Re: [BUGS] Bug #428: Another security issue with the JDBC driver.

Please pull this patch. It breaks JDBC1 support. The JDBC1 code no
longer compiles, due to objects being referenced in this patch that do
not exist in JDK1.1.

thanks,
--Barry

[copy] Copying 1 file to
/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql
[echo] Configured build for the JDBC1 edition driver

compile:
[javac] Compiling 38 source files to
/home/blind/temp/pgsql/src/interfaces/jdbc/build
[javac]
/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:33:
Interface org.postgresql.PrivilegedExceptionAction of nested class
org.postgresql.PG_Stream. PrivilegedSocket not found.
[javac] implements PrivilegedExceptionAction
[javac] ^
[javac]
/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:63:
Undefined variable or class name: AccessController
[javac] connection = (Socket)AccessController.doPrivileged(ps);
[javac] ^
[javac]
/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:65:
Class org.postgresql.PrivilegedActionException not found in type
declaration.
[javac] catch(PrivilegedActionException pae){
[javac] ^
[javac] 3 errors

BUILD FAILED

Bruce Momjian wrote:
> Patch applied. Thanks.
>
>
>>I am sorry to keep going back and forth on this, but:
>>
>>The original patch is correct and does the proper thing. I should have
>>tested this before sounding the alarm.
>>
>>AccessController.doPrivileged()
>>
>>Propagates SecurityExceptions without wrapping them in a PrivilegedActionException so it appears that there is not the possibility of a ClassCastException.
>>
>>David Daney.
>>
>>
>>Bruce Momjian wrote:
>>
>>
>>>OK, patch removed from queue.
>>>
>>>
>>>>It is now unclear to me the the
>>>>
>>>>catch(PrivilegedActionException pae)
>>>>
>>>>part of the patch is correct. If a SecurityException is thrown in
>>>>Socket() (as might happen if the policy file did not give the proper
>>>>permissions), then it might be converted into a ClassCastException,
>>>>which is probably the wrong thing to do.
>>>>
>>>>Perhaps I should look into this a bit further.
>>>>
>>>>David Daney.
>>>>
>>>>
>>>>Bruce Momjian wrote:
>>>>
>>>>
>>>>>Your patch has been added to the PostgreSQL unapplied patches list at:
>>>>>
>>>>> http://candle.pha.pa.us/cgi-bin/pgpatches
>>>>>
>>>>>I will try to apply it within the next 48 hours.
>>>>>
>>>>>
>>>>>>David Daney (David(dot)Daney(at)avtrex(dot)com) reports a bug with a severity of 3
>>>>>>The lower the number the more severe it is.
>>>>>>
>>>>>>Short Description
>>>>>>Another security issue with the JDBC driver.
>>>>>>
>>>>>>Long Description
>>>>>>The JDBC driver requires
>>>>>>
>>>>>>permission java.net.SocketPermission "host:port", "connect";
>>>>>>
>>>>>>in the policy file of the application using the JDBC driver
>>>>>>in the postgresql.jar file. Since the Socket() call in the
>>>>>>driver is not protected by AccessController.doPrivileged() this
>>>>>>permission must also be granted to the entire application.
>>>>>>
>>>>>>The attached diff fixes it so that the connect permission can be
>>>>>>restricted just the the postgresql.jar codeBase if desired.
>>>>>>
>>>>>>Sample Code
>>>>>>*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001
>>>>>>--- PG_Stream.java Fri Aug 24 09:42:14 2001
>>>>>>***************
>>>>>>*** 5,10 ****
>>>>>>--- 5,11 ----
>>>>>>import java.net.*;
>>>>>>import java.util.*;
>>>>>>import java.sql.*;
>>>>>>+ import java.security.*;
>>>>>>import org.postgresql.*;
>>>>>>import org.postgresql.core.*;
>>>>>>import org.postgresql.util.*;
>>>>>>***************
>>>>>>*** 27,32 ****
>>>>>>--- 28,52 ----
>>>>>> BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
>>>>>> BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
>>>>>>
>>>>>>+ private static class PrivilegedSocket
>>>>>>+ implements PrivilegedExceptionAction
>>>>>>+ {
>>>>>>+ private String host;
>>>>>>+ private int port;
>>>>>>+
>>>>>>+ PrivilegedSocket(String host, int port)
>>>>>>+ {
>>>>>>+ this.host = host;
>>>>>>+ this.port = port;
>>>>>>+ }
>>>>>>+
>>>>>>+ public Object run() throws Exception
>>>>>>+ {
>>>>>>+ return new Socket(host, port);
>>>>>>+ }
>>>>>>+ }
>>>>>>+
>>>>>>+
>>>>>> /**
>>>>>> * Constructor: Connect to the PostgreSQL back end and return
>>>>>> * a stream connection.
>>>>>>***************
>>>>>>*** 37,43 ****
>>>>>> */
>>>>>> public PG_Stream(String host, int port) throws IOException
>>>>>> {
>>>>>>! connection = new Socket(host, port);
>>>>>>
>>>>>> // Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
>>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>>>>>>--- 57,69 ----
>>>>>> */
>>>>>> public PG_Stream(String host, int port) throws IOException
>>>>>> {
>>>>>>! PrivilegedSocket ps = new PrivilegedSocket(host, port);
>>>>>>! try {
>>>>>>! connection = (Socket)AccessController.doPrivileged(ps);
>>>>>>! }
>>>>>>! catch(PrivilegedActionException pae){
>>>>>>! throw (IOException)pae.getException();
>>>>>>! }
>>>>>>
>>>>>> // Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
>>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>>>>>>
>>>>>>
>>>>>>No file was uploaded with this report
>>>>>>
>>>>>>
>>>>>>---------------------------(end of broadcast)---------------------------
>>>>>>TIP 5: Have you checked our extensive FAQ?
>>>>>>
>>>>>>http://www.postgresql.org/users-lounge/docs/faq.html
>>>>>>
>>>>>>
>>
>