We have removed ConnectionHook.java from the 7.2 release. It was considered an ill-advised feature. > David Daney ([EMAIL PROTECTED]) reports a bug with a severity of 3 > The lower the number the more severe it is. > > Short Description > JDBC driver security issue. > > Long Description > The JDBC driver requires > > permission java.lang.RuntimePermission "shutdownHooks"; > > in the policy file in order to function. However the driver does not protect the >shutdown hooks call in an AccessController.doPrivileged() call, so these permissions >must be granted to all code not just the postgres JDBC driver. > > > Sample Code > Here is a diff that fixes the problem. > > *** ConnectionHook.java.orig Mon Mar 5 01:17:43 2001 > --- ConnectionHook.java Thu Aug 23 16:51:49 2001 > *************** > *** 1,6 **** > --- 1,9 ---- > package org.postgresql.core; > > import java.sql.SQLException; > + import java.security.AccessController; > + import java.security.PrivilegedAction; > + > import java.util.ArrayList; > import java.util.Iterator; > import org.postgresql.Connection; > *************** > *** 51,57 **** > */ > private ConnectionHook() { > super(); > ! Runtime.getRuntime().addShutdownHook(new Thread(this)); > } > > /** > --- 54,65 ---- > */ > private ConnectionHook() { > super(); > ! AccessController.doPrivileged(new PrivilegedAction() { > ! public Object run() { > ! Runtime.getRuntime().addShutdownHook(new Thread(ConnectionHook.this)); > ! return null; // nothing to return > ! } > ! }); > } > > /** > > > No file was uploaded with this report > > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED] > -- Bruce Momjian | http://candle.pha.pa.us [EMAIL PROTECTED] | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. 
| Drexel Hill, Pennsylvania 19026
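Review bot: in the second hunk, the new AccessController.doPrivileged() block in the private ConnectionHook() constructor carries no comment saying why it is safe to assert the driver's privilege there, and the patch does not tell users that the policy file can change. The block is suitably narrow: it wraps only the Runtime.getRuntime().addShutdownHook(...) call and passes no caller-supplied value, so state that in a comment above it. Also document that the grant of permission java.lang.RuntimePermission "shutdownHooks"; can now be limited to the driver's own code base instead of all code, which is the point of the fix. Because any caller that reaches this constructor now registers the hook under the driver's permissions, confirm as well that the ConnectionHook run() method, which this diff does not show, executes only driver code at shutdown.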