Bug #424: JDBC driver security issue.

From pgsql-bugs@postgresql.org
Subject Bug #424: JDBC driver security issue.
Date
Msg-id 200108240017.f7O0Hp842565@hub.org
Responses Re: Bug #424: JDBC driver security issue.  (Bruce Momjian <pgman@candle.pha.pa.us>)
Re: Bug #424: JDBC driver security issue.  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-bugs

David Daney (David.Daney@avtrex.com) reports a bug with a severity of 3
The lower the number the more severe it is.

Short Description
JDBC driver security issue.

Long Description
The JDBC driver requires

   permission java.lang.RuntimePermission "shutdownHooks";

in the policy file in order to function.  However, the driver does not protect the shutdown hooks call in an
AccessController.doPrivileged() call, so these permissions must be granted to all code, not just the postgres JDBC
driver.


Sample Code
Here is a diff that fixes the problem.

*** ConnectionHook.java.orig    Mon Mar  5 01:17:43 2001
--- ConnectionHook.java    Thu Aug 23 16:51:49 2001
***************
*** 1,6 ****
--- 1,9 ----
  package org.postgresql.core;

  import java.sql.SQLException;
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
+
  import java.util.ArrayList;
  import java.util.Iterator;
  import org.postgresql.Connection;
***************
*** 51,57 ****
     */
    private ConnectionHook() {
      super();
!     Runtime.getRuntime().addShutdownHook(new Thread(this));
    }

    /**
--- 54,65 ----
     */
    private ConnectionHook() {
      super();
!     AccessController.doPrivileged(new PrivilegedAction() {
!           public Object run() {
!              Runtime.getRuntime().addShutdownHook(new Thread(ConnectionHook.this));
!              return null; // nothing to return
!           }
!        });
    }

    /**
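
Review bot: In the new constructor body, `addShutdownHook` can still throw a SecurityException when the driver's own code source has not been granted RuntimePermission "shutdownHooks", and neither the `run()` method nor the constructor handles it, so creating a ConnectionHook fails outright under a restrictive policy. Consider catching SecurityException around the `AccessController.doPrivileged(...)` call and continuing without the hook, or at minimum add a comment above the call stating which grant the driver jar needs and why the privileged block exists. The block is suitably narrow as written: it only registers `new Thread(ConnectionHook.this)` and uses no caller-supplied input, and it should stay that way. Passing `ConnectionHook.this` to a new Thread from inside the constructor also publishes the object before construction has finished; that is carried over from the replaced line, but it deserves a comment.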


No file was uploaded with this report
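
The policy-file consequence of the change described in the report, as an added illustration that is not part of the original message or of the PostgreSQL JDBC project: the broad grant the unpatched driver forces, next to the grant that suffices once the call is wrapped in `AccessController.doPrivileged()`. Both codeBase URLs are constructed placeholders.

```text
// Java policy file (java.policy syntax). Constructed example: both codeBase
// URLs below are placeholders, not paths taken from the report.

// BEFORE the patch: ConnectionHook calls Runtime.addShutdownHook() directly.
// The permission check walks the whole call stack, so every protection
// domain on it (application classes included) must hold the permission.
// In practice that forces a grant with no codeBase, which applies to all
// code loaded by the JVM:
//
// grant {
//     permission java.lang.RuntimePermission "shutdownHooks";
// };

// AFTER the patch: the call sits inside AccessController.doPrivileged(),
// so the stack walk stops at the driver's frame and only the driver's
// protection domain is consulted. The grant can be scoped to the driver jar:
grant codeBase "file:/opt/app/lib/postgresql.jar" {
    permission java.lang.RuntimePermission "shutdownHooks";
};

// Application code no longer needs the shutdownHooks permission.
grant codeBase "file:/opt/app/classes/-" {
    // application-specific permissions only
};
```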
