Re: Re: [BUGS] Bug #428: Another security issue with the JDBC driver. - Mailing list pgsql-jdbc
From | Bruce Momjian |
---|---|
Subject | Re: Re: [BUGS] Bug #428: Another security issue with the JDBC driver. |
Date | |
Msg-id | 200108261709.f7QH9TZ13670@candle.pha.pa.us Whole thread Raw |
In response to | Re: [BUGS] Bug #428: Another security issue with the JDBC driver. (Barry Lind <barry@xythos.com>) |
List | pgsql-jdbc |
Patch reversed. Please advise how to continue. > Please pull this patch. It breaks JDBC1 support. The JDBC1 code no > longer compiles, due to objects being referenced in this patch that do > not exist in JDK1.1. > > thanks, > --Barry > > > [copy] Copying 1 file to > /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql > [echo] Configured build for the JDBC1 edition driver > > compile: > [javac] Compiling 38 source files to > /home/blind/temp/pgsql/src/interfaces/jdbc/build > [javac] > /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:33: > Interface org.postgresql.PrivilegedExceptionAction of nested class > org.postgresql.PG_Stream. PrivilegedSocket not found. > [javac] implements PrivilegedExceptionAction > [javac] ^ > [javac] > /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:63: > Undefined variable or class name: AccessController > [javac] connection = (Socket)AccessController.doPrivileged(ps); > [javac] ^ > [javac] > /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:65: > Class org.postgresql.PrivilegedActionException not found in type > declaration. > [javac] catch(PrivilegedActionException pae){ > [javac] ^ > [javac] 3 errors > > BUILD FAILED > > > > Bruce Momjian wrote: > > Patch applied. Thanks. > > > > > >>I am sorry to keep going back and forth on this, but: > >> > >>The original patch is correct and does the proper thing. I should have > >>tested this before sounding the alarm. > >> > >>AccessController.doPrivileged() > >> > >>Propagates SecurityExceptions without wrapping them in a PrivilegedActionException so it appears that there is not thepossibility of a ClassCastException. > >> > >>David Daney. > >> > >> > >>Bruce Momjian wrote: > >> > >> > >>>OK, patch removed from queue. > >>> > >>> > >>>>It is now unclear to me the the > >>>> > >>>>catch(PrivilegedActionException pae) > >>>> > >>>>part of the patch is correct. If a SecurityException is thrown in > >>>>Socket() (as might happen if the policy file did not give the proper > >>>>permissions), then it might be converted into a ClassCastException, > >>>>which is probably the wrong thing to do. > >>>> > >>>>Perhaps I should look into this a bit further. > >>>> > >>>>David Daney. > >>>> > >>>> > >>>>Bruce Momjian wrote: > >>>> > >>>> > >>>>>Your patch has been added to the PostgreSQL unapplied patches list at: > >>>>> > >>>>> http://candle.pha.pa.us/cgi-bin/pgpatches > >>>>> > >>>>>I will try to apply it within the next 48 hours. > >>>>> > >>>>> > >>>>>>David Daney (David.Daney@avtrex.com) reports a bug with a severity of 3 > >>>>>>The lower the number the more severe it is. > >>>>>> > >>>>>>Short Description > >>>>>>Another security issue with the JDBC driver. > >>>>>> > >>>>>>Long Description > >>>>>>The JDBC driver requires > >>>>>> > >>>>>>permission java.net.SocketPermission "host:port", "connect"; > >>>>>> > >>>>>>in the policy file of the application using the JDBC driver > >>>>>>in the postgresql.jar file. Since the Socket() call in the > >>>>>>driver is not protected by AccessController.doPrivileged() this > >>>>>>permission must also be granted to the entire application. > >>>>>> > >>>>>>The attached diff fixes it so that the connect permission can be > >>>>>>restricted just the the postgresql.jar codeBase if desired. > >>>>>> > >>>>>>Sample Code > >>>>>>*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001 > >>>>>>--- PG_Stream.java Fri Aug 24 09:42:14 2001 > >>>>>>*************** > >>>>>>*** 5,10 **** > >>>>>>--- 5,11 ---- > >>>>>>import java.net.*; > >>>>>>import java.util.*; > >>>>>>import java.sql.*; > >>>>>>+ import java.security.*; > >>>>>>import org.postgresql.*; > >>>>>>import org.postgresql.core.*; > >>>>>>import org.postgresql.util.*; > >>>>>>*************** > >>>>>>*** 27,32 **** > >>>>>>--- 28,52 ---- > >>>>>> BytePoolDim1 bytePoolDim1 = new BytePoolDim1(); > >>>>>> BytePoolDim2 bytePoolDim2 = new BytePoolDim2(); > >>>>>> > >>>>>>+ private static class PrivilegedSocket > >>>>>>+ implements PrivilegedExceptionAction > >>>>>>+ { > >>>>>>+ private String host; > >>>>>>+ private int port; > >>>>>>+ > >>>>>>+ PrivilegedSocket(String host, int port) > >>>>>>+ { > >>>>>>+ this.host = host; > >>>>>>+ this.port = port; > >>>>>>+ } > >>>>>>+ > >>>>>>+ public Object run() throws Exception > >>>>>>+ { > >>>>>>+ return new Socket(host, port); > >>>>>>+ } > >>>>>>+ } > >>>>>>+ > >>>>>>+ > >>>>>> /** > >>>>>> * Constructor: Connect to the PostgreSQL back end and return > >>>>>> * a stream connection. > >>>>>>*************** > >>>>>>*** 37,43 **** > >>>>>> */ > >>>>>> public PG_Stream(String host, int port) throws IOException > >>>>>> { > >>>>>>! connection = new Socket(host, port); > >>>>>> > >>>>>> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed > >>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack) > >>>>>>--- 57,69 ---- > >>>>>> */ > >>>>>> public PG_Stream(String host, int port) throws IOException > >>>>>> { > >>>>>>! PrivilegedSocket ps = new PrivilegedSocket(host, port); > >>>>>>! try { > >>>>>>! connection = (Socket)AccessController.doPrivileged(ps); > >>>>>>! } > >>>>>>! catch(PrivilegedActionException pae){ > >>>>>>! throw (IOException)pae.getException(); > >>>>>>! } > >>>>>> > >>>>>> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed > >>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack) > >>>>>> > >>>>>> > >>>>>>No file was uploaded with this report > >>>>>> > >>>>>> > >>>>>>---------------------------(end of broadcast)--------------------------- > >>>>>>TIP 5: Have you checked our extensive FAQ? > >>>>>> > >>>>>>http://www.postgresql.org/users-lounge/docs/faq.html > >>>>>> > >>>>>> > >> > > > > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/users-lounge/docs/faq.html > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
pgsql-jdbc by date: