[rfc][icedtea-web] Reproducer of BeansStatement behaviour
Jiri Vanek
jvanek at redhat.com
Tue Dec 18 03:01:36 PST 2012
On 12/17/2012 06:01 PM, Omair Majid wrote:
> On 12/14/2012 03:58 PM, Adam Domurad wrote:
>> On 12/13/2012 11:35 AM, Jiri Vanek wrote:
>> Looks OK, although this seems like something that is better placed in a
>> JRE's test suite, not ITWs.
>
> Agreed. While it is nice to have another test to check a security
> property, I am not sure how sensible it is to add this test to
> icedtea-web. The test is, after all, testing that the JRE enforces a
> security check when a certain operation is performed. We do have a
> number of tests that check that the code in icedtea-web is running in a
> sandbox, but nothing that is as specific as this.
>
> I would like to know what's the motivation for adding this specific test
> to icedtea-web.
>
Motivation is simple: this was once safe and working. Due to several changes in the JDK, this became penetrable.
ITW is the way via which it can be misused. I think that having such a reproducer run periodically can speed up discovery, and so the fix, in case some changes lead to penetrability again.
Anyway, most security issues reappear because the reproducers disappear.
I really intend to forward most of such reproducers into the reproducers repo and to run them as often as possible, of course several months after the fix is published.
J.