Re: [JDBC] Re: Bug #428: Another security issue with the JDBC driver.

Sorry about that, things are never as easy as they seem. The answer
appears to be to filter PG_Stream.java in a similar manner as is done to
Driver.java

Attached please find two files.

1) diffs for build.xml.

2) PG_Stream.java.in

I hope this can now be put to bed.

David Daney.

Bruce Momjian wrote:

>Patch reversed. Please advise how to continue.
>
>>Please pull this patch. It breaks JDBC1 support. The JDBC1 code no
>>longer compiles, due to objects being referenced in this patch that do
>>not exist in JDK1.1.
>>
>>thanks,
>>--Barry
>>
>>
>> [copy] Copying 1 file to
>>/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql
>> [echo] Configured build for the JDBC1 edition driver
>>
>>compile:
>> [javac] Compiling 38 source files to
>>/home/blind/temp/pgsql/src/interfaces/jdbc/build
>> [javac]
>>/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:33:
>>Interface org.postgresql.PrivilegedExceptionAction of nested class
>>org.postgresql.PG_Stream. PrivilegedSocket not found.
>> [javac] implements PrivilegedExceptionAction
>> [javac] ^
>> [javac]
>>/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:63:
>>Undefined variable or class name: AccessController
>> [javac] connection = (Socket)AccessController.doPrivileged(ps);
>> [javac] ^
>> [javac]
>>/home/blind/temp/pgsql/src/interfaces/jdbc/org/postgresql/PG_Stream.java:65:
>>Class org.postgresql.PrivilegedActionException not found in type
>>declaration.
>> [javac] catch(PrivilegedActionException pae){
>> [javac] ^
>> [javac] 3 errors
>>
>>BUILD FAILED
>>
>>
>>
>>Bruce Momjian wrote:
>>
>>>Patch applied. Thanks.
>>>
>>>
>>>>I am sorry to keep going back and forth on this, but:
>>>>
>>>>The original patch is correct and does the proper thing. I should have
>>>>tested this before sounding the alarm.
>>>>
>>>>AccessController.doPrivileged()
>>>>
>>>>Propagates SecurityExceptions without wrapping them in a PrivilegedActionException so it appears that there is not the possibility of a ClassCastException.
>>>>
>>>>David Daney.
>>>>
>>>>
>>>>Bruce Momjian wrote:
>>>>
>>>>
>>>>>OK, patch removed from queue.
>>>>>
>>>>>
>>>>>>It is now unclear to me the the
>>>>>>
>>>>>>catch(PrivilegedActionException pae)
>>>>>>
>>>>>>part of the patch is correct. If a SecurityException is thrown in
>>>>>>Socket() (as might happen if the policy file did not give the proper
>>>>>>permissions), then it might be converted into a ClassCastException,
>>>>>>which is probably the wrong thing to do.
>>>>>>
>>>>>>Perhaps I should look into this a bit further.
>>>>>>
>>>>>>David Daney.
>>>>>>
>>>>>>
>>>>>>Bruce Momjian wrote:
>>>>>>
>>>>>>
>>>>>>>Your patch has been added to the PostgreSQL unapplied patches list at:
>>>>>>>
>>>>>>> http://candle.pha.pa.us/cgi-bin/pgpatches
>>>>>>>
>>>>>>>I will try to apply it within the next 48 hours.
>>>>>>>
>>>>>>>
>>>>>>>>David Daney (David(dot)Daney(at)avtrex(dot)com) reports a bug with a severity of 3
>>>>>>>>The lower the number the more severe it is.
>>>>>>>>
>>>>>>>>Short Description
>>>>>>>>Another security issue with the JDBC driver.
>>>>>>>>
>>>>>>>>Long Description
>>>>>>>>The JDBC driver requires
>>>>>>>>
>>>>>>>>permission java.net.SocketPermission "host:port", "connect";
>>>>>>>>
>>>>>>>>in the policy file of the application using the JDBC driver
>>>>>>>>in the postgresql.jar file. Since the Socket() call in the
>>>>>>>>driver is not protected by AccessController.doPrivileged() this
>>>>>>>>permission must also be granted to the entire application.
>>>>>>>>
>>>>>>>>The attached diff fixes it so that the connect permission can be
>>>>>>>>restricted just the the postgresql.jar codeBase if desired.
>>>>>>>>
>>>>>>>>Sample Code
>>>>>>>>*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001
>>>>>>>>--- PG_Stream.java Fri Aug 24 09:42:14 2001
>>>>>>>>***************
>>>>>>>>*** 5,10 ****
>>>>>>>>--- 5,11 ----
>>>>>>>>import java.net.*;
>>>>>>>>import java.util.*;
>>>>>>>>import java.sql.*;
>>>>>>>>+ import java.security.*;
>>>>>>>>import org.postgresql.*;
>>>>>>>>import org.postgresql.core.*;
>>>>>>>>import org.postgresql.util.*;
>>>>>>>>***************
>>>>>>>>*** 27,32 ****
>>>>>>>>--- 28,52 ----
>>>>>>>> BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
>>>>>>>> BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
>>>>>>>>
>>>>>>>>+ private static class PrivilegedSocket
>>>>>>>>+ implements PrivilegedExceptionAction
>>>>>>>>+ {
>>>>>>>>+ private String host;
>>>>>>>>+ private int port;
>>>>>>>>+
>>>>>>>>+ PrivilegedSocket(String host, int port)
>>>>>>>>+ {
>>>>>>>>+ this.host = host;
>>>>>>>>+ this.port = port;
>>>>>>>>+ }
>>>>>>>>+
>>>>>>>>+ public Object run() throws Exception
>>>>>>>>+ {
>>>>>>>>+ return new Socket(host, port);
>>>>>>>>+ }
>>>>>>>>+ }
>>>>>>>>+
>>>>>>>>+
>>>>>>>> /**
>>>>>>>> * Constructor: Connect to the PostgreSQL back end and return
>>>>>>>> * a stream connection.
>>>>>>>>***************
>>>>>>>>*** 37,43 ****
>>>>>>>> */
>>>>>>>> public PG_Stream(String host, int port) throws IOException
>>>>>>>> {
>>>>>>>>! connection = new Socket(host, port);
>>>>>>>>
>>>>>>>> // Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
>>>>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>>>>>>>>--- 57,69 ----
>>>>>>>> */
>>>>>>>> public PG_Stream(String host, int port) throws IOException
>>>>>>>> {
>>>>>>>>! PrivilegedSocket ps = new PrivilegedSocket(host, port);
>>>>>>>>! try {
>>>>>>>>! connection = (Socket)AccessController.doPrivileged(ps);
>>>>>>>>! }
>>>>>>>>! catch(PrivilegedActionException pae){
>>>>>>>>! throw (IOException)pae.getException();
>>>>>>>>! }
>>>>>>>>
>>>>>>>> // Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
>>>>>>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
>>>>>>>>
>>>>>>>>
>>>>>>>>No file was uploaded with this report
>>>>>>>>
>>>>>>>>
>>>>>>>>---------------------------(end of broadcast)---------------------------
>>>>>>>>TIP 5: Have you checked our extensive FAQ?
>>>>>>>>
>>>>>>>>http://www.postgresql.org/users-lounge/docs/faq.html
>>>>>>>>
>>>>>>>>
>>
>>
>>---------------------------(end of broadcast)---------------------------
>>TIP 5: Have you checked our extensive FAQ?
>>
>>http://www.postgresql.org/users-lounge/docs/faq.html
>>
>