[rfc][icedtea-web] DeploymentPropertiesAreExposed reproducer fix

Jiri Vanek jvanek at redhat.com
Mon Sep 16 07:02:08 PDT 2013


On 09/13/2013 10:13 PM, Omair Majid wrote:
> Hi Andrew,
>
> On 09/13/2013 04:06 PM, Andrew Azores wrote:
>> --- a/netx/net/sourceforge/jnlp/config/Defaults.java
>> +++ b/netx/net/sourceforge/jnlp/config/Defaults.java
>
>> -    final static String USER_CONFIG_HOME;
>> +    public final static String USER_CONFIG_HOME;
>>       public final static String USER_CACHE_HOME;
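Review bot: widening USER_CONFIG_HOME from package-private to public in the `-`/`+` pair above means any code that can load Defaults, not just the reproducer test, can read a value derived from System.getProperty("user.home"); if the test is the only consumer, keep the field package-private (or make it private and read it from the test via reflection), so the fix does not rely solely on the net.sourceforge.jnlp.** package access restriction to keep that information from untrusted code.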
>
> One not-immediately-obvious consequence of making these variables public
> is that a random untrusted program might be able to look at them and
> guess the value of System.getProperty("user.home"). That would be
> leaking information and a security hole.
>
> Thankfully, icedtea-web does disallow access to net.sourceforge.jnlp.**
> packages so accessing the Defaults class should not be possible in
> general. But I am still going to strongly encourage you to not expose
> information.
>
> Thanks,
> Omair
>

Yes, it is interesting. From this point of view (and, as Jacob picked up, easily fakeable), both
 >> +    public final static String USER_CONFIG_HOME;
 >>       public final static String USER_CACHE_HOME;
and also all the other for-testing package-private fields should become private and be used in tests via
reflection only...

Well, it's not nice :(

Any opinion?

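The reflection-only approach suggested above, as an added example that is not icedtea-web code: `Defaults` here is a stand-in for the real net.sourceforge.jnlp.config.Defaults class, and the directory layout under user.home is a hypothetical value, not the project's.

```java
// Added example, not icedtea-web code. "Defaults" is a stand-in for
// net.sourceforge.jnlp.config.Defaults (assumption); the path suffix is hypothetical.
import java.lang.reflect.Field;

final class Defaults {
    // Kept private: no public constant that untrusted code could read to
    // infer System.getProperty("user.home").
    private static final String USER_CONFIG_HOME =
            System.getProperty("user.home") + "/.config/icedtea-web";

    private Defaults() { }
}

public final class DefaultsReflectionTest {
    /**
     * Reads a private static String field by name. Only test code uses this;
     * under a restrictive SecurityManager setAccessible() throws
     * SecurityException, which is the behaviour wanted for untrusted code.
     */
    static String readPrivateStatic(Class<?> owner, String name)
            throws ReflectiveOperationException {
        Field f = owner.getDeclaredField(name);
        f.setAccessible(true);
        return (String) f.get(null);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        String home = readPrivateStatic(Defaults.class, "USER_CONFIG_HOME");
        // The reproducer test can still check the derived value without the
        // field being part of the public API.
        if (!home.startsWith(System.getProperty("user.home"))) {
            throw new AssertionError("unexpected USER_CONFIG_HOME: " + home);
        }
        System.out.println("USER_CONFIG_HOME read via reflection: " + home);
    }
}
```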

