RFR JDK-8066709 Make some JDK system properties read only
Alan Bateman
Alan.Bateman at oracle.com
Tue Jun 5 06:19:22 UTC 2018
On 04/06/2018 20:59, Roger Riggs wrote:
> :
>
>>
>> Are the changes to SocksSocketImpl correct? I may have missed
>> something but the original called System.getProperty("user.dir") in a
>> privileged block so I'm wondering if getUserNameChecked is needed.
> The existing code in SocksSocketImpl is inconsistent with respect to
> access to user.name; some flows
> use doPriv to access the property and others did not. If someone
> familiar with the Socks networking function
> can recommend the proper access, it can be revised. The intent was to
> have the same security checks
> as before.
The original code at L181 is using
GetPropertyAction.privilegedGetProperty so it looks like it reads the
value of the property in a privileged block. The replacement code is
doing an explicit permission check. If I read the original code
correctly then it should only be doing a permission check for the proxy
case. So I think it needs to be checked, another set of eyes would be
useful.
-Alan
More information about the core-libs-dev
mailing list