Skip site navigation (1) Skip section navigation (2)

Re: Bug #424: JDBC driver security issue.

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: David(dot)Daney(at)avtrex(dot)com, pgsql-bugs(at)postgresql(dot)org
Cc: PostgreSQL jdbc list <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Bug #424: JDBC driver security issue.
Date: 2001-08-26 00:19:20
Message-ID: 200108260019.f7Q0JKN13438@candle.pha.pa.us (view raw or flat)
Thread:
Lists: pgsql-bugspgsql-jdbc
We have removed ConnectionHook.java from the 7.2 release.  It was
considered an ill-advised feature.


> David Daney (David(dot)Daney(at)avtrex(dot)com) reports a bug with a severity of 3
> The lower the number the more severe it is.
> 
> Short Description
> JDBC driver security issue.
> 
> Long Description
> The JDBC driver requires 
> 
>    permission java.lang.RuntimePermission "shutdownHooks";
> 
> in the policy file in order to function.  However the driver does not protect the shutdown hooks call in an AccessController.doPrivileged() call, so these permissions must be granted to all code not just the postgres JDBC driver.
> 
> 
> Sample Code
> Here is a diff that fixes the problem.
> 
> *** ConnectionHook.java.orig	Mon Mar  5 01:17:43 2001
> --- ConnectionHook.java	Thu Aug 23 16:51:49 2001
> ***************
> *** 1,6 ****
> --- 1,9 ----
>   package org.postgresql.core;
>   
>   import java.sql.SQLException;
> + import java.security.AccessController;
> + import java.security.PrivilegedAction;
> + 
>   import java.util.ArrayList;
>   import java.util.Iterator;
>   import org.postgresql.Connection;
> ***************
> *** 51,57 ****
>      */
>     private ConnectionHook() {
>       super();
> !     Runtime.getRuntime().addShutdownHook(new Thread(this));
>     }
>   
>     /**
> --- 54,65 ----
>      */
>     private ConnectionHook() {
>       super();
> !     AccessController.doPrivileged(new PrivilegedAction() {
> !           public Object run() {
> !              Runtime.getRuntime().addShutdownHook(new Thread(ConnectionHook.this));
> !              return null; // nothing to return
> !           }
> !        });
>     }
>   
>     /**
> 
> 
> No file was uploaded with this report
> 
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to majordomo(at)postgresql(dot)org
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

In response to

pgsql-bugs by date

Next:From: Bruce MomjianDate: 2001-08-26 00:53:24
Subject: Re: JDBC patch (attempt#2) for util.Serialize and jdbc2.PreparedStatement
Previous:From: Tom LaneDate: 2001-08-25 13:57:35
Subject: Re: Re: Strange deadlock problem on simple concurrent SELECT/LOCK TABLE transactions

pgsql-jdbc by date

Next:From: Bruce MomjianDate: 2001-08-26 01:06:25
Subject: Re: Bug #428: Another security issue with the JDBC driver.
Previous:From: Bruce MomjianDate: 2001-08-25 21:09:00
Subject: Re: CVS compile problem

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group