Details
-
Bug
-
Resolution: Fixed
-
P1
-
1.1.4
-
1.1.5
-
sparc
-
solaris_2.5.1
-
Verified
Description
I fixed 4016360, and this led to discovering the following attack:
Using the ClassLoader.getSystemResource() method,
you can construct a file existence attack on files in directories
listed on CLASSPATH. This is because the sysresouce API constructs a
URL by first checking if the file exists -- so if you get a URL, this
means that file does exist and you can look at the directory it is in
by doing a toString() on the returned URL. If you get null, the file
doesn't exist. Of course, you cannot read the file, just do an
existence attack.
There are a coupla fixes for this:
- mangle the URL string with a private key generated at
runtime, and private to the VM.
- do the file existence check at the Java level, rather than
at the C level (with sysOpen). This will cause a Java level
security exception that we can then swallow (as we do for
4062427).
Bill Shannon remarks that we should commit to fix this for 1.1.5.
anand.palaniswamy@Eng 1997-09-19
Using the ClassLoader.getSystemResource() method,
you can construct a file existence attack on files in directories
listed on CLASSPATH. This is because the sysresouce API constructs a
URL by first checking if the file exists -- so if you get a URL, this
means that file does exist and you can look at the directory it is in
by doing a toString() on the returned URL. If you get null, the file
doesn't exist. Of course, you cannot read the file, just do an
existence attack.
There are a coupla fixes for this:
- mangle the URL string with a private key generated at
runtime, and private to the VM.
- do the file existence check at the Java level, rather than
at the C level (with sysOpen). This will cause a Java level
security exception that we can then swallow (as we do for
4062427).
Bill Shannon remarks that we should commit to fix this for 1.1.5.
anand.palaniswamy@Eng 1997-09-19