changeset 2006:e0e679b39351
RH645843, CVE-2010-3860: Don't expose system properties via public variables.
2010-11-11 Omair Majid <omajid@redhat.com>
RH645843, CVE-2010-3860
* netx/net/sourceforge/jnlp/runtime/Boot.java,
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
* netx/net/sourceforge/jnlp/security/SecurityUtil.java,
* netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
* netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
* plugin/icedteanp/java/sun/applet/PluginMain.java:
Fix exposure of system properties.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Thu, 18 Nov 2010 13:23:54 +0000 |
parents | 2eff7c2e01d1 |
children | 89ccf12401c2 |
files | ChangeLog plugin/icedteanp/java/sun/applet/PluginMain.java rt/net/sourceforge/jnlp/runtime/Boot.java rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java rt/net/sourceforge/jnlp/security/SecurityUtil.java rt/net/sourceforge/jnlp/services/SingleInstanceLock.java rt/net/sourceforge/jnlp/util/XDesktopEntry.java |
diffstat | 7 files changed, 74 insertions(+), 32 deletions(-) [+] |
--- a/ChangeLog Thu Nov 18 13:01:47 2010 +0000
+++ b/ChangeLog Thu Nov 18 13:23:54 2010 +0000
@@ -1,3 +1,14 @@
+2010-11-11 Omair Majid <omajid@redhat.com>
+
+ RH645843, CVE-2010-3860
+ * netx/net/sourceforge/jnlp/runtime/Boot.java,
+ * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
+ * netx/net/sourceforge/jnlp/security/SecurityUtil.java,
+ * netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
+ * netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
+ * plugin/icedteanp/java/sun/applet/PluginMain.java:
+ Fix exposure of system properties.
+
 2010-11-18 Andrew John Hughes <ahughes@redhat.com>
 * NEWS: Add 1.7.6.
--- a/plugin/icedteanp/java/sun/applet/PluginMain.java Thu Nov 18 13:01:47 2010 +0000
+++ b/plugin/icedteanp/java/sun/applet/PluginMain.java Thu Nov 18 13:23:54 2010 +0000
@@ -89,8 +89,8 @@
 {
 // the files where stdout/stderr are sent to
- public static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
- public static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
+ static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
+ static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
 final boolean redirectStreams = System.getenv().containsKey("ICEDTEAPLUGIN_DEBUG");
 static PluginStreamHandler streamHandler;
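Review bot: `PLUGIN_STDERR_FILE` and `PLUGIN_STDOUT_FILE` remain readable by every class in `sun.applet` after `public` is dropped, and both are still built from `System.getProperty("user.home")` at class initialisation. If nothing outside `PluginMain` reads them (not visible in this hunk), `private static final` would match what the same commit does for the `JNLPRuntime` fields. If another class in the package does need them, a comment such as `// package-private on purpose: embeds user.home, must not be widened` would record why the narrower modifier was not used. The class body continues outside the hunk.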
--- a/rt/net/sourceforge/jnlp/runtime/Boot.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/runtime/Boot.java Thu Nov 18 13:23:54 2010 +0000
@@ -230,8 +230,8 @@
 */
 private static String getAboutFile() {
- if (new File(JNLPRuntime.NETX_ABOUT_FILE).exists())
- return JNLPRuntime.NETX_ABOUT_FILE;
+ if (new File(JNLPRuntime.getAboutFile()).exists())
+ return JNLPRuntime.getAboutFile();
 else
 return null;
 }
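Review bot: `JNLPRuntime.getAboutFile()` is called twice in the new `getAboutFile()`, so the property-access probe inside the accessor runs twice and the path that is tested is fetched separately from the path that is returned. Reading it once, `String aboutFile = JNLPRuntime.getAboutFile();` followed by `return new File(aboutFile).exists() ? aboutFile : null;`, keeps the two in step and removes the unbraced `if`/`else`.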
--- a/rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java Thu Nov 18 13:23:54 2010 +0000
@@ -105,42 +105,42 @@
 private static List<String> initialArguments;
 /** Username */
- public static final String USER = System.getProperty("user.name");
+ private static final String USER = System.getProperty("user.name");
 /** User's home directory */
- public static final String HOME_DIR = System.getProperty("user.home");
+ private static final String HOME_DIR = System.getProperty("user.home");
 /** the ~/.netxrc file containing netx settings */
- public static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
+ private static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
 /** the ~/.netx directory containing user-specific data */
- public static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
+ private static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
 /** the ~/.netx/security directory containing security related information */
- public static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
+ private static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
 /** the ~/.netx/security/trusted.certs file containing trusted certificates */
- public static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
+ private static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
 /** the /tmp/ directory used for temporary files */
- public static final String TMP_DIR = System.getProperty("java.io.tmpdir");
+ private static final String TMP_DIR = System.getProperty("java.io.tmpdir");
 /**
 * the /tmp/$USER/netx/locks/ directory containing locks for single instance
 * applications
 */
- public static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
+ private static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
 + "netx" + File.separator + "locks";
 /** the java.home directory */
- public static final String JAVA_HOME_DIR = System.getProperty("java.home");
-
+ private static final String JAVA_HOME_DIR = System.getProperty("java.home");
+
 /** the JNLP file to open to display the network-based about window */
- public static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
+ private static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
 + File.separator + "about.jnlp";
-
-
+
+
 /**
 * Returns whether the JNLP runtime environment has been
 * initialized. Once initialized, some properties such as the
@@ -558,7 +558,38 @@
 public static List<String> getInitialArguments() {
 return initialArguments;
 }
-
+
+ /** Get the location of the certificate files user-level used by netx */
+ public static String getCertificatesFile() {
+ System.getProperty("user.home");
+ return CERTIFICATES_FILE;
+ }
+
+ /** Get the home directory */
+ public static String getHomeDir() {
+ System.getProperty("user.home");
+ return HOME_DIR;
+ }
+
+ /** Get the location of the about file */
+ public static String getAboutFile() {
+ System.getProperty("java.home");
+ return NETX_ABOUT_FILE;
+ }
+
+ /** Get the location of the locks directory */
+ public static String getLocksDir() {
+ System.getProperty("user.home");
+ System.getProperty("java.io.tmpdir");
+ return LOCKS_DIR;
+ }
+
+ /** Get the location of a temporary location */
+ public static String getTempDir() {
+ System.getProperty("java.io.tmpdir");
+ return TMP_DIR;
+ }
+
 }
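Review bot: `getLocksDir()` in the second hunk probes the wrong property: `LOCKS_DIR` is built from `TMP_DIR` and `USER` (`user.name`), but the accessor checks `user.home` and `java.io.tmpdir`, so a caller permitted to read those two but not `user.name` still receives a path containing the user name. The first probe should be `System.getProperty("user.name");`. All five accessors also rely on a discarded `System.getProperty(...)` call as the permission check, which reads as dead code and could be removed in a later clean-up. A comment on each, such as `// access check only: throws SecurityException if the caller may not read this property`, or an explicit `SecurityManager.checkPropertyAccess` call, would make the intent visible.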
--- a/rt/net/sourceforge/jnlp/security/SecurityUtil.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/security/SecurityUtil.java Thu Nov 18 13:23:54 2010 +0000
@@ -46,18 +46,18 @@
 public class SecurityUtil {
- private static final char[] password = "changeit".toCharArray();
-
- public static String getTrustedCertsFilename() throws Exception{
-
- String homeDir = JNLPRuntime.HOME_DIR;
-
- if (homeDir == null) {
- throw new Exception("Could not access home directory");
- } else {
- return JNLPRuntime.CERTIFICATES_FILE;
- }
- }
+ private static final char[] password = "changeit".toCharArray();
+
+ public static String getTrustedCertsFilename() throws Exception {
+
+ String homeDir = JNLPRuntime.getHomeDir();
+
+ if (homeDir == null) {
+ throw new Exception("Could not access home directory");
+ } else {
+ return JNLPRuntime.getCertificatesFile();
+ }
+ }
 public static char[] getTrustedCertsPassword() {
 return password;
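Review bot: `getTrustedCertsPassword()`, visible as context at the end of the hunk, returns the private static `password` array itself, so any caller can modify the array that every later caller receives. The commit hides the path fields but leaves this mutable reference exposed, and returning a copy with `return password.clone();` would close it. In the rewritten `getTrustedCertsFilename()`, a `SecurityException` from `JNLPRuntime.getHomeDir()` can now propagate before the `homeDir == null` branch is reached. The method has no Javadoc, and one naming both failure modes would help callers. The body of `getTrustedCertsPassword()` continues outside the hunk.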
--- a/rt/net/sourceforge/jnlp/services/SingleInstanceLock.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/services/SingleInstanceLock.java Thu Nov 18 13:23:54 2010 +0000
@@ -126,7 +126,7 @@
 * may or may not exist.
 */
 private File getLockFile() {
- File baseDir = new File(JNLPRuntime.LOCKS_DIR);
+ File baseDir = new File(JNLPRuntime.getLocksDir());
 if (!baseDir.isDirectory() && !baseDir.mkdirs()) {
 throw new RuntimeException(R("RNoLockDir", baseDir));
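Review bot: The directory returned by `getLocksDir()` sits under `java.io.tmpdir` at a predictable per-user path, and `getLockFile()` accepts it whenever `baseDir.isDirectory()` is true, without checking who created it. In a shared temporary directory another local account could have created that path first; keeping the locks under the per-user `.netx` directory that `JNLPRuntime` already defines would avoid depending on a world-writable parent. The same concern applies to the `XDesktopEntry.installDesktopLauncher()` hunk, where the `.desktop` file is created under `getTempDir()` with a name derived from the application title; `File.createTempFile` would give it an unpredictable name. Both method bodies continue outside their hunks, so a later check may exist that is not visible here.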
--- a/rt/net/sourceforge/jnlp/util/XDesktopEntry.java Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/util/XDesktopEntry.java Thu Nov 18 13:23:54 2010 +0000
@@ -131,7 +131,7 @@
 * Install this XDesktopEntry into the user's desktop as a launcher
 */
 private void installDesktopLauncher() {
- File shortcutFile = new File(JNLPRuntime.TMP_DIR + File.separator
+ File shortcutFile = new File(JNLPRuntime.getTempDir() + File.separator
 + FileUtils.sanitizeFileName(file.getTitle()) + ".desktop");
 try {