Getting a live view of environment variables (Gradle and JDK 9)
dalibor topic
dalibor.topic at oracle.com
Thu Oct 12 18:50:35 UTC 2017
On 12.10.2017 16:23, Kirk Pepperdine wrote:
> Hi,
>
>> On Oct 12, 2017, at 2:54 PM, Mario Torre <neugens.limasoftware at gmail.com> wrote:
>>
>> 2017-10-12 11:58 GMT+02:00 Cédric Champeau <cedric.champeau at gmail.com>:
>>
>>> 1. an API in 18.3 which would let us refresh the environment variables,
>>> even if inherently unsafe (we can take the risk, if the Javadocs explains
>>> that if you're really unlucky calling such a method could kill your VM).
>>
>> Being a public API we would expose everyone to this risk, and the API
>> should be supported on all platforms maybe forever. I know other
>> people have different opinion here, but this seems to be high risk,
>> high impact to be worth.
>
> As I have stated in past postings, this behavior is unexpected and IMHO shouldn’t be supported.

Yeah, it smells a bit like stopThread to me, which may have seemed like
an interesting idea at the time, but created a lot of issues down the
road, as discussed in
https://docs.oracle.com/javase/9/docs/api/java/lang/doc-files/threadPrimitiveDeprecation.html

A 'setenv' might not be as simple as it sounds conceptually. For
example, it might necessitate thinking through what kind of security
permission would be required to govern its use.

In addition, having such functionality exposed by default could be a bit
like a conveniently placed loaded gun for an attacker attempting to
bring a system down - one man's 'unlucky call bringing down your VM' is
another man's 'lucky shot'.

That's not necessarily a hypothetical concern, as similar designs have
had their share of interesting issues in the past. For example:

"Cupsd invokes CGI applications for certain requests, and the 'SetEnv'
directive allows us to set arbitrary environment variables for these CGI
processes."

from
https://googleprojectzero.blogspot.de/2015/06/owning-internet-printing-case-study-in.html

cheers,
dalibor topic
--
Dalibor Topic | Principal Product Manager
Phone: +494089091214 | Mobile: +491737185961
ORACLE Deutschland B.V. & Co. KG | Kühnehöfe 5 | 22761 Hamburg
More information about the core-libs-dev mailing list