[cp-patches] PR42390: Don't include Policy permissions in toString output

Dr Andrew John Hughes ahughes at redhat.com
Sun Mar 6 18:23:37 UTC 2011

The permissions from the current policy are included in the toString()
output of java.security.ProtectionDomain.  However, as a test case
I added to Mauve (gnu.testlet.java.security.Policy.Security) shows
when run against OpenJDK, these permissions shouldn't be revealed
when the SecurityManager prohibits calls to getPolicy.

I've committed the attached patch, which fixes this issue so that the
permissions are excluded if the SecurityManager doesn't allow the
policy to be read.

2011-02-22  Andrew John Hughes  <ahughes at redhat.com>

	PR classpath/42390
	* java/security/ProtectionDomain.java:
	(toString()): Don't include permissions from
	the policy if we don't have permission to read

Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37
-------------- next part --------------
Index: java/security/ProtectionDomain.java
RCS file: /sources/classpath/classpath/java/security/ProtectionDomain.java,v
retrieving revision 1.18
diff -u -u -r1.18 ProtectionDomain.java
--- java/security/ProtectionDomain.java	25 Dec 2010 01:23:50 -0000	1.18
+++ java/security/ProtectionDomain.java	6 Mar 2011 17:17:58 -0000
@@ -255,7 +255,15 @@
     if (!staticBinding) // include all but dont force loading Policy.currentPolicy
       if (Policy.isLoaded())
-        sb.append(Policy.getCurrentPolicy().getPermissions(this));
+        try
+          {
+            sb.append(Policy.getPolicy().getPermissions(this));
+          }
+        catch (SecurityException e)
+          {
+            // We are not allowed access to the policy.
+            sb.append(perms);
+          }
       else // fallback on this one's permissions
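Review bot: The try/catch is added under the brace-less `if (Policy.isLoaded())`, which itself sits under the brace-less `if (!staticBinding)`, so the trailing `else` now follows a multi-line try/catch and its binding is easy to misread. Bracing the `if (Policy.isLoaded())` body would make it explicit. The `sb.append(perms)` in the catch block also looks like the same fallback the `else // fallback on this one's permissions` branch describes; routing both the policy-not-loaded case and the SecurityException case through one fallback statement would keep them from drifting apart. Since the switch from `Policy.getCurrentPolicy()` to `Policy.getPolicy()` makes the output depend on whether the caller may read the policy, a sentence in the toString() documentation saying so would help.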
