From: Markus Koschany <apo@debian.org>
Date: Sun, 3 Jul 2022 18:04:33 +0200
Subject: CVE-2022-26520

Origin: https://github.com/pgjdbc/pgjdbc/commit/f6d47034a4ce292e1a659fa00963f6f713117064
---
 README.md                                          |  7 +-
 docs/documentation/head/connect.md                 | 12 ++--
 pgjdbc/src/main/java/org/postgresql/Driver.java    | 69 +------------------
 .../src/main/java/org/postgresql/PGProperty.java   | 22 ++----
 .../org/postgresql/ds/common/BaseDataSource.java   | 20 +++---
 .../java/org/postgresql/test/jdbc2/DriverTest.java | 73 --------------------
 .../org/postgresql/test/jdbc2/PGPropertyTest.java  | 10 ---
 .../java/org/postgresql/test/jdbc4/LogTest.java    | 78 ----------------------
 8 files changed, 28 insertions(+), 263 deletions(-)
 delete mode 100644 pgjdbc/src/test/java/org/postgresql/test/jdbc4/LogTest.java

diff --git a/README.md b/README.md
index ce63ac2..e22a8b9 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,11 @@ where:
  * **database** (Optional) is the database name. Defaults to the same name as the *user name* used in the connection.
  * **propertyX** (Optional) is one or more option connection properties. For more information see *Connection properties*. 
 
+### Logging
+PgJDBC uses java.util.logging for logging.
+To configure log levels and control log output destination (e.g. file or console), configure your java.util.logging properties accordingly for the org.postgresql logger.
+Note that the most detailed log levels, "`FINEST`", may include sensitive information such as connection details, query SQL, or command parameters.
+
 #### Connection Properties
 In addition to the standard connection parameters the driver supports a number of additional properties which can be used to specify additional driver behaviour specific to PostgreSQL™. These properties may be specified in either the connection URL or an additional Properties object parameter to DriverManager.getConnection.
 
@@ -121,8 +126,6 @@ In addition to the standard connection parameters the driver supports a number o
 | sslpassword                   | String  | null    | The password for the client's ssl key (ignored if sslpasswordcallback is set) |
 | sendBufferSize                | Integer | -1      | Socket write buffer size |
 | recvBufferSize                | Integer | -1      | Socket read buffer size  |
-| loggerLevel                   | String  | null    | Logger level of the driver using java.util.logging. Allowed values: OFF, DEBUG or TRACE. |
-| loggerFile                    | String  | null    | File name output of the Logger, if set, the Logger will use a FileHandler to write to a specified file. If the parameter is not set or the file can't be created the ConsoleHandler will be used instead. |
 | allowEncodingChanges          | Boolean | false   | Allow for changes in client_encoding |
 | logUnclosedConnections        | Boolean | false   | When connections that are not explicitly closed are garbage collected, log the stacktrace from the opening of the connection to trace the leak source |
 | binaryTransferEnable          | String  | ""      | Comma separated list of types to enable binary transfer. Either OID numbers or names |
diff --git a/docs/documentation/head/connect.md b/docs/documentation/head/connect.md
index 106f3ca..03ab058 100644
--- a/docs/documentation/head/connect.md
+++ b/docs/documentation/head/connect.md
@@ -145,17 +145,13 @@ Connection conn = DriverManager.getConnection(url);
  
 * **loggerLevel** = String
 
-	Logger level of the driver. Allowed values: <code>OFF</code>, <code>DEBUG</code> or <code>TRACE</code>.
-	This enable the <code>java.util.logging.Logger</code> Level of the driver based on the following mapping
-	of levels: DEBUG -&gt; FINE, TRACE -&gt; FINEST. This property is intended for debug the driver and
-	not for general SQL query debug.
+	This property is no longer used by the driver and will be ignored.
+	All logging configuration is handled by java.util.logging.
 
 * **loggerFile** = String
 
-	File name output of the Logger. If set, the Logger will use a <code>java.util.logging.FileHandler</code>
-	to write to a specified file. If the parameter is not set or the file can’t be created the
-	<code>java.util.logging.ConsoleHandler</code> will be used instead. This parameter should be use
-	together with loggerLevel.
+	This property is no longer used by the driver and will be ignored.
+	All logging configuration is handled by java.util.logging.
  
 * **allowEncodingChanges** = boolean
 
diff --git a/pgjdbc/src/main/java/org/postgresql/Driver.java b/pgjdbc/src/main/java/org/postgresql/Driver.java
index e5f955d..427d4e2 100644
--- a/pgjdbc/src/main/java/org/postgresql/Driver.java
+++ b/pgjdbc/src/main/java/org/postgresql/Driver.java
@@ -7,7 +7,6 @@ package org.postgresql;
 
 import org.postgresql.jdbc.PgConnection;
 import org.postgresql.util.DriverInfo;
-import org.postgresql.util.ExpressionProperties;
 import org.postgresql.util.GT;
 import org.postgresql.util.HostSpec;
 import org.postgresql.util.PSQLException;
@@ -31,11 +30,8 @@ import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.Properties;
 import java.util.Set;
-import java.util.logging.Formatter;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import java.util.logging.SimpleFormatter;
-import java.util.logging.StreamHandler;
 
 /**
  * <p>The Java SQL framework allows for multiple database drivers. Each driver should supply a class
@@ -238,8 +234,6 @@ public class Driver implements java.sql.Driver {
       return null;
     }
     try {
-      // Setup java.util.logging.Logger using connection properties.
-      setupLoggerFromProperties(props);
 
       LOGGER.log(Level.FINE, "Connecting with URL: {0}", url);
 
@@ -280,70 +274,13 @@ public class Driver implements java.sql.Driver {
     }
   }
 
-  // Used to check if the handler file is the same
-  private static String loggerHandlerFile;
-
   /**
-   * <p>Setup java.util.logging.Logger using connection properties.</p>
-   *
-   * <p>See {@link PGProperty#LOGGER_FILE} and {@link PGProperty#LOGGER_FILE}</p>
-   *
+   *  this is an empty method left here for graalvm
+   *  we removed the ability to setup the logger from properties
+   *  due to a security issue
    * @param props Connection Properties
    */
   private void setupLoggerFromProperties(final Properties props) {
-    final String driverLogLevel = PGProperty.LOGGER_LEVEL.get(props);
-    if (driverLogLevel == null) {
-      return; // Don't mess with Logger if not set
-    }
-    if ("OFF".equalsIgnoreCase(driverLogLevel)) {
-      PARENT_LOGGER.setLevel(Level.OFF);
-      return; // Don't mess with Logger if set to OFF
-    } else if ("DEBUG".equalsIgnoreCase(driverLogLevel)) {
-      PARENT_LOGGER.setLevel(Level.FINE);
-    } else if ("TRACE".equalsIgnoreCase(driverLogLevel)) {
-      PARENT_LOGGER.setLevel(Level.FINEST);
-    }
-
-    ExpressionProperties exprProps = new ExpressionProperties(props, System.getProperties());
-    final String driverLogFile = PGProperty.LOGGER_FILE.get(exprProps);
-    if (driverLogFile != null && driverLogFile.equals(loggerHandlerFile)) {
-      return; // Same file output, do nothing.
-    }
-
-    for (java.util.logging.Handler handlers : PARENT_LOGGER.getHandlers()) {
-      // Remove previously set Handlers
-      handlers.close();
-      PARENT_LOGGER.removeHandler(handlers);
-      loggerHandlerFile = null;
-    }
-
-    java.util.logging.Handler handler = null;
-    if (driverLogFile != null) {
-      try {
-        handler = new java.util.logging.FileHandler(driverLogFile);
-        loggerHandlerFile = driverLogFile;
-      } catch (Exception ex) {
-        System.err.println("Cannot enable FileHandler, fallback to ConsoleHandler.");
-      }
-    }
-
-    Formatter formatter = new SimpleFormatter();
-
-    if ( handler == null ) {
-      if (DriverManager.getLogWriter() != null) {
-        handler = new WriterHandler(DriverManager.getLogWriter());
-      } else if ( DriverManager.getLogStream() != null) {
-        handler = new StreamHandler(DriverManager.getLogStream(), formatter);
-      } else {
-        handler = new StreamHandler(System.err, formatter);
-      }
-    } else {
-      handler.setFormatter(formatter);
-    }
-
-    handler.setLevel(PARENT_LOGGER.getLevel());
-    PARENT_LOGGER.setUseParentHandlers(false);
-    PARENT_LOGGER.addHandler(handler);
   }
 
   /**
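Review bot: The replacement Javadoc on the now-empty `setupLoggerFromProperties` says only "due to a security issue" and "left here for graalvm", which tells a maintainer neither what must not be reintroduced nor why a private method whose call was removed in the earlier hunk has to stay. I would name the advisory from the commit subject and the cause visible in the removed lines, e.g. `Intentionally a no-op: loggerLevel and loggerFile are ignored (CVE-2022-26520), because loggerFile was passed to a FileHandler and so let connection properties choose a file the JVM writes to.` The GraalVM dependency should be spelled out too (presumably some native-image configuration refers to the method by name, which needs confirming), since otherwise this reads as dead code. Both properties are now dropped silently, so a single WARNING from the connect path when either is present would let operators spot connection strings that still carry them.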
diff --git a/pgjdbc/src/main/java/org/postgresql/PGProperty.java b/pgjdbc/src/main/java/org/postgresql/PGProperty.java
index 7864f32..6a9108f 100644
--- a/pgjdbc/src/main/java/org/postgresql/PGProperty.java
+++ b/pgjdbc/src/main/java/org/postgresql/PGProperty.java
@@ -56,28 +56,14 @@ public enum PGProperty {
       false, "3"),
 
   /**
-   * <p>Logger level of the driver. Allowed values: {@code OFF}, {@code DEBUG} or {@code TRACE}.</p>
-   *
-   * <p>This enable the {@link java.util.logging.Logger} of the driver based on the following mapping
-   * of levels:</p>
-   * <ul>
-   *     <li>FINE -&gt; DEBUG</li>
-   *     <li>FINEST -&gt; TRACE</li>
-   * </ul>
-   *
-   * <p><b>NOTE:</b> The recommended approach to enable java.util.logging is using a
-   * {@code logging.properties} configuration file with the property
-   * {@code -Djava.util.logging.config.file=myfile} or if your are using an application server
-   * you should use the appropriate logging subsystem.</p>
+   * This property is no longer used by the driver and will be ignored.
+   * Logging is configured via java.util.logging.
    */
   LOGGER_LEVEL("loggerLevel", null, "Logger level of the driver", false, "OFF", "DEBUG", "TRACE"),
 
   /**
-   * <p>File name output of the Logger, if set, the Logger will use a
-   * {@link java.util.logging.FileHandler} to write to a specified file. If the parameter is not set
-   * or the file can't be created the {@link java.util.logging.ConsoleHandler} will be used instead.</p>
-   *
-   * <p>Parameter should be use together with {@link PGProperty#LOGGER_LEVEL}</p>
+   * This property is no longer used by the driver and will be ignored.
+   * Logging is configured via java.util.logging.
    */
   LOGGER_FILE("loggerFile", null, "File name output of the Logger"),
 
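Review bot: `LOGGER_LEVEL` and `LOGGER_FILE` keep their old description strings, and `LOGGER_LEVEL` keeps the choices `"OFF", "DEBUG", "TRACE"`, so anything that reads the property metadata still presents them as working options. Unlike the `BaseDataSource` accessors changed in this patch, the constants also carry no `@Deprecated`. I would add `@Deprecated` and a `@deprecated Configure via java.util.logging` tag to both constants and change the descriptions to say the value is ignored, e.g. `"Ignored; logging is configured via java.util.logging"`. The enum body starts and ends outside the hunk, so whether other code relies on the choices list or would trip over new deprecation warnings cannot be seen here.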
diff --git a/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java b/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java
index dc8deee..5eaebd2 100644
--- a/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java
+++ b/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java
@@ -1033,34 +1033,38 @@ public abstract class BaseDataSource implements CommonDataSource, Referenceable
   }
 
   /**
-   * @return Logger Level of the JDBC Driver
-   * @see PGProperty#LOGGER_LEVEL
+   * This property is no longer used by the driver and will be ignored.
+   * @deprecated Configure via java.util.logging
    */
+  @Deprecated
   public String getLoggerLevel() {
     return PGProperty.LOGGER_LEVEL.get(properties);
   }
 
   /**
-   * @param loggerLevel of the JDBC Driver
-   * @see PGProperty#LOGGER_LEVEL
+   * This property is no longer used by the driver and will be ignored.
+   * @deprecated Configure via java.util.logging
    */
+  @Deprecated
   public void setLoggerLevel(String loggerLevel) {
     PGProperty.LOGGER_LEVEL.set(properties, loggerLevel);
   }
 
   /**
-   * @return File output of the Logger.
-   * @see PGProperty#LOGGER_FILE
+   * This property is no longer used by the driver and will be ignored.
+   * @deprecated Configure via java.util.logging
    */
+  @Deprecated
   public String getLoggerFile() {
     ExpressionProperties exprProps = new ExpressionProperties(properties, System.getProperties());
     return PGProperty.LOGGER_FILE.get(exprProps);
   }
 
   /**
-   * @param loggerFile File output of the Logger.
-   * @see PGProperty#LOGGER_LEVEL
+   * This property is no longer used by the driver and will be ignored.
+   * @deprecated Configure via java.util.logging
    */
+  @Deprecated
   public void setLoggerFile(String loggerFile) {
     PGProperty.LOGGER_FILE.set(properties, loggerFile);
   }
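Review bot: The four deprecated accessors lost their `@param`/`@return` tags, and the new wording "will be ignored" hides that `setLoggerLevel`/`setLoggerFile` still store the value in `properties` and the getters still return it. I would keep the tags and state this explicitly, e.g. `@return the stored loggerFile value; the driver never applies it`. `getLoggerFile` also still wraps `properties` in `ExpressionProperties` with `System.getProperties()`, which presumably expands expressions for a value nothing consumes. `return PGProperty.LOGGER_FILE.get(properties);` would be enough, assuming no caller relies on the expanded form. The class body starts and ends outside the hunk.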
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/DriverTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/DriverTest.java
index cf23b70..9e29b5c 100644
--- a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/DriverTest.java
+++ b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/DriverTest.java
@@ -15,13 +15,11 @@ import static org.junit.Assert.fail;
 import org.postgresql.Driver;
 import org.postgresql.PGProperty;
 import org.postgresql.test.TestUtil;
-import org.postgresql.util.NullOutputStream;
 import org.postgresql.util.URLCoder;
 import org.postgresql.util.WriterHandler;
 
 import org.junit.Test;
 
-import java.io.PrintWriter;
 import java.lang.reflect.Method;
 import java.sql.Connection;
 import java.sql.DriverManager;
@@ -29,8 +27,6 @@ import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Properties;
-import java.util.logging.Handler;
-import java.util.logging.Logger;
 
 /*
  * Tests the dynamically created class org.postgresql.Driver
@@ -202,73 +198,4 @@ public class DriverTest {
     fail("Driver has not been found in DriverManager's list but it should be registered");
   }
 
-  @Test
-  public void testSetLogWriter() throws Exception {
-
-    // this is a dummy to make sure TestUtil is initialized
-    Connection con = DriverManager.getConnection(TestUtil.getURL(), TestUtil.getUser(), TestUtil.getPassword());
-    con.close();
-    String loggerLevel = System.getProperty("loggerLevel");
-    String loggerFile = System.getProperty("loggerFile");
-
-    try {
-
-      PrintWriter printWriter = new PrintWriter(new NullOutputStream(System.err));
-      DriverManager.setLogWriter(printWriter);
-      assertEquals(DriverManager.getLogWriter(), printWriter);
-      System.clearProperty("loggerFile");
-      System.clearProperty("loggerLevel");
-      Properties props = new Properties();
-      props.setProperty("user", TestUtil.getUser());
-      props.setProperty("password", TestUtil.getPassword());
-      props.setProperty("loggerLevel", "DEBUG");
-      con = DriverManager.getConnection(TestUtil.getURL(), props);
-
-      Logger logger = Logger.getLogger("org.postgresql");
-      Handler[] handlers = logger.getHandlers();
-      assertTrue(handlers[0] instanceof WriterHandler );
-      con.close();
-    } finally {
-      DriverManager.setLogWriter(null);
-      System.setProperty("loggerLevel", loggerLevel);
-      System.setProperty("loggerFile", loggerFile);
-
-    }
-
-  }
-
-  @Test
-  public void testSetLogStream() throws Exception {
-
-    // this is a dummy to make sure TestUtil is initialized
-    Connection con = DriverManager.getConnection(TestUtil.getURL(), TestUtil.getUser(), TestUtil.getPassword());
-    con.close();
-    String loggerLevel = System.getProperty("loggerLevel");
-    String loggerFile = System.getProperty("loggerFile");
-
-    try {
-
-      DriverManager.setLogStream(new NullOutputStream(System.err));
-      System.clearProperty("loggerFile");
-      System.clearProperty("loggerLevel");
-      Properties props = new Properties();
-      props.setProperty("user", TestUtil.getUser());
-      props.setProperty("password", TestUtil.getPassword());
-      props.setProperty("loggerLevel", "DEBUG");
-      con = DriverManager.getConnection(TestUtil.getURL(), props);
-
-      Logger logger = Logger.getLogger("org.postgresql");
-      Handler []handlers = logger.getHandlers();
-      assertTrue( handlers[0] instanceof WriterHandler );
-      con.close();
-    } finally {
-      DriverManager.setLogStream(null);
-      System.setProperty("loggerLevel", loggerLevel);
-      System.setProperty("loggerFile", loggerFile);
-
-
-    }
-
-  }
-
 }
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/PGPropertyTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/PGPropertyTest.java
index f720e68..ee8578f 100644
--- a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/PGPropertyTest.java
+++ b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/PGPropertyTest.java
@@ -8,7 +8,6 @@ package org.postgresql.test.jdbc2;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 import org.postgresql.Driver;
@@ -190,15 +189,6 @@ public class PGPropertyTest {
     assertFalse(PGProperty.READ_ONLY.isPresent(empty));
   }
 
-  @Test
-  public void testNullValue() {
-    Properties empty = new Properties();
-    assertNull(PGProperty.LOGGER_LEVEL.getSetString(empty));
-    Properties withLogging = new Properties();
-    withLogging.setProperty(PGProperty.LOGGER_LEVEL.getName(), "OFF");
-    assertNotNull(PGProperty.LOGGER_LEVEL.getSetString(withLogging));
-  }
-
   @Test
   public void testEncodedUrlValues() {
     String databaseName = "d&a%ta+base";
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc4/LogTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc4/LogTest.java
deleted file mode 100644
index 49d623f..0000000
--- a/pgjdbc/src/test/java/org/postgresql/test/jdbc4/LogTest.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 2007, PostgreSQL Global Development Group
- * See the LICENSE file in the project root for more information.
- */
-
-package org.postgresql.test.jdbc4;
-
-import org.postgresql.PGProperty;
-import org.postgresql.test.TestUtil;
-import org.postgresql.test.jdbc2.BaseTest4;
-
-import org.junit.Assert;
-import org.junit.Assume;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.Parameterized;
-
-import java.sql.Array;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Properties;
-
-@RunWith(Parameterized.class)
-public class LogTest extends BaseTest4 {
-
-  private String oldLevel;
-
-  public LogTest(BinaryMode binaryMode) {
-    setBinaryMode(binaryMode);
-    long maxMemory = Runtime.getRuntime().maxMemory();
-    if (maxMemory < 6L * 1024 * 1024 * 1024) {
-      // TODO: add hamcrest matches and replace with "greaterThan" or something like that
-      Assume.assumeTrue(
-          "The test requires -Xmx6g or more. MaxMemory is " + (maxMemory / 1024.0 / 1024) + " MiB",
-          false);
-    }
-  }
-
-  @Parameterized.Parameters(name = "binary = {0}")
-  public static Iterable<Object[]> data() {
-    Collection<Object[]> ids = new ArrayList<Object[]>();
-    for (BinaryMode binaryMode : BinaryMode.values()) {
-      ids.add(new Object[]{binaryMode});
-    }
-    return ids;
-  }
-
-  @Override
-  protected void updateProperties(Properties props) {
-    super.updateProperties(props);
-    PGProperty.LOGGER_LEVEL.set(props, "TRACE");
-  }
-
-  @Test
-  public void reallyLargeArgumentsBreaksLogging() throws SQLException {
-    String[] largeInput = new String[220];
-    String largeString = String.format("%1048576s", " ");
-    for (int i = 0; i < largeInput.length; i++) {
-      largeInput[i] = largeString;
-    }
-    Array arr = con.createArrayOf("text", largeInput);
-    PreparedStatement ps = con.prepareStatement("select t from unnest(?::text[]) t");
-    ps.setArray(1, arr);
-    ResultSet rs = ps.executeQuery();
-    int x = 0;
-    while (rs.next()) {
-      x += 1;
-      String found = rs.getString(1);
-      Assert.assertEquals(largeString, found);
-    }
-    Assert.assertEquals(largeInput.length, x);
-    TestUtil.closeQuietly(rs);
-    TestUtil.closeQuietly(ps);
-  }
-}
