security manager not consulted when reading symbolic link.
Martin Buchholz
martinrb at google.com
Tue Nov 12 13:27:29 PST 2013
When UnixFileSystemProvider creates a symbolic link, it does:

        // permission check
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new LinkPermission("symbolic"));
            link.checkWrite();
        }

but when it reads a symbolic link, it does:

        // permission check
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            FilePermission perm = new FilePermission(link.getPathForPermissionCheck(),
                SecurityConstants.FILE_READLINK_ACTION);
            AccessController.checkPermission(perm);
        }

which bypasses the security manager. Which seems like a bug.

Why not have parallel code, most obviously

        sm.checkPermission(perm);
        link.checkRead();
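
Added example, not part of the original message and not JDK code: a stand-alone program contrasting the two check styles quoted above, showing that an installed SecurityManager subclass sees a "readlink" FilePermission only when the check goes through sm.checkPermission. The class names and the path are constructed for illustration, and it assumes a JDK where System.setSecurityManager is still permitted (for example JDK 8).

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;

// Illustration only; RecordingManager and the path below are constructed names.
public class ReadLinkCheckDemo {

    // Custom manager that records every permission it is asked about and
    // allows all of them, so the only question is whether it was consulted.
    static final class RecordingManager extends SecurityManager {
        final List<Permission> consulted = new ArrayList<>();

        @Override
        public void checkPermission(Permission perm) {
            consulted.add(perm);
        }
    }

    public static void main(String[] args) {
        RecordingManager sm = new RecordingManager();
        System.setSecurityManager(sm);

        FilePermission perm = new FilePermission("/tmp/example-link", "readlink");

        // Style used when creating a link: the installed manager decides.
        sm.consulted.clear();
        System.getSecurityManager().checkPermission(perm);
        System.out.println("sm.checkPermission consulted manager: "
                + sm.consulted.contains(perm));

        // Style used when reading a link: AccessController evaluates the
        // calling context against the Policy and never calls the override.
        sm.consulted.clear();
        String outcome;
        try {
            AccessController.checkPermission(perm);
            outcome = "granted by Policy";
        } catch (AccessControlException e) {
            outcome = "denied by Policy";
        }
        System.out.println("AccessController.checkPermission: " + outcome);
        System.out.println("AccessController consulted manager: "
                + sm.consulted.contains(perm));
    }
}
```

A manager that overrides checkPermission to enforce its own rules therefore has no say over the second call, whether its rules would have allowed or denied the read.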