RFR JDK-8066709 Make some JDK system properties read only

Roger Riggs Roger.Riggs at Oracle.com
Tue Jun 5 15:10:09 UTC 2018


Hi Alan,

On 6/5/2018 2:19 AM, Alan Bateman wrote:
> On 04/06/2018 20:59, Roger Riggs wrote:
>> :
>>
>>>
>>> Are the changes to SocksSocketImpl correct? I may have missed 
>>> something but the original called System.getProperty("user.dir") in 
>>> a privileged block so I'm wondering if getUserNameChecked is needed.
>> The existing code in SocksSocketImpl is inconsistent with respect to 
>> access to user.name; some flows
>> use doPriv to access the property and others did not.  If someone 
>> familiar with the Socks networking function
>> can recommend the proper access, it can be revised.  The intent was 
>> to have the same security checks
>> as before.
> The original code at L181 is using 
> GetPropertyAction.privilegedGetProperty so it looks like it reads the 
> value of the property in a privileged block. The replacement code is 
> doing an explicit permission check. If I read the original code 
> correctly then it should only be doing a permission check for the 
> proxy case. So I think it needs to be checked, another set of eyes 
> would be useful.
Yes, that case did not need the propertyAccess check.
(The local getUsername method could be simplified since 
applicationSetProxy can never be true (assuming no reflection setting it)).

Thanks, Roger

>
> -Alan


