[rfc][icedtea-web] DeploymentPropertiesAreExposed reproducer fix
Omair Majid
omajid at redhat.com
Fri Sep 13 13:13:56 PDT 2013
Hi Andrew,
On 09/13/2013 04:06 PM, Andrew Azores wrote:
> --- a/netx/net/sourceforge/jnlp/config/Defaults.java
> +++ b/netx/net/sourceforge/jnlp/config/Defaults.java
> - final static String USER_CONFIG_HOME;
> + public final static String USER_CONFIG_HOME;
> public final static String USER_CACHE_HOME;
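Review bot: widening USER_CONFIG_HOME to public in Defaults.java lets any class that can reach Defaults read a string derived from the user's home directory without ever calling System.getProperty("user.home"), so the property-access check that would normally apply is bypassed; if the reproducer only needs the value in tests, keep the field package-private and read it through a helper in the same package, or add a comment stating why public visibility is required.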
One not-immediately-obvious consequence of making these variables public
is that a random untrusted program might be able to look at them and
guess the value of System.getProperty("user.home"). That would be
leaking information and a security hole.
Thankfully, icedtea-web does disallow access to net.sourceforge.jnlp.**
packages so accessing the Defaults class should not be possible in
general. But I am still going to strongly encourage you to not expose
information.
Thanks,
Omair
--
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681
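The leak described in the reply above, as an added example that is not icedtea-web's code: a class whose public static String is computed from user.home during trusted start-up hands that path to any later caller, even one that a SecurityManager would refuse a direct property read. The classes, the accessor and the toy policy below are constructed for this demonstration and do not reflect the real Defaults class.

```java
// Added example (not icedtea-web code): a public static String field derived from
// user.home is readable without any permission check, whereas a package-private
// field behind a guarded accessor is not. Everything here is constructed.
import java.io.File;
import java.security.Permission;

public final class DefaultsDemo {

    /** Shape the patch introduces: computed once at class init, readable by anyone. */
    static final class LeakyDefaults {
        public static final String USER_CONFIG_HOME =
                System.getProperty("user.home") + File.separator + ".config";
    }

    /** Hardened shape: the field stays package-private; code outside the package
     *  goes through an accessor that applies the same check as a direct read. */
    static final class GuardedDefaults {
        static final String USER_CONFIG_HOME =
                System.getProperty("user.home") + File.separator + ".config";

        public static String userConfigHome() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPropertyAccess("user.home"); // SecurityException when denied
            }
            return USER_CONFIG_HOME;
        }
    }

    /** Toy policy (constructed): refuse reads of user.home, permit everything else. */
    static final class DenyUserHome extends SecurityManager {
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }
        @Override public void checkPropertyAccess(String key) {
            if ("user.home".equals(key)) {
                throw new SecurityException("read of user.home denied");
            }
        }
    }

    public static void main(String[] args) {
        // Trusted start-up: both classes initialise before any restriction exists,
        // as a launcher's configuration classes do before untrusted code runs.
        if (LeakyDefaults.USER_CONFIG_HOME == null
                || GuardedDefaults.USER_CONFIG_HOME == null) {
            throw new IllegalStateException("class init failed");
        }

        // From here on, code may not read user.home directly.
        System.setSecurityManager(new DenyUserHome());

        try {
            System.getProperty("user.home");
            System.out.println("direct read: allowed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("direct read: denied");
        }

        // No check guards a public field read, so the derived path still leaks.
        System.out.println("public field: " + LeakyDefaults.USER_CONFIG_HOME);

        try {
            System.out.println("guarded accessor: " + GuardedDefaults.userConfigHome());
        } catch (SecurityException e) {
            System.out.println("guarded accessor: denied");
        }
    }
}
```

Compile and run with `javac DefaultsDemo.java && java DefaultsDemo`; on JDK 18 and later the SecurityManager must be enabled with `java -Djava.security.manager=allow DefaultsDemo`. The public field prints the home-derived path after the restriction is in place, while both the direct property read and the guarded accessor are denied. Because the nested classes share a package here, the package-private field is technically still reachable from main; the point of the accessor is that it is the only route offered to code in other packages, and that route carries the same check as System.getProperty.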