Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?

2009-02-20 Thread Kris Jurka

On Wed, 18 Feb 2009, Kris Jurka wrote:

> I have reviewed pljava's handling of misrepresented alignment, length, and by
> value parameters [and it doesn't all work.]

I have fixed pljava to now correctly handle all of these being defined 
incorrectly.  So a trusted language can be used to create type input and 
output functions safely.  I think the restriction that only superusers can 
create types should be reverted.


Kris Jurka

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?

2009-02-18 Thread Thomas Hallgren

Kris Jurka wrote:

> Thomas Hallgren wrote:
>
>> Kris Jurka wrote:
>>
>>> 3) By value: pljava does not correctly handle passed-by-value types,
>>> allowing access to random memory.
>>
>> This is simply not true. There's no way a Java developer can access
>> random memory through PL/Java.
>
> No, the point is that the Java developer can provide some data which
> can convince postgresql to fetch random data for the user.
>
> Consider the attached type which is simply an int4 equivalent.
> Depending on how you define it as passed by value or passed by
> reference it will or will not work (attached).
>
> This looks like it works:
>
> jurka=# select '1'::intbyref, '2'::intbyval;
>  intbyref | intbyval
> ----------+----------
>  1        | 2
> (1 row)
>
> But it doesn't really:
>
> jurka=# create table inttest (a intbyref, b intbyval);
> CREATE TABLE
> jurka=# insert into inttest values ('1', '2');
> INSERT 0 1
> jurka=# select * from inttest;
>  a |     b
> ---+------------
>  1 | 2139062143
> (1 row)

It seems the pointer is confused for the actual value which means that 
writing the value back will corrupt the pointer. That's bad of course 
but I would classify this as a bug rather than a general security problem.

PL/Java is designed to handle all types securely and completely hide 
the concept of 'by value' or 'by reference' from the Java developer 
since such concepts are meaningless in Java.

- thomas



Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?

2009-02-17 Thread Kris Jurka

On Sat, 2 Aug 2008, Tom Lane wrote:

> So what exactly does happen when the user deliberately specifies wrong
> typlen/typbyval/typalign info when creating a type based on PL/Java
> functions?

I have reviewed pljava's handling of misrepresented alignment, length, and 
by value parameters:

1) Alignment: pljava reads and writes data a byte at a time, so all types 
effectively have char alignment.  Reading an integer will read 
four bytes out of memory and then put those together.  Therefore the 
alignment cannot be misspecified.

2) Length: For fixed length types, pljava correctly detects trying to 
read or write too much data and not supplying enough data on write. 
Pljava does not correctly handle variable length types.  It should be 
setting and reading the length header itself rather than leaving that up 
to the user, but it is not.

3) By value: pljava does not correctly handle passed-by-value types, 
allowing access to random memory.

So yes, pljava has a security problem, but I still object to the statement 
that no PL can do this securely.  I will work on fixing pljava, but I 
request that the change for superuser requirement for type creation be 
reverted.  The fact that no PL currently does it correctly is not a reason 
to prohibit a PL from doing it correctly.


Kris Jurka



Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?

2009-02-17 Thread Thomas Hallgren

Kris Jurka wrote:

> 3) By value: pljava does not correctly handle passed-by-value types,
> allowing access to random memory.

This is simply not true. There's no way a Java developer can access 
random memory through PL/Java.

- thomas



Re: [Pljava-dev] [HACKERS] Re: Should creating a new base type require superuser status?

2009-02-17 Thread Kris Jurka

Thomas Hallgren wrote:

> Kris Jurka wrote:
>
>> 3) By value: pljava does not correctly handle passed-by-value types,
>> allowing access to random memory.
>
> This is simply not true. There's no way a Java developer can access
> random memory through PL/Java.

No, the point is that the Java developer can provide some data which can 
convince postgresql to fetch random data for the user.

Consider the attached type which is simply an int4 equivalent. 
Depending on how you define it as passed by value or passed by reference 
it will or will not work (attached).

This looks like it works:

jurka=# select '1'::intbyref, '2'::intbyval;
 intbyref | intbyval
----------+----------
 1        | 2
(1 row)

But it doesn't really:

jurka=# create table inttest (a intbyref, b intbyval);
CREATE TABLE
jurka=# insert into inttest values ('1', '2');
INSERT 0 1
jurka=# select * from inttest;
 a |     b
---+------------
 1 | 2139062143
(1 row)

You can also get:

jurka=# select * from inttest;
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.

Kris Jurka

package types;

import java.io.IOException;
import java.sql.SQLData;
import java.sql.SQLException;
import java.sql.SQLInput;
import java.sql.SQLOutput;
import java.util.logging.Logger;

public class Int implements SQLData
{
	private static Logger s_logger = Logger.getAnonymousLogger();

	private int m_i;
	private String m_typeName;

	public static Int parse(String input, String typeName) throws SQLException
	{
		try
		{
			int i = Integer.parseInt(input);
			return new Int(i, typeName);
		}
		catch(NumberFormatException e)
		{
			throw new SQLException(e.getMessage());
		}
	}

	public Int()
	{
	}

	public Int(int i, String typeName)
	{
		m_i = i;
		m_typeName = typeName;
	}

	public String getSQLTypeName()
	{
		return m_typeName;
	}

	public void readSQL(SQLInput stream, String typeName) throws SQLException
	{
		s_logger.info(typeName + " from SQLInput");
		m_i = stream.readInt();
		m_typeName = typeName;
	}

	public void writeSQL(SQLOutput stream) throws SQLException
	{
		s_logger.info(m_typeName + " to SQLOutput");
		stream.writeInt(m_i);
	}

	public String toString()
	{
		s_logger.info(m_typeName + " toString");
		return Integer.toString(m_i);
	}

}

CREATE TYPE intbyval;

CREATE FUNCTION intbyval_in(cstring)
	RETURNS intbyval
	AS 'UDT[types.Int] input'
	LANGUAGE java IMMUTABLE STRICT;

CREATE FUNCTION intbyval_out(intbyval)
	RETURNS cstring
	AS 'UDT[types.Int] output'
	LANGUAGE java IMMUTABLE STRICT;

CREATE FUNCTION intbyval_recv(internal)
	RETURNS intbyval
	AS 'UDT[types.Int] receive'
	LANGUAGE java IMMUTABLE STRICT;

CREATE FUNCTION intbyval_send(intbyval)
	RETURNS bytea
	AS 'UDT[types.Int] send'
	LANGUAGE java IMMUTABLE STRICT;

CREATE TYPE intbyval (
	internallength = 4,
	input = intbyval_in,
	output = intbyval_out,
	receive = intbyval_recv,
	send = intbyval_send,
	passedbyvalue
	);

CREATE TYPE intbyref;

CREATE FUNCTION intbyref_in(cstring)
	RETURNS intbyref
	AS 'UDT[types.Int] input'
	LANGUAGE java IMMUTABLE STRICT;

CREATE FUNCTION intbyref_out(intbyref)
	RETURNS cstring
	AS 'UDT[types.Int] output'
	LANGUAGE java IMMUTABLE STRICT;

CREATE FUNCTION intbyref_recv(internal)
	RETURNS intbyref
	AS 'UDT[types.Int] receive'
	LANGUAGE java IMMUTABLE STRICT;

CREATE FUNCTION intbyref_send(intbyref)
	RETURNS bytea
	AS 'UDT[types.Int] send'
	LANGUAGE java IMMUTABLE STRICT;

CREATE TYPE intbyref (
	internallength = 4,
	input = intbyref_in,
	output = intbyref_out,
	receive = intbyref_recv,
	send = intbyref_send
	);


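An added example, written for this page and not code from the thread, from PL/Java or from PostgreSQL, modelling Kris's point 3 and the intbyval/intbyref demonstration above in plain C. The executor copies a 4-byte Datum into a tuple according to the catalog flags from CREATE TYPE (internallength = 4, passedbyvalue), while the PL's input function decides what the word it returns actually holds. When the two disagree the stored column is garbage, or the backend dereferences a small integer and dies. The names make_int_datum, store_datum, fetch_datum, roundtrip, stores_correctly and would_crash are this example's own, and malloc stands in for palloc; only the Datum-as-word idea mirrors PostgreSQL.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A Datum is a pointer-sized word (as in PostgreSQL). For a by-value type the
 * word holds the value itself; for a by-reference type it holds a pointer to
 * the value. Nothing in the bits themselves says which one it is. */
typedef uintptr_t Datum;

/* What an int4-equivalent input function returns, given the representation
 * it believes the type has (hypothetical helper, not a PL/Java API). */
static Datum make_int_datum(int32_t value, bool byval)
{
    if (byval)
        return (Datum) (uint32_t) value;        /* value lives in the word */
    int32_t *p = malloc(sizeof *p);             /* stands in for palloc */
    if (p == NULL)
        abort();
    *p = value;
    return (Datum) p;                           /* word holds the address */
}

/* The executor's side: copy 4 bytes into the tuple, trusting the catalog's
 * typbyval flag rather than inspecting the Datum. */
static void store_datum(unsigned char tuple[4], Datum d, bool catalog_byval)
{
    if (catalog_byval) {
        uint32_t v = (uint32_t) d;              /* low 32 bits of the word */
        memcpy(tuple, &v, sizeof v);
    } else {
        memcpy(tuple, (const void *) d, 4);     /* reads through the word */
    }
}

static int32_t fetch_datum(const unsigned char tuple[4])
{
    int32_t v;
    memcpy(&v, tuple, sizeof v);
    return v;
}

/* Round-trip 'value' through a tuple. catalog_byval is what CREATE TYPE
 * declared; pl_byval is what the PL's input function actually produced.
 * Returns false, instead of dereferencing the word, for the one combination
 * that would read from address 'value' (catalog by-reference, PL by-value);
 * in a real backend that memcpy faults and the client sees "server closed
 * the connection unexpectedly". */
bool roundtrip(int32_t value, bool catalog_byval, bool pl_byval, int32_t *out)
{
    if (!catalog_byval && pl_byval)
        return false;

    Datum d = make_int_datum(value, pl_byval);
    unsigned char tuple[4];
    store_datum(tuple, d, catalog_byval);
    if (!pl_byval)
        free((void *) d);
    *out = fetch_datum(tuple);
    return true;
}

/* True when the value survives the round trip unchanged. */
bool stores_correctly(int32_t value, bool catalog_byval, bool pl_byval)
{
    int32_t v;
    return roundtrip(value, catalog_byval, pl_byval, &v) && v == value;
}

/* True for the combination a real backend cannot survive. */
bool would_crash(bool catalog_byval, bool pl_byval)
{
    int32_t v;
    return !roundtrip(2, catalog_byval, pl_byval, &v);
}

int main(void)
{
    const bool flags[2] = { false, true };
    for (int c = 0; c < 2; c++)
        for (int p = 0; p < 2; p++)
            printf("catalog %s, PL %s: %s\n",
                   flags[c] ? "byval" : "byref", flags[p] ? "byval" : "byref",
                   would_crash(flags[c], flags[p]) ? "would crash"
                   : stores_correctly(2, flags[c], flags[p]) ? "2 (correct)"
                   : "garbage");
    return 0;
}
```

The defence is the one Kris describes having made: the PL builds the Datum from the catalog's own typbyval flag (here, calling make_int_datum with catalog_byval rather than with whatever the Java class assumed), so the two sides cannot disagree no matter what the CREATE TYPE statement claimed. Only the diagonal cases (both by-value or both by-reference) pass in this model; the "catalog byval, PL byref" case stores the low bits of a pointer, which is what Thomas describes as the pointer being confused for the value.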