[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives

Sat Sep 8 13:42:06 UTC 2018

On 9/7/18 7:58 PM, Weijun Wang wrote:
> In my understanding, the author deliberately wants to show the absolute paths when there are multiple jar files with the same name (Ex: a jar hell). 

If you are very familiar with a particular application and understand 
the risks associated with running it, then I agree that is ok. But 
security properties apply to all applications using that JDK, and so I 
don't always think it is practical for an admin to understand every type 
of application that may be using that JDK and whether or not enabling 
this property presents a risk.

> Maybe we can add some more detail in the java.security so an admin knows what exact impact it has.

It would be a slippery slope in my opinion. You would have to say 
something like: "enabling this property may allow untrusted code running 
under a SecurityManager to access sensitive information such as the 
user.home system property even if it has not been granted permission to 
do so."

I think we should consider not allowing this property to take effect if 
a SecurityManager is running.

--Sean

> 
> --Max
> 
>> On Sep 8, 2018, at 3:41 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> On 8/29/18 10:01 AM, Baesken, Matthias wrote:
>>> Hi Max, thanks for your input .
>>> I created another webrev , this contains now   the suggested  SecurityProperties   class :
>>> http://cr.openjdk.java.net/~mbaesken/webrevs/8205525.6/
>>
>> java/util/jar/Attributes.java
>>
>> 469         return AccessController.doPrivileged(new PrivilegedAction<String>() {
>> 470             public String run() {
>> 471                 return file.getAbsolutePath() + ":" + lineNumber;
>> 472             }
>> 473         });
>>
>> I have a serious concern with the code above.
>>
>> With this change, untrusted code running under a SecurityManager could potentially create a JarFile on a non-absolute path ex: "foo.jar", and (somehow) cause an IOException to be thrown which would then reveal the absolute path of where the jar was located, and thus could reveal sensitive details about the system (ex: the user's home directory). It could still be hard to exploit, since it would have to be a known jar that exists, and you would then need to cause an IOException to be thrown, but it's still theoretically possible.
>>
>> In short, this is a more general issue in that it may allow untrusted code to access something it couldn't have previously. new JarFile("foo.jar").getName() returns "foo.jar", and not the absolute path.
>>
>> Granted this can only be done if the security property is enabled, but I believe this is not something administrators should have to know about their environment and account for when enabling this property.
>>
>> The above code should be changed to return only what the caller provides to JarFile, which is the name of the file (without the full path).
>>
>> --Sean
> 