect";
> >>
> >>in the policy file of the application using the JDBC driver
> >>in the postgresql.jar file. Since the Socket() call in the
> >>driver is not protected by AccessController.doPrivileged() this
> >>permission must also be granted to the entire application.
> >>
> >>The attached diff fixes it so that the connect permission can be
> >>restricted just to the postgresql.jar codeBase if desired.
> >> > >>Sample Code > >>*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001 > >>--- PG_Stream.java Fri Aug 24 09:42:14 2001 > >>*************** > >>*** 5,10 **** > >>--- 5,11 ---- > >> import java.net.*; > >> import java.util.*; > >> import java.sql.*; > >>+ import java.security.*; > >> import org.postgresql.*; > >> import org.postgresql.core.*; > >> import org.postgresql.util.*; > >>*************** > >>*** 27,32 **** > >>--- 28,52 ---- > >> BytePoolDim1 bytePoolDim1 = new BytePoolDim1(); > >> BytePoolDim2 bytePoolDim2 = new BytePoolDim2(); > >> > >>+ private static class PrivilegedSocket > >>+ implements PrivilegedExceptionAction > >>+ { > >>+ private String host; > >>+ private int port; > >>+ > >>+ PrivilegedSocket(String host, int port) > >>+ { > >>+ this.host = host; > >>+ this.port = port; > >>+ } > >>+ > >>+ public Object run() throws Exception > >>+ { > >>+ return new Socket(host, port); > >>+ } > >>+ } > >>+ > >>+ > >> /** > >> * Constructor: Connect to the PostgreSQL back end and return > >> * a stream connection. > >>*************** > >>*** 37,43 **** > >> */ > >> public PG_Stream(String host, int port) throws IOException > >> { > >>! connection = new Socket(host, port); > >> > >> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed > >> // improvement on FreeBSD machines (caused by a bug in their TCP Stack) > >>--- 57,69 ---- > >> */ > >> public PG_Stream(String host, int port) throws IOException > >> { > >>! PrivilegedSocket ps = new PrivilegedSocket(host, port); > >>! try { > >>! connection = (Socket)AccessController.doPrivileged(ps); > >>! } > >>! catch(PrivilegedActionException pae){ > >>! throw (IOException)pae.getException(); > >>! 
} > >> > >> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed > >> // improvement on FreeBSD machines (caused by a bug in their TCP Stack) > >> > >> > >>No file was uploaded with this report > >> > >> > >>---------------------------(end of broadcast)--------------------------- > >>TIP 5: Have you checked our extensive FAQ? > >> > >>http://www.postgresql.org/users-lounge/docs/faq.html > >> > > > > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
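Review bot: In the PrivilegedSocket hunk, run() is declared `throws Exception` although its only statement is `new Socket(host, port)`, and the caller later casts whatever exception comes back to IOException; declaring `public Object run() throws IOException` would state the contract that cast depends on. The `host` and `port` fields are assigned once in the constructor and can be `final`, and the class should carry a comment saying why the socket is opened under the driver's own permissions.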
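Review bot: In the PG_Stream constructor hunk, `throw (IOException)pae.getException();` casts unconditionally, so any checked exception from the action that is not an IOException would surface as a ClassCastException and hide the real cause; test with instanceof before casting and wrap anything else in a new IOException. doPrivileged() wraps only checked exceptions in PrivilegedActionException, so a SecurityException raised inside Socket() propagates to the caller unchanged and never reaches this catch. Separately, the constructor is public and passes caller-supplied host and port into the privileged action, so the SocketPermission granted to the postgresql.jar codeBase should name only the database host and port.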