Re: Bug #428: Another security issue with the JDBC driver.

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: David Daney <ddaney(at)avtrex(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org, PostgreSQL jdbc list <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Bug #428: Another security issue with the JDBC driver.
Date: 2001-08-24 21:31:33
Message-ID: 200108242131.f7OLVXs04632@candle.pha.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs pgsql-jdbc pgsql-patches


OK, re-added.

> I am sorry to keep going back and forth on this, but:
>
> The original patch is correct and does the proper thing. I should have
> tested this before sounding the alarm.
>
> AccessController.doPrivileged()
>
> Propagates SecurityExceptions without wrapping them in a PrivilegedActionException so it appears that there is not the possibility of a ClassCastException.
>
> David Daney.
>
>
> Bruce Momjian wrote:
>
> >OK, patch removed from queue.
> >
> >>It is now unclear to me the the
> >>
> >>catch(PrivilegedActionException pae)
> >>
> >>part of the patch is correct. If a SecurityException is thrown in
> >>Socket() (as might happen if the policy file did not give the proper
> >>permissions), then it might be converted into a ClassCastException,
> >>which is probably the wrong thing to do.
> >>
> >>Perhaps I should look into this a bit further.
> >>
> >>David Daney.
> >>
> >>
> >>Bruce Momjian wrote:
> >>
> >>>Your patch has been added to the PostgreSQL unapplied patches list at:
> >>>
> >>> http://candle.pha.pa.us/cgi-bin/pgpatches
> >>>
> >>>I will try to apply it within the next 48 hours.
> >>>
> >>>>David Daney (David(dot)Daney(at)avtrex(dot)com) reports a bug with a severity of 3
> >>>>The lower the number the more severe it is.
> >>>>
> >>>>Short Description
> >>>>Another security issue with the JDBC driver.
> >>>>
> >>>>Long Description
> >>>>The JDBC driver requires
> >>>>
> >>>> permission java.net.SocketPermission "host:port", "connect";
> >>>>
> >>>>in the policy file of the application using the JDBC driver
> >>>>in the postgresql.jar file. Since the Socket() call in the
> >>>>driver is not protected by AccessController.doPrivileged() this
> >>>>permission must also be granted to the entire application.
> >>>>
> >>>>The attached diff fixes it so that the connect permission can be
> >>>>restricted just the the postgresql.jar codeBase if desired.
> >>>>
> >>>>Sample Code
> >>>>*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001
> >>>>--- PG_Stream.java Fri Aug 24 09:42:14 2001
> >>>>***************
> >>>>*** 5,10 ****
> >>>>--- 5,11 ----
> >>>> import java.net.*;
> >>>> import java.util.*;
> >>>> import java.sql.*;
> >>>>+ import java.security.*;
> >>>> import org.postgresql.*;
> >>>> import org.postgresql.core.*;
> >>>> import org.postgresql.util.*;
> >>>>***************
> >>>>*** 27,32 ****
> >>>>--- 28,52 ----
> >>>> BytePoolDim1 bytePoolDim1 = new BytePoolDim1();
> >>>> BytePoolDim2 bytePoolDim2 = new BytePoolDim2();
> >>>>
> >>>>+ private static class PrivilegedSocket
> >>>>+ implements PrivilegedExceptionAction
> >>>>+ {
> >>>>+ private String host;
> >>>>+ private int port;
> >>>>+
> >>>>+ PrivilegedSocket(String host, int port)
> >>>>+ {
> >>>>+ this.host = host;
> >>>>+ this.port = port;
> >>>>+ }
> >>>>+
> >>>>+ public Object run() throws Exception
> >>>>+ {
> >>>>+ return new Socket(host, port);
> >>>>+ }
> >>>>+ }
> >>>>+
> >>>>+
> >>>> /**
> >>>> * Constructor: Connect to the PostgreSQL back end and return
> >>>> * a stream connection.
> >>>>***************
> >>>>*** 37,43 ****
> >>>> */
> >>>> public PG_Stream(String host, int port) throws IOException
> >>>> {
> >>>>! connection = new Socket(host, port);
> >>>>
> >>>> // Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
> >>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
> >>>>--- 57,69 ----
> >>>> */
> >>>> public PG_Stream(String host, int port) throws IOException
> >>>> {
> >>>>! PrivilegedSocket ps = new PrivilegedSocket(host, port);
> >>>>! try {
> >>>>! connection = (Socket)AccessController.doPrivileged(ps);
> >>>>! }
> >>>>! catch(PrivilegedActionException pae){
> >>>>! throw (IOException)pae.getException();
> >>>>! }
> >>>>
> >>>> // Submitted by Jason Venner <jason(at)idiom(dot)com> adds a 10x speed
> >>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
> >>>>
> >>>>
> >>>>No file was uploaded with this report
> >>>>
> >>>>
> >>>>---------------------------(end of broadcast)---------------------------
> >>>>TIP 5: Have you checked our extensive FAQ?
> >>>>
> >>>>http://www.postgresql.org/users-lounge/docs/faq.html
> >>>>
> >>
> >
>
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

In response to

Browse pgsql-bugs by date

  From Date Subject
Next Message Peter Eisentraut 2001-08-24 22:22:00 Re: timestamps cannot be created without time zones
Previous Message David Daney 2001-08-24 21:25:44 Re: [BUGS] Bug #428: Another security issue with the JDBC driver.

Browse pgsql-jdbc by date

  From Date Subject
Next Message Rene Pijlman 2001-08-24 22:02:02 Re: JDBC changes for 7.2... some questions...
Previous Message David Daney 2001-08-24 21:25:44 Re: [BUGS] Bug #428: Another security issue with the JDBC driver.

Browse pgsql-patches by date

  From Date Subject
Next Message Tatsuo Ishii 2001-08-24 23:27:18 Re: Re: [PATCHES] encoding names
Previous Message David Daney 2001-08-24 21:25:44 Re: [BUGS] Bug #428: Another security issue with the JDBC driver.