Fwd: docs generator - prereview
Omair Majid
omajid at redhat.com
Mon Sep 8 16:37:52 UTC 2014
* Jiri Vanek <jvanek at redhat.com> [2014-09-04 11:20]:
> +public class PathsAndFiles {
> + public static final String USER_CONFIG_HOME;
> + public static final String USER_CACHE_HOME;
> + public static final String USER_SECURITY;
> + public static final String ICEDTEA_SO = "IcedTeaPlugin.so";
> + public static final InfrastructureFileDescriptor PIPES_DIR
> + public static final InfrastructureFileDescriptor MOZILA_USER
> + public static final InfrastructureFileDescriptor MOZILA_GLOBAL_64
> + public static final InfrastructureFileDescriptor MOZILA_GLOBAL_32
> + public static final InfrastructureFileDescriptor OPERA_64
> + public static final InfrastructureFileDescriptor OPERA_32
> +
> + public static final InfrastructureFileDescriptor CACHE_DIR
> + public static final InfrastructureFileDescriptor PCACHE_DIR
> + public static final InfrastructureFileDescriptor LOG_DIR
> + public static final InfrastructureFileDescriptor APPLET_TRUST_SETTINGS_USER
> + public static final InfrastructureFileDescriptor APPLET_TRUST_SETTINGS_SYS
> + public static final InfrastructureFileDescriptor ETC_DEPLOYMENT_CFG
> + public static final InfrastructureFileDescriptor TMP_DIR
> +
> + public static final InfrastructureFileDescriptor LOCKS_DIR
> + public static final InfrastructureFileDescriptor MAIN_LOCK
> +
> + public static final InfrastructureFileDescriptor JAVA_POLICY
> + public static final InfrastructureFileDescriptor USER_CACERTS
> + public static final InfrastructureFileDescriptor USER_JSSECAC
> + public static final InfrastructureFileDescriptor USER_CERTS
> + public static final InfrastructureFileDescriptor USER_JSSECER
> + public static final InfrastructureFileDescriptor USER_CLIENTCERT
> +
> + public static final InfrastructureFileDescriptor SYS_CACERT
> + public static final InfrastructureFileDescriptor SYS_JSSECAC
> + public static final InfrastructureFileDescriptor SYS_CERT
> + public static final InfrastructureFileDescriptor SYS_JSSECERT
> + public static final InfrastructureFileDescriptor SYS_CLIENTCERT
> +
> + public static final InfrastructureFileDescriptor JAVA_DEPLOYMENT_PROP_FILE
> + public static final InfrastructureFileDescriptor USER_DEPLOYMENT_FILE
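
Review bot: The three `public static final String` fields at the top of `PathsAndFiles` (`USER_CONFIG_HOME`, `USER_CACHE_HOME`, `USER_SECURITY`) and every `InfrastructureFileDescriptor` constant below them are public members of a public class, so any code that can reference the class reads them directly, with no place where a caller check could be enforced. If they hold per-user locations, as the names suggest, consider making the fields private or package-private and exposing them through accessors that can perform a permission check before returning a path. Separately, the naming is inconsistent: `MOZILA_*` looks like a misspelling of Mozilla, and the user/system pairs do not line up (`USER_CACERTS` vs `SYS_CACERT`, `USER_JSSECER` vs `SYS_JSSECERT`, `USER_CERTS` vs `SYS_CERT`).
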
These are public fields in a public class. Can applets look at these
variables and identify restricted user information (such as username)?
We had similar security issues in the past:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3860
Thanks,
Omair
--
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681