-
Bug
-
Resolution: Fixed
-
P4
-
1.1.6
-
b01
-
x86
-
windows_nt
There is a slight security exposure in that numeric or boolean
System properties can be read by an untrusted applet.
The applet viewer normally disables access to system properties,
except for a few which do not reveal sensitive information.
Allowed properties:
"file.separator" File separator (for example, "/")
"java.class.version" Java class version number
"java.vendor" Java vendor-specific string
"java.vendor.url" Java vendor URL
"java.version" Java version number
"line.separator" Line separator
"os.arch" Operating system architecture
"os.name" Operating system name
"path.separator" Path separator (for example, ":")
other properties such as
"java.class.path" Java classpath
"java.home" Java installation directory
"user.dir" User's current working directory
"user.home" User home directory
"user.name" User account name
are disallowed by the appletviewer.
The applet viewer checks whether a System.getProperty() request needs
to be security checked by the following code in AppletSecurity.java
/**
* Applets can access the system property named by <i>key</i>
* only if its twin <i>key.applet</i> property is set to true.
* For example, the property <code>java.home</code> can be read by
* applets only if <code>java.home.applet</code> is <code>true</code>.
*/
public synchronized void checkPropertyAccess(String key) {
if (classLoaderDepth() == 2) {
String prop = System.getProperty(key + ".applet");
boolean allow = new Boolean(prop).booleanValue();
if (allow) {
return;
} else {
throw new AppletSecurityException("checkpropsaccess.key", prop);
}
}
}
The classLoaderDepth would normally be 2 for an untrusted access
AppletSecurity.checkPropertyAccess() <- depth of first class with
Classloader=2
java.lang.System.getProperty()
untrustedApplet() <- loaded by classLoader
but if the applet uses the Long.getLong() method then the
ClassLoaderDepth will be 3
AppletSecurity.checkPropertyAccess() <- depth of first class with
Classloader=3
java.lang.System.getProperty()
java.Long.getLong()
untrustedApplet() <- loaded by classLoader
The applet viewer will not then do the security check.
/**
* Determines the <code>long</code> value of the system property
* with the specified name.
* <p>
* The first argument is treated as the name of a system property.
* System properties are accessible through <code>getProperty</code>
* and , a method defined by the <code>System</code> class. The
* string value of this property is then interpreted as a long value
* and a <code>Long</code> object representing this value is returned.
* <p>
* If the property value begins with "<code>0x</code>" or
* "<code>#</code>", not followed by a minus sign, the rest
* of it is parsed as a hexadecimal integer exactly as for the method
* <code>Long.valueOf</code> with radix 16.
* <p>
* If the property value begins with "<code>0</code>",
* then it is parsed as an octal integer exactly as for the method
* <code>Long.valueOf</code> with radix 8.
* <p>
* Otherwise the property value is parsed as a decimal integer
* exactly as for the method <code>Long.valueOf</code> with radix 10.
* <p>
* Note that, in every case, neither <code>L</code> nor
* <code>l</code> is permitted to appear at the end of the string.
* <p>
* The second argument is the default value. If there is no property
* of the specified name, or if the property does not have the
* correct numeric format, then the second argument is returned
*
* @param nm the property name.
* @param val the default <code>Long</code> value.
* @return the <code>long</code> value of the property.
* @see java.lang.Long#valueOf(java.lang.String, int)
* @see java.lang.System#getProperty(java.lang.String)
* @see java.lang.System#getProperty(java.lang.String, java.lang.String)
* @since JDK1.0
*/
public static Long getLong(String nm, Long val) {
String v = System.getProperty(nm);
if (v != null) {
try {
if (v.startsWith("0x")) {
return Long.valueOf(v.substring(2), 16);
}
if (v.startsWith("#")) {
return Long.valueOf(v.substring(1), 16);
}
if (v.startsWith("0") && v.length() > 1) {
return Long.valueOf(v.substring(1), 8);
}
return Long.valueOf(v);
} catch (NumberFormatException e) {
}
}
return val;
}
Similar problems exist with
Boolean.getBoolean()
Integer.getInteger()
This allows an untrusted applet to get access to any System property whose
value can be parsed as a boolean, int or long.
One possible system property where this could be so is 'user.name',
though of course others are possible.
(There is a slight API asymmetry as Boolean returns a boolean, not the
object wrapper Boolean, whereas getInteger and getLong return
object wrappers Integer and Long. This is not relevant to this problem.)
System properties can be read by an untrusted applet.
The applet viewer normally disables access to system properties,
except for a few which do not reveal sensitive information.
Allowed properties:
"file.separator" File separator (for example, "/")
"java.class.version" Java class version number
"java.vendor" Java vendor-specific string
"java.vendor.url" Java vendor URL
"java.version" Java version number
"line.separator" Line separator
"os.arch" Operating system architecture
"os.name" Operating system name
"path.separator" Path separator (for example, ":")
other properties such as
"java.class.path" Java classpath
"java.home" Java installation directory
"user.dir" User's current working directory
"user.home" User home directory
"user.name" User account name
are disallowed by the appletviewer.
The applet viewer checks whether a System.getProperty() request needs
to be security checked by the following code in AppletSecurity.java
/**
* Applets can access the system property named by <i>key</i>
* only if its twin <i>key.applet</i> property is set to true.
* For example, the property <code>java.home</code> can be read by
* applets only if <code>java.home.applet</code> is <code>true</code>.
*/
public synchronized void checkPropertyAccess(String key) {
if (classLoaderDepth() == 2) {
String prop = System.getProperty(key + ".applet");
boolean allow = new Boolean(prop).booleanValue();
if (allow) {
return;
} else {
throw new AppletSecurityException("checkpropsaccess.key", prop);
}
}
}
The classLoaderDepth would normally be 2 for an untrusted access
AppletSecurity.checkPropertyAccess() <- depth of first class with
Classloader=2
java.lang.System.getProperty()
untrustedApplet() <- loaded by classLoader
but if the applet uses the Long.getLong() method then the
ClassLoaderDepth will be 3
AppletSecurity.checkPropertyAccess() <- depth of first class with
Classloader=3
java.lang.System.getProperty()
java.Long.getLong()
untrustedApplet() <- loaded by classLoader
The applet viewer will not then do the security check.
/**
* Determines the <code>long</code> value of the system property
* with the specified name.
* <p>
* The first argument is treated as the name of a system property.
* System properties are accessible through <code>getProperty</code>
* and , a method defined by the <code>System</code> class. The
* string value of this property is then interpreted as a long value
* and a <code>Long</code> object representing this value is returned.
* <p>
* If the property value begins with "<code>0x</code>" or
* "<code>#</code>", not followed by a minus sign, the rest
* of it is parsed as a hexadecimal integer exactly as for the method
* <code>Long.valueOf</code> with radix 16.
* <p>
* If the property value begins with "<code>0</code>",
* then it is parsed as an octal integer exactly as for the method
* <code>Long.valueOf</code> with radix 8.
* <p>
* Otherwise the property value is parsed as a decimal integer
* exactly as for the method <code>Long.valueOf</code> with radix 10.
* <p>
* Note that, in every case, neither <code>L</code> nor
* <code>l</code> is permitted to appear at the end of the string.
* <p>
* The second argument is the default value. If there is no property
* of the specified name, or if the property does not have the
* correct numeric format, then the second argument is returned
*
* @param nm the property name.
* @param val the default <code>Long</code> value.
* @return the <code>long</code> value of the property.
* @see java.lang.Long#valueOf(java.lang.String, int)
* @see java.lang.System#getProperty(java.lang.String)
* @see java.lang.System#getProperty(java.lang.String, java.lang.String)
* @since JDK1.0
*/
public static Long getLong(String nm, Long val) {
String v = System.getProperty(nm);
if (v != null) {
try {
if (v.startsWith("0x")) {
return Long.valueOf(v.substring(2), 16);
}
if (v.startsWith("#")) {
return Long.valueOf(v.substring(1), 16);
}
if (v.startsWith("0") && v.length() > 1) {
return Long.valueOf(v.substring(1), 8);
}
return Long.valueOf(v);
} catch (NumberFormatException e) {
}
}
return val;
}
Similar problems exist with
Boolean.getBoolean()
Integer.getInteger()
This allows an untrusted applet to get access to any System property whose
value can be parsed as a boolean, int or long.
One possible system property where this could be so is 'user.name',
though of course others are possible.
(There is a slight API asymmetry as Boolean returns a boolean, not the
object wrapper Boolean, whereas getInteger and getLong return
object wrappers Integer and Long. This is not relevant to this problem.)