public inbox for [email protected]  
help / color / mirror / Atom feed
From: Thomas Hallgren <[email protected]>
To: Tom Lane <[email protected]>
Cc: Kris Jurka <[email protected]>
Cc: [email protected]
Cc: Alvaro Herrera <[email protected]>
Cc: [email protected]
Subject: Re: Re: [Pljava-dev] Should creating a new base type require superuser status?
Date: Sun, 03 Aug 2008 08:11:53 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

Tom Lane wrote:
>
>> This is a non-issue in PL/Java. An integer parameter is never passed by 
>> reference and there's no way the PL/Java user can get direct access to 
>> backend memory.
>>     
>
> So what exactly does happen when the user deliberately specifies wrong
> typlen/typbyval/typalign info when creating a type based on PL/Java
> functions?
>
>   
Everything is converted into instances of Java classes such as String, 
byte[], etc.

>> I think that assumption is without ground. Java doesn't permit you to 
>> access memory unless you use Java classes (java.nio stuff) that is 
>> explicitly designed to do that and you need native code to set such 
>> things up. A PL/Java user can not do that unless he is able to link in 
>> other shared objects or dll's to the backend process.
>>     
>
> PL/Java itself must be doing "unsafe" things in order to interface with
> PG at all.  So what your argument really is is that you have managed to
> securely sandbox the user-written code you are calling.  That might or
> might not be true, but I don't think that worrying about it is without
> foundation.
>
>   
I would be presumptuous to claim that I provide the sandbox. All PL/Java 
does is to provide the type mapping. The sandbox as such is implicit in 
Java, much in the same way that it does it for web-browsers etc.

Regardless of that, I think there's some difference in expressing a 
worry that might or might not have a foundation versus claiming that 
there indeed must be a security hole a mile wide ;-)

- thomas




view thread (21+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Re: [Pljava-dev] Should creating a new base type require superuser status?
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox