changeset 24:92c589a2cf8f
Add security checks for save and load in DeploymentConfiguration
2010-10-27 Omair Majid <omajid@redhat.com>
* netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java
(load): Do a security check at start. A security exception later on may
accidentally reveal a filename or a system property.
(save): Likewise.
author | Omair Majid <omajid@redhat.com> |
---|---|
date | Wed, 27 Oct 2010 12:55:00 -0400 |
parents | 33f17695e034 |
children | 5566a5487109 |
files | ChangeLog netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java |
diffstat | 2 files changed, 28 insertions(+), 3 deletions(-) [+] |
--- a/ChangeLog Tue Oct 26 18:14:11 2010 -0400
+++ b/ChangeLog Wed Oct 27 12:55:00 2010 -0400
@@ -1,3 +1,10 @@
+2010-10-27 Omair Majid <omajid@redhat.com>
+
+ * netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java
+ (load): Do a security check at start. A security exception later on may
+ accidentally reveal a filename or a system property.
+ (save): Likewise.
+
 2010-10-26 Omair Majid <omajid@redhat.com>
 
 * netx/net/sourceforge/jnlp/Launcher.java
--- a/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java Tue Oct 26 18:14:11 2010 -0400 +++ b/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java Wed Oct 27 12:55:00 2010 -0400 @@ -155,6 +155,15 @@ * @throws DeploymentException if it encounters a fatal error. */ public void load() throws ConfigurationException { + // make sure no state leaks if security check fails later on + File userFile = new File(System.getProperty("user.home") + File.separator + ".netx" + + File.separator + DEPLOYMENT_PROPERTIES); + + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + sm.checkRead(userFile.toString()); + } + Map<String, ConfigValue> initialProperties = loadDefaultProperties(); Map<String, ConfigValue> systemProperties = null; @@ -189,8 +198,7 @@ /* * Third, read the user's deployment.properties file */ - userPropertiesFile = new File(System.getProperty("user.home") + File.separator + ".netx" - + File.separator + DEPLOYMENT_PROPERTIES); + userPropertiesFile = userFile; Map<String, ConfigValue> userProperties = loadProperties(ConfigType.User, userPropertiesFile, false); if (userProperties != null) { @@ -466,9 +474,19 @@ /** * Saves all properties that are not part of default or system properties * - * @throws IOException + * @throws IOException if unable to save the file + * @throws IllegalStateException if save() is called before load() */ public void save() throws IOException { + if (userPropertiesFile == null) { + throw new IllegalStateException("must load() before save()"); + } + + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + sm.checkWrite(userPropertiesFile.toString()); + } + if (JNLPRuntime.isDebug()) { System.out.println("Saving properties into " + userPropertiesFile.toString()); }
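Review bot: The early `sm.checkRead(userFile.toString())` in load() covers only the user's deployment.properties, so the comment's promise that no state leaks holds for that one file only. The system-level properties handled further down (outside this hunk) may still raise a SecurityException after the defaults are loaded; it is worth confirming whether that path needs the same up-front check. The Javadoc above still names `DeploymentException` while the signature throws `ConfigurationException`, and the new failure mode is undocumented; I would add `* @throws SecurityException if the caller may not read the user's deployment.properties`. The stock SecurityManager puts the checked path in the exception message, so callers should avoid surfacing that message to untrusted code.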
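Review bot: In save() the `userPropertiesFile == null` test runs before `sm.checkWrite(...)`, so a caller without write permission gets an IllegalStateException or a SecurityException depending on whether load() has run, which reveals a little internal state. If that distinction matters, the permission check could come first, against a path built the same way as in load(). The Javadoc gained `@throws IllegalStateException` but not the matching `* @throws SecurityException if the caller may not write the user's deployment.properties`. The rest of save() lies outside this hunk, so any later file access there is not covered by this comment.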