Skip site navigation (1) Skip section navigation (2)

Re: [BUGS] Bug #428: Another security issue with the JDBC driver.

From: Barry Lind <barry(at)xythos(dot)com>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: David Daney <ddaney(at)avtrex(dot)com>, pgsql-bugs(at)postgresql(dot)org, PostgreSQL jdbc list <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: [BUGS] Bug #428: Another security issue with the JDBC driver.
Date: 2001-08-26 07:58:50
Message-ID: 3B88AC3A.4020604@xythos.com (view raw or flat)
Thread:
Lists: pgsql-bugspgsql-jdbcpgsql-patches
Please pull this patch.  It breaks JDBC1 support.  The JDBC1 code no 
longer compiles, due to objects being referenced in this patch that do 
not exist in JDK1.1.

thanks,
--Barry


      [copy] Copying 1 file to 
/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql
      [echo] Configured build for the JDBC1 edition driver

compile:
     [javac] Compiling 38 source files to 
/home/blind/temp/pgsql/src/interfaces/jdbc/build
     [javac] 
/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:33: 
Interface org.postgresql.PrivilegedExceptionAction of nested class 
org.postgresql.PG_Stream. PrivilegedSocket not found.
     [javac]       implements PrivilegedExceptionAction
     [javac]                  ^
     [javac] 
/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:63: 
Undefined variable or class name: AccessController
     [javac]         connection = (Socket)AccessController.doPrivileged(ps);
     [javac]                              ^
     [javac] 
/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:65: 
Class org.postgresql.PrivilegedActionException not found in type 
declaration.
     [javac]      catch(PrivilegedActionException pae){
     [javac]            ^
     [javac] 3 errors

BUILD FAILED



Bruce Momjian wrote:
> Patch applied.  Thanks.
> 
> 
>>I am sorry to keep going back and forth on this, but:
>>
>>The original patch is correct and does the proper thing.  I should have 
>>tested this before sounding the alarm.
>>
>>AccessController.doPrivileged()
>>
>>Propagates SecurityExceptions without wrapping them in a PrivilegedActionException so it appears that there is not the possibility of a ClassCastException.
>>
>>David Daney.
>>
>>
>>Bruce Momjian wrote:
>>
>>
>>>OK, patch removed from queue.
>>>
>>>
>>>>It is now unclear to me the the
>>>>
>>>>catch(PrivilegedActionException pae)
>>>>
>>>>part of the patch is correct.  If a SecurityException is thrown in 
>>>>Socket() (as might happen if the policy file did not give the proper 
>>>>permissions), then it might be converted into a ClassCastException, 
>>>>which is probably the wrong thing to do.
>>>>
>>>>Perhaps I should look into this a bit further.
>>>>
>>>>David Daney.
>>>>
>>>>
>>>>Bruce Momjian wrote:
>>>>
>>>>
>>>>>Your patch has been added to the PostgreSQL unapplied patches list at:
>>>>>
>>>>>	http://candle.pha.pa.us/cgi-bin/pgpatches
>>>>>
>>>>>I will try to apply it within the next 48 hours.
>>>>>
>>>>>
>>>>>>David Daney (David(dot)Daney(at)avtrex(dot)com) reports a bug with a severity of 3
>>>>>>The lower the number the more severe it is.
>>>>>>
>>>>>>Short Description
>>>>>>Another security issue with the JDBC driver.
>>>>>>
>>>>>>Long Description
>>>>>>The JDBC driver requires
>>>>>>
>>>>>>permission java.net.SocketPermission "host:port", "connect";
>>>>>>
>>>>>>in the policy file of the application using the JDBC driver 
>>>>>>in the postgresql.jar file.  Since the Socket() call in the
>>>>>>driver is not protected by AccessController.doPrivileged() this
>>>>>>permission must also be granted to the entire application.
>>>>>>
>>>>>>The attached diff fixes it so that the connect permission can be
>>>>>>restricted just the the postgresql.jar codeBase if desired.
>>>>>>
>>>>>>Sample Code
>>>>>>*** PG_Stream.java.orig	Fri Aug 24 09:27:40 2001
>>>>>>--- PG_Stream.java	Fri Aug 24 09:42:14 2001
>>>>>>***************
>>>>>>*** 5,10 ****
>>>>>>--- 5,11 ----
>>>>>>import java.net.*;
>>>>>>import java.util.*;
>>>>>>import java.sql.*;
>>>>>>+ import java.security.*;
>>>>>>import org.postgresql.*;
>>>>>>import org.postgresql.core.*;
>>>>>>import org.postgresql.util.*;
>>>>>>***************
>>>>>>*** 27,32 ****
>>>>>>--- 28,52 ----
>>>>>>    BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
>>>>>>    BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
>>>>>>
>>>>>>+    private static class PrivilegedSocket
>>>>>>+       implements PrivilegedExceptionAction
>>>>>>+    {
>>>>>>+       private String host;
>>>>>>+       private int port;
>>>>>>+       
>>>>>>+       PrivilegedSocket(String host, int port)
>>>>>>+       {
>>>>>>+          this.host = host;
>>>>>>+          this.port = port;
>>>>>>+       }
>>>>>>+ 
>>>>>>+       public Object run() throws Exception
>>>>>>+       {
>>>>>>+          return new Socket(host, port);
>>>>>>+       }
>>>>>>+    }
>>>>>>+    
>>>>>>+ 
>>>>>>  /**
>>>>>>   * Constructor:  Connect to the PostgreSQL back end and return
>>>>>>   * a stream connection.
>>>>>>***************
>>>>>>*** 37,43 ****
>>>>>>   */
>>>>>>  public PG_Stream(String host, int port) throws IOException
>>>>>>  {
>>>>>>!     connection = new Socket(host, port);
>>>>>>
>>>>>>    // Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
>>>>>>    // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>>>>>>--- 57,69 ----
>>>>>>   */
>>>>>>  public PG_Stream(String host, int port) throws IOException
>>>>>>  {
>>>>>>!      PrivilegedSocket ps = new PrivilegedSocket(host, port);
>>>>>>!      try {
>>>>>>!         connection = (Socket)AccessController.doPrivileged(ps);
>>>>>>!      }
>>>>>>!      catch(PrivilegedActionException pae){
>>>>>>!         throw (IOException)pae.getException();
>>>>>>!      }
>>>>>>
>>>>>>    // Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
>>>>>>    // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>>>>>>
>>>>>>
>>>>>>No file was uploaded with this report
>>>>>>
>>>>>>
>>>>>>---------------------------(end of broadcast)---------------------------
>>>>>>TIP 5: Have you checked our extensive FAQ?
>>>>>>
>>>>>>http://www.postgresql.org/users-lounge/docs/faq.html
>>>>>>
>>>>>>
>>
> 



In response to

Responses

pgsql-jdbc by date

Next:From: Rene PijlmanDate: 2001-08-26 16:37:35
Subject: (fwd) What should Statement.executeBatch() do with an empty batch?
Previous:From: Bruce MomjianDate: 2001-08-26 01:06:25
Subject: Re: Bug #428: Another security issue with the JDBC driver.

pgsql-bugs by date

Next:From: Bruce MomjianDate: 2001-08-26 17:09:29
Subject: Re: [JDBC] Re: Bug #428: Another security issue with the JDBC driver.
Previous:From: Bruce MomjianDate: 2001-08-26 01:06:25
Subject: Re: Bug #428: Another security issue with the JDBC driver.

pgsql-patches by date

Next:From: Peter EisentrautDate: 2001-08-26 12:37:25
Subject: Re: Re: [PATCHES] Makefile.PL for Pg.so
Previous:From: Lamar OwenDate: 2001-08-26 05:05:09
Subject: Re: Re: [PATCHES] Makefile.PL for Pg.so

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group