Patch applied.  Thanks.

> I am sorry to keep going back and forth on this, but:
>
> The original patch is correct and does the proper thing.  I should have
> tested this before sounding the alarm.
>
> AccessController.doPrivileged()
>
> Propagates SecurityExceptions without wrapping them in a PrivilegedActionException
> so it appears that there is not the possibility of a ClassCastException.
>
> David Daney.
>
>
> Bruce Momjian wrote:
>
> >OK, patch removed from queue.
> >
> >>It is now unclear to me that the
> >>
> >>catch(PrivilegedActionException pae)
> >>
> >>part of the patch is correct.  If a SecurityException is thrown in
> >>Socket() (as might happen if the policy file did not give the proper
> >>permissions), then it might be converted into a ClassCastException,
> >>which is probably the wrong thing to do.
> >>
> >>Perhaps I should look into this a bit further.
> >>
> >>David Daney.
> >>
> >>
> >>Bruce Momjian wrote:
> >>
> >>>Your patch has been added to the PostgreSQL unapplied patches list at:
> >>>
> >>>    http://candle.pha.pa.us/cgi-bin/pgpatches
> >>>
> >>>I will try to apply it within the next 48 hours.
> >>>
> >>>>David Daney ([EMAIL PROTECTED]) reports a bug with a severity of 3
> >>>>The lower the number the more severe it is.
> >>>>
> >>>>Short Description
> >>>>Another security issue with the JDBC driver.
> >>>>
> >>>>Long Description
> >>>>The JDBC driver requires
> >>>>
> >>>>   permission java.net.SocketPermission "host:port", "connect";
> >>>>
> >>>>in the policy file of the application using the JDBC driver
> >>>>in the postgresql.jar file.  Since the Socket() call in the
> >>>>driver is not protected by AccessController.doPrivileged() this
> >>>>permission must also be granted to the entire application.
> >>>>
> >>>>The attached diff fixes it so that the connect permission can be
> >>>>restricted to just the postgresql.jar codeBase if desired.
> >>>> > >>>>Sample Code > >>>>*** PG_Stream.java.orig Fri Aug 24 09:27:40 2001 > >>>>--- PG_Stream.java Fri Aug 24 09:42:14 2001 > >>>>*************** > >>>>*** 5,10 **** > >>>>--- 5,11 ---- > >>>> import java.net.*; > >>>> import java.util.*; > >>>> import java.sql.*; > >>>>+ import java.security.*; > >>>> import org.postgresql.*; > >>>> import org.postgresql.core.*; > >>>> import org.postgresql.util.*; > >>>>*************** > >>>>*** 27,32 **** > >>>>--- 28,52 ---- > >>>> BytePoolDim1 bytePoolDim1 = new BytePoolDim1(); > >>>> BytePoolDim2 bytePoolDim2 = new BytePoolDim2(); > >>>> > >>>>+ private static class PrivilegedSocket > >>>>+ implements PrivilegedExceptionAction > >>>>+ { > >>>>+ private String host; > >>>>+ private int port; > >>>>+ > >>>>+ PrivilegedSocket(String host, int port) > >>>>+ { > >>>>+ this.host = host; > >>>>+ this.port = port; > >>>>+ } > >>>>+ > >>>>+ public Object run() throws Exception > >>>>+ { > >>>>+ return new Socket(host, port); > >>>>+ } > >>>>+ } > >>>>+ > >>>>+ > >>>> /** > >>>> * Constructor: Connect to the PostgreSQL back end and return > >>>> * a stream connection. > >>>>*************** > >>>>*** 37,43 **** > >>>> */ > >>>> public PG_Stream(String host, int port) throws IOException > >>>> { > >>>>! connection = new Socket(host, port); > >>>> > >>>> // Submitted by Jason Venner <[EMAIL PROTECTED]> adds a 10x speed > >>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack) > >>>>--- 57,69 ---- > >>>> */ > >>>> public PG_Stream(String host, int port) throws IOException > >>>> { > >>>>! PrivilegedSocket ps = new PrivilegedSocket(host, port); > >>>>! try { > >>>>! connection = (Socket)AccessController.doPrivileged(ps); > >>>>! } > >>>>! catch(PrivilegedActionException pae){ > >>>>! throw (IOException)pae.getException(); > >>>>! 
} > >>>> > >>>> // Submitted by Jason Venner <[EMAIL PROTECTED]> adds a 10x speed > >>>> // improvement on FreeBSD machines (caused by a bug in their TCP Stack)
> >>>>
> >>>>
> >>>>No file was uploaded with this report
> >>>>
> >>>>
> >>>>---------------------------(end of broadcast)---------------------------
> >>>>TIP 5: Have you checked our extensive FAQ?
> >>>>
> >>>>http://www.postgresql.org/users-lounge/docs/faq.html
> >>>>
> >>
> >

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]                    |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
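
Review bot: in the hunk that adds the PrivilegedSocket class, run() is declared `throws Exception` although its only statement, `new Socket(host, port)`, can throw no checked exception other than IOException. Declaring `public Object run() throws IOException` would make the `(IOException)pae.getException()` cast in the constructor hunk safe by construction instead of by inspection, and would keep it safe if the body of run() grows later. The host and port fields are assigned once in the constructor and could be final.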
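
Review bot: in the last hunk, the public constructor PG_Stream(String host, int port) hands its caller-supplied host and port straight to AccessController.doPrivileged(), so any code able to call this constructor connects under the SocketPermission granted to postgresql.jar rather than its own. That is the intent of the change, but it deserves a comment above the try block and a note in the documentation that the jar's policy grant should name the specific database host:port rather than a wildcard, since the grant is now the only check on where the driver will connect.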
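
The propagation behaviour that settles the thread above, as an added example that is not part of the patch or of the PostgreSQL driver: unchecked exceptions such as SecurityException leave doPrivileged() unwrapped, while checked exceptions thrown by run() arrive inside a PrivilegedActionException. The class and method names are hypothetical, the thrown exceptions are constructed for the demonstration, and the code uses lambdas and generics that the 2001 patch could not.

```java
import java.io.IOException;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Added example; names are hypothetical and not taken from the driver.
// AccessController is deprecated for removal since Java 17 but still compiles and runs.
@SuppressWarnings("removal")
public class DoPrivilegedPropagation {

    // Runs the action and reports how a failure reaches the caller.
    static String classify(PrivilegedExceptionAction<Object> action) {
        try {
            AccessController.doPrivileged(action);
            return "completed";
        } catch (PrivilegedActionException pae) {
            // Only checked exceptions thrown by run() are wrapped and land here.
            return "wrapped " + pae.getException().getClass().getSimpleName();
        } catch (RuntimeException re) {
            // SecurityException is unchecked, so it is never wrapped.
            return "unwrapped " + re.getClass().getSimpleName();
        }
    }

    // Defensive alternative to a blind (IOException) cast: pass IOExceptions
    // through and chain anything else, so no ClassCastException is possible.
    static IOException toIOException(PrivilegedActionException pae) {
        Exception cause = pae.getException();
        if (cause instanceof IOException) {
            return (IOException) cause;
        }
        IOException ioe = new IOException("unexpected failure in privileged action");
        ioe.initCause(cause);
        return ioe;
    }

    public static void main(String[] args) {
        // Constructed failures standing in for what new Socket(host, port) can raise.
        System.out.println(classify(() -> { throw new SecurityException("constructed: connect denied"); }));
        System.out.println(classify(() -> { throw new UnknownHostException("constructed.invalid"); }));
        System.out.println(classify(() -> { throw new IOException("constructed: connection refused"); }));

        // A checked exception that is not an IOException is chained, not cast.
        PrivilegedActionException odd = new PrivilegedActionException(new Exception("constructed"));
        System.out.println(toIOException(odd).getCause().getMessage());
    }
}
```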