Received: from localhost (unknown [200.46.204.183]) by postgresql.org (Postfix) with ESMTP id 8F4D16501FE for ; Sun, 3 Aug 2008 03:17:42 -0300 (ADT) Received: from postgresql.org ([200.46.204.86]) by localhost (mx1.hub.org [200.46.204.183]) (amavisd-maia, port 10024) with ESMTP id 98759-01-6 for ; Sun, 3 Aug 2008 03:17:34 -0300 (ADT) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from tada.se (1-1-2-48a.rny.sth.bostream.se [82.182.133.12]) by postgresql.org (Postfix) with ESMTP id 70B29650407 for ; Sun, 3 Aug 2008 03:12:00 -0300 (ADT) Received: from [10.59.1.70] (unverified [88.131.27.66]) by tada.se (SurgeMail 3.9e) with ESMTP id 166145-1788151 for multiple; Sun, 03 Aug 2008 08:11:57 +0200 Message-ID: <48954C29.8010604@tada.se> Date: Sun, 03 Aug 2008 08:11:53 +0200 From: Thomas Hallgren User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) MIME-Version: 1.0 To: Tom Lane CC: Kris Jurka , pljava-dev@pgfoundry.org, Alvaro Herrera , pgsql-hackers@postgresql.org Subject: Re: Re: [Pljava-dev] Should creating a new base type require superuser status? References: <19715.1217447413@sss.pgh.pa.us> <20080730220753.GG3977@alvh.no-ip.org> <23846.1217539394@sss.pgh.pa.us> <48937589.10304@tada.se> <23725.1217626961@sss.pgh.pa.us> <48940239.8080401@tada.se> <4111.1217693570@sss.pgh.pa.us> In-Reply-To: <4111.1217693570@sss.pgh.pa.us> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: 88.131.27.66 X-Authenticated-User: thomas@tada.se X-Virus-Scanned: Maia Mailguard 1.0.1 X-Spam-Status: No, hits=0.1 tagged_above=0 required=5 tests=RDNS_DYNAMIC=0.1 X-Spam-Level: X-Archive-Number: 200808/69 X-Sequence-Number: 121823 Tom Lane wrote: > >> This is a non-issue in PL/Java. An integer parameter is never passed by >> reference and there's no way the PL/Java user can get direct access to >> backend memory. >> > > So what exactly does happen when the user deliberately specifies wrong > typlen/typbyval/typalign info when creating a type based on PL/Java > functions? > > Everything is converted into instances of Java classes such as String, byte[], etc. >> I think that assumption is without ground. Java doesn't permit you to >> access memory unless you use Java classes (java.nio stuff) that is >> explicitly designed to do that and you need native code to set such >> things up. A PL/Java user can not do that unless he is able to link in >> other shared objects or dll's to the backend process. >> > > PL/Java itself must be doing "unsafe" things in order to interface with > PG at all. So what your argument really is is that you have managed to > securely sandbox the user-written code you are calling. That might or > might not be true, but I don't think that worrying about it is without > foundation. > > I would be presumptuous to claim that I provide the sandbox. All PL/Java does is to provide the type mapping. The sandbox as such is implicit in Java, much in the same way that it does it for web-browsers etc. Regardless of that, I think there's some difference in expressing a worry that might or might not have a foundation versus claiming that there indeed must be a security hole a mile wide ;-) - thomas