Fwd: docs generator - prereview
Jiri Vanek
jvanek at redhat.com
Mon Sep 8 16:42:41 UTC 2014
On 09/08/2014 06:37 PM, Omair Majid wrote:
> * Jiri Vanek <jvanek at redhat.com> [2014-09-04 11:20]:
>> +public class PathsAndFiles {
>
>> + public static final String USER_CONFIG_HOME;
>> + public static final String USER_CACHE_HOME;
>> + public static final String USER_SECURITY;
>
>> + public static final String ICEDTEA_SO = "IcedTeaPlugin.so";
>
>> + public static final InfrastructureFileDescriptor PIPES_DIR
>> + public static final InfrastructureFileDescriptor MOZILA_USER
>> + public static final InfrastructureFileDescriptor MOZILA_GLOBAL_64
>> + public static final InfrastructureFileDescriptor MOZILA_GLOBAL_32
>> + public static final InfrastructureFileDescriptor OPERA_64
>> + public static final InfrastructureFileDescriptor OPERA_32
>> +
>> + public static final InfrastructureFileDescriptor CACHE_DIR
>> + public static final InfrastructureFileDescriptor PCACHE_DIR
>> + public static final InfrastructureFileDescriptor LOG_DIR
>> + public static final InfrastructureFileDescriptor APPLET_TRUST_SETTINGS_USER
>> + public static final InfrastructureFileDescriptor APPLET_TRUST_SETTINGS_SYS
>> + public static final InfrastructureFileDescriptor ETC_DEPLOYMENT_CFG
>> + public static final InfrastructureFileDescriptor TMP_DIR
>> +
>> + public static final InfrastructureFileDescriptor LOCKS_DIR
>> + public static final InfrastructureFileDescriptor MAIN_LOCK
>> +
>> + public static final InfrastructureFileDescriptor JAVA_POLICY
>> + public static final InfrastructureFileDescriptor USER_CACERTS
>> + public static final InfrastructureFileDescriptor USER_JSSECAC
>> + public static final InfrastructureFileDescriptor USER_CERTS
>> + public static final InfrastructureFileDescriptor USER_JSSECER
>> + public static final InfrastructureFileDescriptor USER_CLIENTCERT
>> +
>> + public static final InfrastructureFileDescriptor SYS_CACERT
>> + public static final InfrastructureFileDescriptor SYS_JSSECAC
>> + public static final InfrastructureFileDescriptor SYS_CERT
>> + public static final InfrastructureFileDescriptor SYS_JSSECERT
>> + public static final InfrastructureFileDescriptor SYS_CLIENTCERT
>> +
>> + public static final InfrastructureFileDescriptor JAVA_DEPLOYMENT_PROP_FILE
>> + public static final InfrastructureFileDescriptor USER_DEPLOYMENT_FILE
>
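Review bot: USER_CONFIG_HOME, USER_CACHE_HOME and USER_SECURITY are public static String fields on a public class, so they are readable by any code that can reach PathsAndFiles, with no check at the field itself. Their initializers are not shown in the quoted lines, but if they are built from the user's home directory the values carry the username. Consider making them private or package-private and exposing them through an accessor that performs a permission check first; the same applies to the InfrastructureFileDescriptor constants if a descriptor hands back its resolved path. Separately, the names are inconsistent between the user and system keystore sets (USER_CACERTS vs SYS_CACERT, USER_CERTS vs SYS_CERT, USER_JSSECER vs SYS_JSSECERT), and MOZILA_USER, MOZILA_GLOBAL_64 and MOZILA_GLOBAL_32 misspell Mozilla; fixing these before other code starts referring to the constants avoids a later rename.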
> These are public fields in a public class. Can applets look at these
> variables and identify restricted user information (such as username)?
> We had similar security issues in the past:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3860
>
Signed ones can, unsigned ones cannot.
ty!
J.