| From: | pgsql-bugs(at)postgresql(dot)org |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Bug #428: Another security issue with the JDBC driver. |
| Date: | 2001-08-24 17:20:00 |
| Message-ID: | 200108241720.f7OHK0G17478@hub.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs pgsql-jdbc pgsql-patches |
David Daney (David(dot)Daney(at)avtrex(dot)com) reports a bug with a severity of 3
The lower the number the more severe it is.
Short Description
Another security issue with the JDBC driver.
Long Description
The JDBC driver requires
permission java.net.SocketPermission "host:port", "connect";
in the policy file of the application using the JDBC driver
in the postgresql.jar file. Since the Socket() call in the
driver is not protected by AccessController.doPrivileged() this
permission must also be granted to the entire application.
The attached diff fixes it so that the connect permission can be
restricted just the the postgresql.jar codeBase if desired.
Sample Code
*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001
--- PG_Stream.java Fri Aug 24 09:42:14 2001
***************
*** 5,10 ****
--- 5,11 ----
import java.net.*;
import java.util.*;
import java.sql.*;
+ import java.security.*;
import org.postgresql.*;
import org.postgresql.core.*;
import org.postgresql.util.*;
***************
*** 27,32 ****
--- 28,52 ----
BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
+ private static class PrivilegedSocket
+ implements PrivilegedExceptionAction
+ {
+ private String host;
+ private int port;
+
+ PrivilegedSocket(String host, int port)
+ {
+ this.host = host;
+ this.port = port;
+ }
+
+ public Object run() throws Exception
+ {
+ return new Socket(host, port);
+ }
+ }
+
+
/**
* Constructor: Connect to the PostgreSQL back end and return
* a stream connection.
***************
*** 37,43 ****
*/
public PG_Stream(String host, int port) throws IOException
{
! connection = new Socket(host, port);
// Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
// improvement on FreeBSD machines (caused by a bug in their TCP Stack)
--- 57,69 ----
*/
public PG_Stream(String host, int port) throws IOException
{
! PrivilegedSocket ps = new PrivilegedSocket(host, port);
! try {
! connection = (Socket)AccessController.doPrivileged(ps);
! }
! catch(PrivilegedActionException pae){
! throw (IOException)pae.getException();
! }
// Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
// improvement on FreeBSD machines (caused by a bug in their TCP Stack)
No file was uploaded with this report
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tomasz Zielonka | 2001-08-24 17:24:51 | Re: Strange deadlock problem on simple concurrent SELECT/LOCK TABLE transactions |
| Previous Message | Tomasz Zielonka | 2001-08-24 16:19:57 | Strange deadlock problem on simple concurrent SELECT/LOCK TABLE transactions |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ned Wolpert | 2001-08-24 18:12:23 | Re: Re: [JDBC] New backend functions? |
| Previous Message | Bruce Momjian | 2001-08-24 16:50:09 | Re: [PATCHES] patch for JDBC1 build problems |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2001-08-24 17:35:28 | Re: DROP CONSTRAINT (UNIQUE) preliminary support |
| Previous Message | Bruce Momjian | 2001-08-24 16:53:23 | Re: insert multiple rows attempt two |