Re: Re: [BUGS] Bug #428: Another security issue with the JDBC driver. - Mailing list pgsql-jdbc
| From | Bruce Momjian |
|---|---|
| Subject | Re: Re: [BUGS] Bug #428: Another security issue with the JDBC driver. |
| Date | |
| Msg-id | 200108261709.f7QH9TZ13670@candle.pha.pa.us Whole thread Raw |
| In response to | Re: [BUGS] Bug #428: Another security issue with the JDBC driver. (Barry Lind <barry@xythos.com>) |
| List | pgsql-jdbc |
Patch reversed. Please advise how to continue.
> Please pull this patch. It breaks JDBC1 support. The JDBC1 code no
> longer compiles, due to objects being referenced in this patch that do
> not exist in JDK1.1.
>
> thanks,
> --Barry
>
>
> [copy] Copying 1 file to
> /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql
> [echo] Configured build for the JDBC1 edition driver
>
> compile:
> [javac] Compiling 38 source files to
> /home/blind/temp/pgsql/src/interfaces/jdbc/build
> [javac]
> /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:33:
> Interface org.postgresql.PrivilegedExceptionAction of nested class
> org.postgresql.PG_Stream. PrivilegedSocket not found.
> [javac] implements PrivilegedExceptionAction
> [javac] ^
> [javac]
> /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:63:
> Undefined variable or class name: AccessController
> [javac] connection = (Socket)AccessController.doPrivileged(ps);
> [javac] ^
> [javac]
> /home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:65:
> Class org.postgresql.PrivilegedActionException not found in type
> declaration.
> [javac] catch(PrivilegedActionException pae){
> [javac] ^
> [javac] 3 errors
>
> BUILD FAILED
>
>
>
> Bruce Momjian wrote:
> > Patch applied. Thanks.
> >
> >
> >>I am sorry to keep going back and forth on this, but:
> >>
> >>The original patch is correct and does the proper thing. I should have
> >>tested this before sounding the alarm.
> >>
> >>AccessController.doPrivileged()
> >>
> >>Propagates SecurityExceptions without wrapping them in a PrivilegedActionException so it appears that there is not
thepossibility of a ClassCastException.
> >>
> >>David Daney.
> >>
> >>
> >>Bruce Momjian wrote:
> >>
> >>
> >>>OK, patch removed from queue.
> >>>
> >>>
> >>>>It is now unclear to me the the
> >>>>
> >>>>catch(PrivilegedActionException pae)
> >>>>
> >>>>part of the patch is correct. If a SecurityException is thrown in
> >>>>Socket() (as might happen if the policy file did not give the proper
> >>>>permissions), then it might be converted into a ClassCastException,
> >>>>which is probably the wrong thing to do.
> >>>>
> >>>>Perhaps I should look into this a bit further.
> >>>>
> >>>>David Daney.
> >>>>
> >>>>
> >>>>Bruce Momjian wrote:
> >>>>
> >>>>
> >>>>>Your patch has been added to the PostgreSQL unapplied patches list at:
> >>>>>
> >>>>> http://candle.pha.pa.us/cgi-bin/pgpatches
> >>>>>
> >>>>>I will try to apply it within the next 48 hours.
> >>>>>
> >>>>>
> >>>>>>David Daney (David.Daney@avtrex.com) reports a bug with a severity of 3
> >>>>>>The lower the number the more severe it is.
> >>>>>>
> >>>>>>Short Description
> >>>>>>Another security issue with the JDBC driver.
> >>>>>>
> >>>>>>Long Description
> >>>>>>The JDBC driver requires
> >>>>>>
> >>>>>>permission java.net.SocketPermission "host:port", "connect";
> >>>>>>
> >>>>>>in the policy file of the application using the JDBC driver
> >>>>>>in the postgresql.jar file. Since the Socket() call in the
> >>>>>>driver is not protected by AccessController.doPrivileged() this
> >>>>>>permission must also be granted to the entire application.
> >>>>>>
> >>>>>>The attached diff fixes it so that the connect permission can be
> >>>>>>restricted just the the postgresql.jar codeBase if desired.
> >>>>>>
> >>>>>>Sample Code
> >>>>>>*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001
> >>>>>>--- PG_Stream.java Fri Aug 24 09:42:14 2001
> >>>>>>***************
> >>>>>>*** 5,10 ****
> >>>>>>--- 5,11 ----
> >>>>>>import java.net.*;
> >>>>>>import java.util.*;
> >>>>>>import java.sql.*;
> >>>>>>+ import java.security.*;
> >>>>>>import org.postgresql.*;
> >>>>>>import org.postgresql.core.*;
> >>>>>>import org.postgresql.util.*;
> >>>>>>***************
> >>>>>>*** 27,32 ****
> >>>>>>--- 28,52 ----
> >>>>>> BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
> >>>>>> BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
> >>>>>>
> >>>>>>+ private static class PrivilegedSocket
> >>>>>>+ implements PrivilegedExceptionAction
> >>>>>>+ {
> >>>>>>+ private String host;
> >>>>>>+ private int port;
> >>>>>>+
> >>>>>>+ PrivilegedSocket(String host, int port)
> >>>>>>+ {
> >>>>>>+ this.host = host;
> >>>>>>+ this.port = port;
> >>>>>>+ }
> >>>>>>+
> >>>>>>+ public Object run() throws Exception
> >>>>>>+ {
> >>>>>>+ return new Socket(host, port);
> >>>>>>+ }
> >>>>>>+ }
> >>>>>>+
> >>>>>>+
> >>>>>> /**
> >>>>>> * Constructor: Connect to the PostgreSQL back end and return
> >>>>>> * a stream connection.
> >>>>>>***************
> >>>>>>*** 37,43 ****
> >>>>>> */
> >>>>>> public PG_Stream(String host, int port) throws IOException
> >>>>>> {
> >>>>>>! connection = new Socket(host, port);
> >>>>>>
> >>>>>> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed
> >>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
> >>>>>>--- 57,69 ----
> >>>>>> */
> >>>>>> public PG_Stream(String host, int port) throws IOException
> >>>>>> {
> >>>>>>! PrivilegedSocket ps = new PrivilegedSocket(host, port);
> >>>>>>! try {
> >>>>>>! connection = (Socket)AccessController.doPrivileged(ps);
> >>>>>>! }
> >>>>>>! catch(PrivilegedActionException pae){
> >>>>>>! throw (IOException)pae.getException();
> >>>>>>! }
> >>>>>>
> >>>>>> // Submitted by Jason Venner <jason@idiom.com> adds a 10x speed
> >>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
> >>>>>>
> >>>>>>
> >>>>>>No file was uploaded with this report
> >>>>>>
> >>>>>>
> >>>>>>---------------------------(end of broadcast)---------------------------
> >>>>>>TIP 5: Have you checked our extensive FAQ?
> >>>>>>
> >>>>>>http://www.postgresql.org/users-lounge/docs/faq.html
> >>>>>>
> >>>>>>
> >>
> >
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
pgsql-jdbc by date: