Local file access change with new Java update
Mario Torre
neugens.limasoftware at gmail.com
Thu Jul 11 06:43:10 PDT 2013
2013/7/11 Gregg Wonderly <gregg at wonderly.org>:
> It seems rather unfortunate that obscurity is being pushed as a form of security. It isn't, that's why security problems are discovered in the field. You can't obscure problems forever. The subtle implication is that "file:" urls are treated specially by the security manager, in applet mode, compared to network based urls.
This is not really security-by-obscurity. The security patch is out,
everybody can study it. I'm also sure you can find enough information
if you know where to search. Nobody really hopes that not sharing the
security details will prevent people from exploiting the unpatched
systems. The only reason why details are not discussed in public is to
not make it too easy for people to reproduce the issue. Sometimes you
also have NDA or other legal matters preventing you from a public
discussion. Note, I'm not saying this is the case for this patch, just
saying this is how things work usually.
Can Security be handled better? Yes, probably. But the discussion on
how to improve it should be moved to the Governing Board in my
opinion. If you want to have your voice heard, join the Java Community
and participate; criticism is welcome, as long as it's constructive.
Cheers,
Mario
--
pgp key: http://subkeys.pgp.net/ PGP Key ID: 80F240CF
Fingerprint: BA39 9666 94EC 8B73 27FA FC7C 4086 63E3 80F2 40CF
IcedRobot: www.icedrobot.org
Proud GNU Classpath developer: http://www.classpath.org/
Read About us at: http://planet.classpath.org
OpenJDK: http://openjdk.java.net/projects/caciocavallo/
Please, support open standards:
http://endsoftpatents.org/