Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
home:dirkmueller:acdc:as_python3_module
postgresql-jdbc.26193
CVE-2022-26520.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2022-26520.patch of Package postgresql-jdbc.26193
From f6d47034a4ce292e1a659fa00963f6f713117064 Mon Sep 17 00:00:00 2001 From: Sehrope Sarkuni <sehrope@jackdb.com> Date: Tue, 15 Feb 2022 09:51:56 -0500 Subject: [PATCH] Merge pull request from GHSA-673j-qm5f-xpv8 Removes loggerFile and loggerLevel properties and defers to java.util.logging to configure all logging in the driver. Users that previously specifyied custom logging via those connection properties should change their applications to instead configure via a java.util.logging properties file or system properties. The properties and enum values are now deprecated and may be removed in a future driver version. Co-authored-by: Dave Cramer <davecramer@gmail.com> --- README.md | 7 +- docs/documentation/head/connect.md | 12 +-- .../src/main/java/org/postgresql/Driver.java | 74 +----------------- .../main/java/org/postgresql/PGProperty.java | 22 +----- .../postgresql/ds/common/BaseDataSource.java | 20 +++-- .../org/postgresql/test/jdbc2/DriverTest.java | 67 ---------------- .../postgresql/test/jdbc2/PGPropertyTest.java | 10 --- .../postgresql/test/jdbc4/Jdbc4TestSuite.java | 1 - .../org/postgresql/test/jdbc4/LogTest.java | 78 ------------------- 9 files changed, 28 insertions(+), 263 deletions(-) delete mode 100644 pgjdbc/src/test/java/org/postgresql/test/jdbc4/LogTest.java Index: postgresql-42.2.25-jdbc-src/README.md =================================================================== --- postgresql-42.2.25-jdbc-src.orig/README.md +++ postgresql-42.2.25-jdbc-src/README.md @@ -103,6 +103,11 @@ where: * **database** (Optional) is the database name. Defaults to the same name as the *user name* used in the connection. * **propertyX** (Optional) is one or more option connection properties. For more information see *Connection properties*. +### Logging +PgJDBC uses java.util.logging for logging. +To configure log levels and control log output destination (e.g. file or console), configure your java.util.logging properties accordingly for the org.postgresql logger. +Note that the most detailed log levels, "`FINEST`", may include sensitive information such as connection details, query SQL, or command parameters. + #### Connection Properties In addition to the standard connection parameters the driver supports a number of additional properties which can be used to specify additional driver behaviour specific to PostgreSQLâ„¢. These properties may be specified in either the connection URL or an additional Properties object parameter to DriverManager.getConnection. @@ -123,8 +128,6 @@ In addition to the standard connection p | sslpassword | String | null | The password for the client's ssl key (ignored if sslpasswordcallback is set) | | sendBufferSize | Integer | -1 | Socket write buffer size | | receiveBufferSize | Integer | -1 | Socket read buffer size | -| loggerLevel | String | null | Logger level of the driver using java.util.logging. Allowed values: OFF, DEBUG or TRACE. | -| loggerFile | String | null | File name output of the Logger, if set, the Logger will use a FileHandler to write to a specified file. If the parameter is not set or the file can't be created the ConsoleHandler will be used instead. | | logServerErrorDetail | Boolean | true | Allows server error detail (such as sql statements and values) to be logged and passed on in exceptions. Setting to false will mask these errors so they won't be exposed to users, or logs. | | allowEncodingChanges | Boolean | false | Allow for changes in client_encoding | | logUnclosedConnections | Boolean | false | When connections that are not explicitly closed are garbage collected, log the stacktrace from the opening of the connection to trace the leak source | Index: postgresql-42.2.25-jdbc-src/src/main/java/org/postgresql/Driver.java =================================================================== --- postgresql-42.2.25-jdbc-src.orig/src/main/java/org/postgresql/Driver.java +++ postgresql-42.2.25-jdbc-src/src/main/java/org/postgresql/Driver.java @@ -9,10 +9,8 @@ import static org.postgresql.util.intern import org.postgresql.jdbc.PgConnection; import org.postgresql.util.DriverInfo; -import org.postgresql.util.ExpressionProperties; import org.postgresql.util.GT; import org.postgresql.util.HostSpec; -import org.postgresql.util.LogWriterHandler; import org.postgresql.util.PSQLException; import org.postgresql.util.PSQLState; import org.postgresql.util.SharedTimer; @@ -36,11 +34,8 @@ import java.util.Enumeration; import java.util.Properties; import java.util.Set; import java.util.concurrent.TimeUnit; -import java.util.logging.Formatter; import java.util.logging.Level; import java.util.logging.Logger; -import java.util.logging.SimpleFormatter; -import java.util.logging.StreamHandler; /** * <p>The Java SQL framework allows for multiple database drivers. Each driver should supply a class @@ -246,8 +241,6 @@ public class Driver implements java.sql. return null; } try { - // Setup java.util.logging.Logger using connection properties. - setupLoggerFromProperties(props); LOGGER.log(Level.FINE, "Connecting with URL: {0}", url); @@ -288,73 +281,13 @@ public class Driver implements java.sql. } } - // Used to check if the handler file is the same - private static /* @Nullable */ String loggerHandlerFile; - /** - * <p>Setup java.util.logging.Logger using connection properties.</p> - * - * <p>See {@link PGProperty#LOGGER_FILE} and {@link PGProperty#LOGGER_FILE}</p> - * + * this is an empty method left here for graalvm + * we removed the ability to setup the logger from properties + * due to a security issue * @param props Connection Properties */ private void setupLoggerFromProperties(final Properties props) { - final String driverLogLevel = PGProperty.LOGGER_LEVEL.get(props); - if (driverLogLevel == null) { - return; // Don't mess with Logger if not set - } - if ("OFF".equalsIgnoreCase(driverLogLevel)) { - PARENT_LOGGER.setLevel(Level.OFF); - return; // Don't mess with Logger if set to OFF - } else if ("DEBUG".equalsIgnoreCase(driverLogLevel)) { - PARENT_LOGGER.setLevel(Level.FINE); - } else if ("TRACE".equalsIgnoreCase(driverLogLevel)) { - PARENT_LOGGER.setLevel(Level.FINEST); - } - - ExpressionProperties exprProps = new ExpressionProperties(props, System.getProperties()); - final String driverLogFile = PGProperty.LOGGER_FILE.get(exprProps); - if (driverLogFile != null && driverLogFile.equals(loggerHandlerFile)) { - return; // Same file output, do nothing. - } - - for (java.util.logging.Handler handlers : PARENT_LOGGER.getHandlers()) { - // Remove previously set Handlers - handlers.close(); - PARENT_LOGGER.removeHandler(handlers); - loggerHandlerFile = null; - } - - java.util.logging.Handler handler = null; - if (driverLogFile != null) { - try { - handler = new java.util.logging.FileHandler(driverLogFile); - loggerHandlerFile = driverLogFile; - } catch (Exception ex) { - System.err.println("Cannot enable FileHandler, fallback to ConsoleHandler."); - } - } - - Formatter formatter = new SimpleFormatter(); - - if ( handler == null ) { - if (DriverManager.getLogWriter() != null) { - handler = new LogWriterHandler(DriverManager.getLogWriter()); - } else if ( DriverManager.getLogStream() != null) { - handler = new StreamHandler(DriverManager.getLogStream(), formatter); - } else { - handler = new StreamHandler(System.err, formatter); - } - } else { - handler.setFormatter(formatter); - } - - Level loggerLevel = PARENT_LOGGER.getLevel(); - if (loggerLevel != null) { - handler.setLevel(loggerLevel); - } - PARENT_LOGGER.setUseParentHandlers(false); - PARENT_LOGGER.addHandler(handler); } /** Index: postgresql-42.2.25-jdbc-src/src/main/java/org/postgresql/PGProperty.java =================================================================== --- postgresql-42.2.25-jdbc-src.orig/src/main/java/org/postgresql/PGProperty.java +++ postgresql-42.2.25-jdbc-src/src/main/java/org/postgresql/PGProperty.java @@ -252,11 +252,8 @@ public enum PGProperty { "If disabled hosts are connected in the given order. If enabled hosts are chosen randomly from the set of suitable candidates"), /** - * <p>File name output of the Logger, if set, the Logger will use a - * {@link java.util.logging.FileHandler} to write to a specified file. If the parameter is not set - * or the file can't be created the {@link java.util.logging.ConsoleHandler} will be used instead.</p> - * - * <p>Parameter should be use together with {@link PGProperty#LOGGER_LEVEL}</p> + * This property is no longer used by the driver and will be ignored. + * Logging is configured via java.util.logging. */ LOGGER_FILE( "loggerFile", @@ -264,19 +261,8 @@ public enum PGProperty { "File name output of the Logger"), /** - * <p>Logger level of the driver. Allowed values: {@code OFF}, {@code DEBUG} or {@code TRACE}.</p> - * - * <p>This enable the {@link java.util.logging.Logger} of the driver based on the following mapping - * of levels:</p> - * <ul> - * <li>FINE -> DEBUG</li> - * <li>FINEST -> TRACE</li> - * </ul> - * - * <p><b>NOTE:</b> The recommended approach to enable java.util.logging is using a - * {@code logging.properties} configuration file with the property - * {@code -Djava.util.logging.config.file=myfile} or if your are using an application server - * you should use the appropriate logging subsystem.</p> + * This property is no longer used by the driver and will be ignored. + * Logging is configured via java.util.logging. */ LOGGER_LEVEL( "loggerLevel", Index: postgresql-42.2.25-jdbc-src/src/main/java/org/postgresql/ds/common/BaseDataSource.java =================================================================== --- postgresql-42.2.25-jdbc-src.orig/src/main/java/org/postgresql/ds/common/BaseDataSource.java +++ postgresql-42.2.25-jdbc-src/src/main/java/org/postgresql/ds/common/BaseDataSource.java @@ -1176,34 +1176,38 @@ public abstract class BaseDataSource imp } /** - * @return Logger Level of the JDBC Driver - * @see PGProperty#LOGGER_LEVEL + * This property is no longer used by the driver and will be ignored. + * @deprecated Configure via java.util.logging */ + @Deprecated public /* @Nullable */ String getLoggerLevel() { return PGProperty.LOGGER_LEVEL.get(properties); } /** - * @param loggerLevel of the JDBC Driver - * @see PGProperty#LOGGER_LEVEL + * This property is no longer used by the driver and will be ignored. + * @deprecated Configure via java.util.logging */ + @Deprecated public void setLoggerLevel(/* @Nullable */ String loggerLevel) { PGProperty.LOGGER_LEVEL.set(properties, loggerLevel); } /** - * @return File output of the Logger. - * @see PGProperty#LOGGER_FILE + * This property is no longer used by the driver and will be ignored. + * @deprecated Configure via java.util.logging */ + @Deprecated public /* @Nullable */ String getLoggerFile() { ExpressionProperties exprProps = new ExpressionProperties(properties, System.getProperties()); return PGProperty.LOGGER_FILE.get(exprProps); } /** - * @param loggerFile File output of the Logger. - * @see PGProperty#LOGGER_LEVEL + * This property is no longer used by the driver and will be ignored. + * @deprecated Configure via java.util.logging */ + @Deprecated public void setLoggerFile(/* @Nullable */ String loggerFile) { PGProperty.LOGGER_FILE.set(properties, loggerFile); } Index: postgresql-42.2.25-jdbc-src/src/test/java/org/postgresql/test/jdbc2/DriverTest.java =================================================================== --- postgresql-42.2.25-jdbc-src.orig/src/test/java/org/postgresql/test/jdbc2/DriverTest.java +++ postgresql-42.2.25-jdbc-src/src/test/java/org/postgresql/test/jdbc2/DriverTest.java @@ -15,13 +15,10 @@ import static org.junit.Assert.fail; import org.postgresql.Driver; import org.postgresql.PGProperty; import org.postgresql.test.TestUtil; -import org.postgresql.util.LogWriterHandler; -import org.postgresql.util.NullOutputStream; import org.postgresql.util.URLCoder; import org.junit.Test; -import java.io.PrintWriter; import java.lang.reflect.Method; import java.sql.Connection; import java.sql.DriverManager; @@ -29,8 +26,6 @@ import java.sql.SQLException; import java.util.ArrayList; import java.util.Collections; import java.util.Properties; -import java.util.logging.Handler; -import java.util.logging.Logger; /* * Tests the dynamically created class org.postgresql.Driver @@ -213,68 +208,6 @@ public class DriverTest { fail("Driver has not been found in DriverManager's list but it should be registered"); } - @Test - public void testSetLogWriter() throws Exception { - - // this is a dummy to make sure TestUtil is initialized - Connection con = DriverManager.getConnection(TestUtil.getURL(), TestUtil.getUser(), TestUtil.getPassword()); - con.close(); - String loggerLevel = System.getProperty("loggerLevel"); - String loggerFile = System.getProperty("loggerFile"); - - PrintWriter prevLog = DriverManager.getLogWriter(); - try { - PrintWriter printWriter = new PrintWriter(new NullOutputStream(System.err)); - DriverManager.setLogWriter(printWriter); - assertEquals(DriverManager.getLogWriter(), printWriter); - System.clearProperty("loggerFile"); - System.clearProperty("loggerLevel"); - Properties props = new Properties(); - props.setProperty("user", TestUtil.getUser()); - props.setProperty("password", TestUtil.getPassword()); - props.setProperty("loggerLevel", "DEBUG"); - con = DriverManager.getConnection(TestUtil.getURL(), props); - - Logger logger = Logger.getLogger("org.postgresql"); - Handler[] handlers = logger.getHandlers(); - assertTrue(handlers[0] instanceof LogWriterHandler ); - con.close(); - } finally { - DriverManager.setLogWriter(prevLog); - setProperty("loggerLevel", loggerLevel); - setProperty("loggerFile", loggerFile); - } - } - - @Test - public void testSetLogStream() throws Exception { - // this is a dummy to make sure TestUtil is initialized - Connection con = DriverManager.getConnection(TestUtil.getURL(), TestUtil.getUser(), TestUtil.getPassword()); - con.close(); - String loggerLevel = System.getProperty("loggerLevel"); - String loggerFile = System.getProperty("loggerFile"); - - try { - DriverManager.setLogStream(new NullOutputStream(System.err)); - System.clearProperty("loggerFile"); - System.clearProperty("loggerLevel"); - Properties props = new Properties(); - props.setProperty("user", TestUtil.getUser()); - props.setProperty("password", TestUtil.getPassword()); - props.setProperty("loggerLevel", "DEBUG"); - con = DriverManager.getConnection(TestUtil.getURL(), props); - - Logger logger = Logger.getLogger("org.postgresql"); - Handler []handlers = logger.getHandlers(); - assertTrue( handlers[0] instanceof LogWriterHandler ); - con.close(); - } finally { - DriverManager.setLogStream(null); - setProperty("loggerLevel", loggerLevel); - setProperty("loggerFile", loggerFile); - } - } - private void setProperty(String key, String value) { if (value == null) { System.clearProperty(key); Index: postgresql-42.2.25-jdbc-src/src/test/java/org/postgresql/test/jdbc2/PGPropertyTest.java =================================================================== --- postgresql-42.2.25-jdbc-src.orig/src/test/java/org/postgresql/test/jdbc2/PGPropertyTest.java +++ postgresql-42.2.25-jdbc-src/src/test/java/org/postgresql/test/jdbc2/PGPropertyTest.java @@ -8,7 +8,6 @@ package org.postgresql.test.jdbc2; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertTrue; @@ -216,15 +215,6 @@ public class PGPropertyTest { } @Test - public void testNullValue() { - Properties empty = new Properties(); - assertNull(PGProperty.LOGGER_LEVEL.getSetString(empty)); - Properties withLogging = new Properties(); - withLogging.setProperty(PGProperty.LOGGER_LEVEL.getName(), "OFF"); - assertNotNull(PGProperty.LOGGER_LEVEL.getSetString(withLogging)); - } - - @Test public void testEncodedUrlValues() { String databaseName = "d&a%ta+base"; String userName = "&u%ser"; Index: postgresql-42.2.25-jdbc-src/src/test/java/org/postgresql/test/jdbc4/LogTest.java =================================================================== --- postgresql-42.2.25-jdbc-src.orig/src/test/java/org/postgresql/test/jdbc4/LogTest.java +++ /dev/null @@ -1,78 +0,0 @@ -/* - * Copyright (c) 2007, PostgreSQL Global Development Group - * See the LICENSE file in the project root for more information. - */ - -package org.postgresql.test.jdbc4; - -import org.postgresql.PGProperty; -import org.postgresql.test.TestUtil; -import org.postgresql.test.jdbc2.BaseTest4; - -import org.junit.Assert; -import org.junit.Assume; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.Parameterized; - -import java.sql.Array; -import java.sql.PreparedStatement; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Properties; - -@RunWith(Parameterized.class) -public class LogTest extends BaseTest4 { - - private String oldLevel; - - public LogTest(BinaryMode binaryMode) { - setBinaryMode(binaryMode); - long maxMemory = Runtime.getRuntime().maxMemory(); - if (maxMemory < 6L * 1024 * 1024 * 1024) { - // TODO: add hamcrest matches and replace with "greaterThan" or something like that - Assume.assumeTrue( - "The test requires -Xmx6g or more. MaxMemory is " + (maxMemory / 1024.0 / 1024) + " MiB", - false); - } - } - - @Parameterized.Parameters(name = "binary = {0}") - public static Iterable<Object[]> data() { - Collection<Object[]> ids = new ArrayList<Object[]>(); - for (BinaryMode binaryMode : BinaryMode.values()) { - ids.add(new Object[]{binaryMode}); - } - return ids; - } - - @Override - protected void updateProperties(Properties props) { - super.updateProperties(props); - PGProperty.LOGGER_LEVEL.set(props, "TRACE"); - } - - @Test - public void reallyLargeArgumentsBreaksLogging() throws SQLException { - String[] largeInput = new String[220]; - String largeString = String.format("%1048576s", " "); - for (int i = 0; i < largeInput.length; i++) { - largeInput[i] = largeString; - } - Array arr = con.createArrayOf("text", largeInput); - PreparedStatement ps = con.prepareStatement("select t from unnest(?::text[]) t"); - ps.setArray(1, arr); - ResultSet rs = ps.executeQuery(); - int x = 0; - while (rs.next()) { - x += 1; - String found = rs.getString(1); - Assert.assertEquals(largeString, found); - } - Assert.assertEquals(largeInput.length, x); - TestUtil.closeQuietly(rs); - TestUtil.closeQuietly(ps); - } -}
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
