changeset 24:92c589a2cf8f

Add security checks for save and load in DeploymentConfiguration 2010-10-27 Omair Majid <omajid@redhat.com> * netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java (load): Do a security check at start. A security exception later on may accidentally reveal a filename or a system property. (save): Likewise.
author Omair Majid <omajid@redhat.com>
date Wed, 27 Oct 2010 12:55:00 -0400
parents 33f17695e034
children 5566a5487109
files ChangeLog netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java
diffstat 2 files changed, 28 insertions(+), 3 deletions(-) [+]
--- a/ChangeLog	Tue Oct 26 18:14:11 2010 -0400
+++ b/ChangeLog	Wed Oct 27 12:55:00 2010 -0400
@@ -1,3 +1,10 @@
+2010-10-27  Omair Majid  <omajid@redhat.com>
+
+	* netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java
+	(load): Do a security check at start. A security exception later on may
+	accidentally reveal a filename or a system property.
+	(save): Likewise.
+
 2010-10-26  Omair Majid  <omajid@redhat.com>
 
 	* netx/net/sourceforge/jnlp/Launcher.java
--- a/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java	Tue Oct 26 18:14:11 2010 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java	Wed Oct 27 12:55:00 2010 -0400
@@ -155,6 +155,15 @@
      * @throws DeploymentException if it encounters a fatal error.
      */
     public void load() throws ConfigurationException {
+        // make sure no state leaks if security check fails later on
+        File userFile = new File(System.getProperty("user.home") + File.separator + ".netx"
+                + File.separator + DEPLOYMENT_PROPERTIES);
+
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkRead(userFile.toString());
+        }
+
         Map<String, ConfigValue> initialProperties = loadDefaultProperties();
 
         Map<String, ConfigValue> systemProperties = null;
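Review bot: The `SecurityException` raised by `sm.checkRead(userFile.toString())` can itself carry the path this change is meant to keep private. With the stock `SecurityManager`, the `AccessControlException` message prints the denied `FilePermission` including its name, which here is built from `user.home`. Whether the security manager netx installs behaves the same way is not visible in this hunk, so that needs confirming. If it does, rethrow with a fixed message, for example `try { sm.checkRead(userFile.toString()); } catch (SecurityException e) { throw new SecurityException("cannot read deployment configuration"); }`. The comment on the first added line would also read better directly above the `if (sm != null)` block it describes; load() continues outside the hunk.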
@@ -189,8 +198,7 @@
         /*
          * Third, read the user's deployment.properties file
          */
-        userPropertiesFile = new File(System.getProperty("user.home") + File.separator + ".netx"
-                + File.separator + DEPLOYMENT_PROPERTIES);
+        userPropertiesFile = userFile;
         Map<String, ConfigValue> userProperties = loadProperties(ConfigType.User, userPropertiesFile,
                 false);
         if (userProperties != null) {
@@ -466,9 +474,19 @@
     /**
      * Saves all properties that are not part of default or system properties
      *
-     * @throws IOException
+     * @throws IOException if unable to save the file
+     * @throws IllegalStateException if save() is called before load()
      */
     public void save() throws IOException {
+        if (userPropertiesFile == null) {
+            throw new IllegalStateException("must load() before save()");
+        }
+
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkWrite(userPropertiesFile.toString());
+        }
+
         if (JNLPRuntime.isDebug()) {
             System.out.println("Saving properties into " + userPropertiesFile.toString());
         }
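Review bot: The updated Javadoc for save() lists `IllegalStateException` but not the `SecurityException` that the new `sm.checkWrite(...)` call can raise. I would add `@throws SecurityException if a security manager denies write access to the user properties file`. The `userPropertiesFile == null` test also runs before the permission check, so a caller without write permission gets `IllegalStateException` and learns whether load() has run instead of being refused first. Since the check needs the path, a short comment such as `// state check must come first: the permission check needs the file path` would record that the order is deliberate. save() continues outside the hunk.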