SystemProperties secure?

Andrew Haley aph at redhat.com
Tue Nov 28 09:00:04 UTC 2006


Jeroen Frijters writes:
 > Tom Tromey wrote:
 > > >>>>> "Roman" == Roman Kennke <roman at kennke.org> writes:
 > > 
 > > Roman> We are using the SystemProperties class throughout the 
 > > Classpath code to
 > > Roman> access system properties and avoid the security checks in
 > > Roman> java.lang.System. However, I come to think that this 
 > > is no good the way
 > > Roman> it is. This class is public and nothing prevents use 
 > > of this class from
 > > Roman> application code.
 > > 
 > > As I recall things in gnu.classpath should not be available to
 > > application code.  The system class loader, or something, has to
 > > enforce this.
 > 
 > That's correct. The (default) system class loader calls
 > SecurityManager.checkPackageAccess() in loadClass(String,boolean).
 > 
 > > I'm having some trouble with the details but I know Jeroen knows the
 > > details here...
 > 
 > I don't remember the details of the rest of the story, but earlier in
 > this thread Casey posted a (very small) patch that enables this
 > infrastructure and protects the gnu.classpath. package.

I'm sure we don't do the right thing in gcj.  This test case
(apprended) should do:

Checking class [Lxxx.ttt;
checkPackageAccess sun.reflect.misc
checkPackageAccess sun.reflect.misc
checkPackageAccess xxx

but on gcj does:

Checking class [Lxxx.ttt;
checkPackageAccess xxx

Andrew.


------------------------------------------------------------------------
package xxx;

import java.net.*;
import java.lang.reflect.*;

class MySecurityManager extends SecurityManager
{
  public void checkPackageAccess(String s)
  {
    System.out.println("checkPackageAccess " + s);
  }

}

public class ttt
{
  public static void main(String[] argv) throws Exception
  {
    System.setSecurityManager(new MySecurityManager());
    ttt[] a = new ttt[4];
    System.out.println("Checking " + a.getClass());
    sun.reflect.misc.ReflectUtil.checkPackageAccess(a.getClass());
  }
}
------------------------------------------------------------------------



More information about the Classpath mailing list