Your patch has been added to the PostgreSQL unapplied patches list at:
http://candle.pha.pa.us/cgi-bin/pgpatches
I will try to apply it within the next 48 hours.
> David Daney ([EMAIL PROTECTED]) reports a bug with a severity of 3
> The lower the number the more severe it is.
>
> Short Description
> JDBC driver security issue.
>
> Long Description
> The JDBC driver requires
>
> permission java.lang.RuntimePermission "shutdownHooks";
>
> in the policy file in order to function. However, the driver does not protect the
> shutdown hooks call in an AccessController.doPrivileged() call, so these permissions
> must be granted to all code, not just the postgres JDBC driver.
>
>
> Sample Code
> Here is a diff that fixes the problem.
>
> *** ConnectionHook.java.orig Mon Mar 5 01:17:43 2001
> --- ConnectionHook.java Thu Aug 23 16:51:49 2001
> ***************
> *** 1,6 ****
> --- 1,9 ----
> package org.postgresql.core;
>
> import java.sql.SQLException;
> + import java.security.AccessController;
> + import java.security.PrivilegedAction;
> +
> import java.util.ArrayList;
> import java.util.Iterator;
> import org.postgresql.Connection;
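Review bot: style point on the import block: the added blank line after the two java.security imports splits the java.* imports into two groups, with java.sql.SQLException above it and java.util.ArrayList below it. Dropping that blank "+" line keeps the import list contiguous, as it was before the change. Both new imports are used by the constructor change in the next hunk, so nothing else is needed here.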
> ***************
> *** 51,57 ****
> */
> private ConnectionHook() {
> super();
> ! Runtime.getRuntime().addShutdownHook(new Thread(this));
> }
>
> /**
> --- 54,65 ----
> */
> private ConnectionHook() {
> super();
> ! AccessController.doPrivileged(new PrivilegedAction() {
> ! public Object run() {
> ! Runtime.getRuntime().addShutdownHook(new Thread(ConnectionHook.this));
> ! return null; // nothing to return
> ! }
> ! });
> }
>
> /**
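Review bot: the doPrivileged block added to the private ConnectionHook() constructor carries no comment saying which permission it asserts or why. A short comment above `AccessController.doPrivileged(new PrivilegedAction() {` naming java.lang.RuntimePermission "shutdownHooks" would tell later readers that the policy grant is meant to go to the driver's code only, as the report describes. The block is limited to the single addShutdownHook call on ConnectionHook.this and takes no caller-supplied values; it should stay that narrow, because everything inside run() is checked against the driver's permissions rather than the caller's. Runtime.addShutdownHook still throws SecurityException out of the constructor when the driver itself has not been granted the permission, so the driver documentation should state the grant it needs.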
>
>
> No file was uploaded with this report
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
>
--
Bruce Momjian | http://candle.pha.pa.us
[EMAIL PROTECTED] | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026