Bug #428: Another security issue with the JDBC driver.

From: pgsql-bugs(at)postgresql(dot)org
To: pgsql-bugs(at)postgresql(dot)org
Subject: Bug #428: Another security issue with the JDBC driver.
Date: 2001-08-24 17:20:00
Message-ID: 200108241720.f7OHK0G17478@hub.org
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-bugs pgsql-jdbc pgsql-patches

David Daney (David(dot)Daney(at)avtrex(dot)com) reports a bug with a severity of 3
The lower the number the more severe it is.

Short Description
Another security issue with the JDBC driver.

Long Description
The JDBC driver requires

permission java.net.SocketPermission "host:port", "connect";

in the policy file of the application using the JDBC driver
in the postgresql.jar file. Since the Socket() call in the
driver is not protected by AccessController.doPrivileged() this
permission must also be granted to the entire application.

The attached diff fixes it so that the connect permission can be
restricted just the the postgresql.jar codeBase if desired.

Sample Code
*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001
--- PG_Stream.java Fri Aug 24 09:42:14 2001
***************
*** 5,10 ****
--- 5,11 ----
import java.net.*;
import java.util.*;
import java.sql.*;
+ import java.security.*;
import org.postgresql.*;
import org.postgresql.core.*;
import org.postgresql.util.*;
***************
*** 27,32 ****
--- 28,52 ----
BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
BytePoolDim2 bytePoolDim2 = new BytePoolDim2();

+ private static class PrivilegedSocket
+ implements PrivilegedExceptionAction
+ {
+ private String host;
+ private int port;
+
+ PrivilegedSocket(String host, int port)
+ {
+ this.host = host;
+ this.port = port;
+ }
+
+ public Object run() throws Exception
+ {
+ return new Socket(host, port);
+ }
+ }
+
+
/**
* Constructor: Connect to the PostgreSQL back end and return
* a stream connection.
***************
*** 37,43 ****
*/
public PG_Stream(String host, int port) throws IOException
{
! connection = new Socket(host, port);

// Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
// improvement on FreeBSD machines (caused by a bug in their TCP Stack)
--- 57,69 ----
*/
public PG_Stream(String host, int port) throws IOException
{
! PrivilegedSocket ps = new PrivilegedSocket(host, port);
! try {
! connection = (Socket)AccessController.doPrivileged(ps);
! }
! catch(PrivilegedActionException pae){
! throw (IOException)pae.getException();
! }

// Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
// improvement on FreeBSD machines (caused by a bug in their TCP Stack)

No file was uploaded with this report

Responses

Browse pgsql-jdbc by date

  From Date Subject
Next Message Ned Wolpert 2001-08-24 18:12:23 Re: Re: [JDBC] New backend functions?
Previous Message Bruce Momjian 2001-08-24 16:50:09 Re: [PATCHES] patch for JDBC1 build problems

Browse pgsql-bugs by date

  From Date Subject
Next Message Tomasz Zielonka 2001-08-24 17:24:51 Re: Strange deadlock problem on simple concurrent SELECT/LOCK TABLE transactions
Previous Message Tomasz Zielonka 2001-08-24 16:19:57 Strange deadlock problem on simple concurrent SELECT/LOCK TABLE transactions

Browse pgsql-patches by date

  From Date Subject
Next Message Bruce Momjian 2001-08-24 17:35:28 Re: DROP CONSTRAINT (UNIQUE) preliminary support
Previous Message Bruce Momjian 2001-08-24 16:53:23 Re: insert multiple rows attempt two