Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?
On Wed, 18 Feb 2009, Kris Jurka wrote: I have reviewed pljava's handling of misrepresented alignment, length, and by value parameters [and it doesn't all work.] I have fixed pljava to now correctly handle all of these being defined incorrectly. So a trusted language can be used to create type input and output functions safely. I think the restriction that only superusers can create types should be reverted. Kris Jurka -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?
Kris Jurka wrote: Thomas Hallgren wrote: Kris Jurka wrote: 3) By value: pljava does not correctly handle passed by value types correctly, allowing access to random memory. This is simply not true. There's no way a Java developer can access random memory through PL/Java. No, the point is that the Java developer can provide some data which can convince postgresql to fetch random data for the user. Consider the attached type which is simply an int4 equivalent. Depending on how you define it as passed by value or passed by reference it will or will not work (attached). This looks like it works: jurka=# select '1'::intbyref, '2'::intbyval; intbyref | intbyval --+-- 1| 2 (1 row) But it doesn't really: jurka=# create table inttest (a intbyref, b intbyval); CREATE TABLE jurka=# insert into inttest values ('1', '2'); INSERT 0 1 jurka=# select * from inttest; a | b ---+ 1 | 2139062143 (1 row) It seems the pointer is confused for the actual value which means that writing the value back will corrupt the pointer. That's bad of course but I would classify this as a bug rather then a general security problem. PL/Java is designed to do handle all types securely and completely hide the concept of 'by value' or 'by reference' from the Java developer since such concepts are meaningless in Java. - thomas -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?
On Sat, 2 Aug 2008, Tom Lane wrote: So what exactly does happen when the user deliberately specifies wrong typlen/typbyval/typalign info when creating a type based on PL/Java functions? I have reviewed pljava's handling of misrepresented alignment, length, and by value parameters 1) Alignment: pljava reads and writes data a byte at a time, so all types effectively have char alignment. Reading an integer will read four bytes out of memory and then put those together. Therefore the alignment cannot be misspecified. 2) Length: For fixed length types, pljava correctly detects trying to read or write too much data and not supplying enough data on write. Pljava does not correctly handle variable length types. It should be setting and reading the length header itself rather than leaving that up to the user, but it is not. 3) By value: pljava does not correctly handle passed by value types correctly, allowing access to random memory. So yes, pljava has a security problem, but I still object to the statement that no PL can do this securely. I will work on fixing pljava, but I request the change for superuser requirement for type creation be reverted. The fact that no PL currently does it correctly is not a reason to prohibit a PL from doing it correctly. Kris Jurka -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?
Kris Jurka wrote: 3) By value: pljava does not correctly handle passed by value types correctly, allowing access to random memory. This is simply not true. There's no way a Java developer can access random memory through PL/Java. - thomas -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?
Thomas Hallgren wrote: Kris Jurka wrote: 3) By value: pljava does not correctly handle passed by value types correctly, allowing access to random memory. This is simply not true. There's no way a Java developer can access random memory through PL/Java. No, the point is that the Java developer can provide some data which can convince postgresql to fetch random data for the user. Consider the attached type which is simply an int4 equivalent. Depending on how you define it as passed by value or passed by reference it will or will not work (attached). This looks like it works: jurka=# select '1'::intbyref, '2'::intbyval; intbyref | intbyval --+-- 1| 2 (1 row) But it doesn't really: jurka=# create table inttest (a intbyref, b intbyval); CREATE TABLE jurka=# insert into inttest values ('1', '2'); INSERT 0 1 jurka=# select * from inttest; a | b ---+ 1 | 2139062143 (1 row) You can also get: jurka=# select * from inttest; server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request. Kris Jurka package types; import java.io.IOException; import java.sql.SQLData; import java.sql.SQLException; import java.sql.SQLInput; import java.sql.SQLOutput; import java.util.logging.Logger; public class Int implements SQLData { private static Logger s_logger = Logger.getAnonymousLogger(); private int m_i; private String m_typeName; public static Int parse(String input, String typeName) throws SQLException { try { int i = Integer.parseInt(input); return new Int(i, typeName); } catch(NumberFormatException e) { throw new SQLException(e.getMessage()); } } public Int() { } public Int(int i, String typeName) { m_i = i; m_typeName = typeName; } public String getSQLTypeName() { return m_typeName; } public void readSQL(SQLInput stream, String typeName) throws SQLException { s_logger.info(typeName + from SQLInput); m_i = stream.readInt(); m_typeName = typeName; } public void writeSQL(SQLOutput stream) throws SQLException { s_logger.info(m_typeName + to SQLOutput); stream.writeInt(m_i); } public String toString() { s_logger.info(m_typeName + toString); return Integer.toString(m_i); } } CREATE TYPE intbyval; CREATE FUNCTION intbyval_in(cstring) RETURNS intbyval AS 'UDT[types.Int] input' LANGUAGE java IMMUTABLE STRICT; CREATE FUNCTION intbyval_out(intbyval) RETURNS cstring AS 'UDT[types.Int] output' LANGUAGE java IMMUTABLE STRICT; CREATE FUNCTION intbyval_recv(internal) RETURNS intbyval AS 'UDT[types.Int] receive' LANGUAGE java IMMUTABLE STRICT; CREATE FUNCTION intbyval_send(intbyval) RETURNS bytea AS 'UDT[types.Int] send' LANGUAGE java IMMUTABLE STRICT; CREATE TYPE intbyval ( internallength = 4, input = intbyval_in, output = intbyval_out, receive = intbyval_recv, send = intbyval_send, passedbyvalue ); CREATE TYPE intbyref; CREATE FUNCTION intbyref_in(cstring) RETURNS intbyref AS 'UDT[types.Int] input' LANGUAGE java IMMUTABLE STRICT; CREATE FUNCTION intbyref_out(intbyref) RETURNS cstring AS 'UDT[types.Int] output' LANGUAGE java IMMUTABLE STRICT; CREATE FUNCTION intbyref_recv(internal) RETURNS intbyref AS 'UDT[types.Int] receive' LANGUAGE java IMMUTABLE STRICT; CREATE FUNCTION intbyref_send(intbyref) RETURNS bytea AS 'UDT[types.Int] send' LANGUAGE java IMMUTABLE STRICT; CREATE TYPE intbyref ( internallength = 4, input = intbyref_in, output = intbyref_out, receive = intbyref_recv, send = intbyref_send ); -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers