RFR JDK-8066709 Make some JDK system properties read only

Alan Bateman Alan.Bateman at oracle.com
Tue Jun 5 06:19:22 UTC 2018


On 04/06/2018 20:59, Roger Riggs wrote:
> :
>
>>
>> Are the changes to SocksSocketImpl correct? I may have missed 
>> something but the original called System.getProperty("user.dir") in a 
>> privileged block so I'm wondering if getUserNameChecked is needed.
> The existing code in SocksSocketImpl is inconsistent with respect to 
> access to user.name; some flows
> use doPriv to access the property and others did not.  If someone 
> familiar with the Socks networking function
> can recommend the proper access, it can be revised.  The intent was to 
> have the same security checks
> as before.
The original code at L181 is using 
GetPropertyAction.privilegedGetProperty so it looks like it reads the 
value of the property in a privileged block. The replacement code is 
doing an explicit permission check. If I read the original code 
correctly then it should only be doing a permission check for the proxy 
case. So I think it needs to be checked, another set of eyes would be 
useful.

-Alan


More information about the core-libs-dev mailing list