- Bug
- Resolution: Not an Issue
- P4
- None
- 1.2.0
- generic, sparc
- generic, solaris_2.5.1
Name: krT82822 Date: 04/20/99
JFileChooser checks to see if it has write permission to the
current directory before enabling the newFolder action. However,
it does not catch the resulting security exception if it does
not have permission. This causes the JFileChooser to die if
the program is configured for read but not write access.
The offending lines are:
(in Swing 1.1.1beta2) line 530 of javax.swing.plaf.metal.MetalFileChooserUI
(in JDK 1.2 bundle) line 493 of javax.swing.plaf.metal.MetalFileChooserUI
A simple test case to reproduce this bug is:
import javax.swing.*;

public class test extends JApplet {
    public void init () {
        try {
            new JFileChooser ().showOpenDialog (this);
        } catch (SecurityException e) {
            e.printStackTrace ();
        }
    }
}
with the policy file:
grant {
    permission java.io.FilePermission "<<ALL FILES>>", "read";
};
grant {
    permission java.util.PropertyPermission "user.home", "read";
};
(Review ID: 57163)
======================================================================
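One way to write the probe the report above describes, as an added example that is not part of the original report and not Swing's code: with a security manager installed, `File.canWrite()` throws `SecurityException` when the policy denies write access rather than returning false, so the probe catches it and the action is simply disabled. The class and method names are hypothetical.

```java
import java.awt.event.ActionEvent;
import java.io.File;
import javax.swing.AbstractAction;
import javax.swing.Action;

// Added illustration; NewFolderGuard and its methods are hypothetical names.
public class NewFolderGuard {

    /** True only when the write check succeeds; a policy denial counts as read-only. */
    static boolean mayCreateIn(File dir) {
        try {
            // isDirectory() and canWrite() consult the security manager when one
            // is installed; a denial surfaces as SecurityException, not as false.
            return dir != null && dir.isDirectory() && dir.canWrite();
        } catch (SecurityException denied) {
            return false;
        }
    }

    /** Builds a "new folder" action whose enabled state follows the probe. */
    static Action newFolderAction(final File currentDir) {
        Action action = new AbstractAction("New Folder") {
            @Override
            public void actionPerformed(ActionEvent e) {
                File target = new File(currentDir, "NewFolder");
                try {
                    if (!target.mkdir()) {
                        System.err.println("Could not create " + target);
                    }
                } catch (SecurityException denied) {
                    // The probe is only a hint; the real operation is checked again.
                    System.err.println("Policy denies write: " + target);
                    setEnabled(false);
                }
            }
        };
        action.setEnabled(mayCreateIn(currentDir));
        return action;
    }

    public static void main(String[] args) {
        File dir = new File(args.length > 0 ? args[0] : ".");
        Action action = newFolderAction(dir);
        System.out.println(dir + " -> newFolder enabled: " + action.isEnabled());
    }
}
```

On JDK 17 and later the Security Manager is deprecated for removal (JEP 411), so the `SecurityException` branches are only reachable on runtimes that still enforce a policy.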
Name: krT82822 Date: 07/06/99
I have written an application, which used a security manager
and security policies to limit file system access to one
directory only.
Then I decided to add a JFileChooser-Dialog to open a file and
then I got a lot of surprising and unwanted exceptions.
JFileChooser needed not only read access to my directory but also
write access and read access to every parent directory and to
every child directory.
And the real bug is, at least I see it as a bug:
- I am able to view the content of every directory my user-id is
allowed to and only the directories I have given the
java.io.FilePermission read.
- I am able to create a new Directory with the JFileChooser
NewFolder-Icon, but I have never given any write or execute
java.io.FilePermissions for that directory (not even read).
To produce the bug, do the following:
- make sure your current directory is NOT /tmp
- java -Djava.security.policy==test.policy testFileChooser /tmp
- use the JFileChooser to change to /tmp and click the
NewFolder-Icon and a new directory is created.
- use the JFileChooser to look in every directory you like.
Source code:
import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.security.*;
import java.io.*;
import java.net.*;

public class testFileChooser {
    private JFileChooser jfc;
    private String dir;
    private String testDir;

    public testFileChooser(String dir, String tdir) {
        this.dir = dir;
        testDir = tdir;
        jfc = new JFileChooser(this.dir);
    }

    public void showIt() {
        int result = jfc.showOpenDialog((Component)null);
        if(result==JFileChooser.APPROVE_OPTION) {
            File f=jfc.getSelectedFile();
            try {
                FileInputStream fis = new FileInputStream(f);
                while(fis.read()!=-1) ;
                fis.close();
                System.out.println("should throw exception, if outside "+
                                   dir);
            } catch (Exception e2) {
                System.out.println("The expected exception:"+
                                   e2.toString());
            }
        }
        System.exit(0);
    }

    public void testFile() {
        try {
            File newDir = new File(testDir+ File.separator+ "newdir");
            newDir.mkdirs();
        } catch (Exception e) {
            System.out.println("The expected exception:"+
                               e.toString());
        }
    }

    public static void main(String argv[]) {
        if(System.getSecurityManager()==null) {
            System.setSecurityManager(new SecurityManager());
        }
        String currentDir = System.getProperty("user.dir");
        Policy p = Policy.getPolicy();
        try {
            System.out.println("Current Policy:"+
                p.getPermissions(new CodeSource(new URL("file:"+currentDir),
                                                null)).toString());
        } catch (Exception e) {}
        testFileChooser tfc = new testFileChooser(currentDir, argv[0]);
        tfc.testFile();
        tfc.showIt();
    }
}
Policy-File:
/* AUTOMATICALLY GENERATED ON Mon Feb 08 13:58:18 CET 1999*/
/* DO NOT EDIT */
keystore "/home/kant/projekte/siata/siata.keystore", "jks";

grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};

grant {
    permission java.lang.RuntimePermission "stopThread";
    permission java.net.SocketPermission "localhost:1024-", "listen";
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
};

grant codeBase "file:/home/kant/projekte/siata/test/loader" {
    permission java.security.AllPermission;
};

grant codeBase "file:/home/kant/projekte/siata/test/" {
    permission java.awt.AWTPermission "accessEventQueue";
    permission java.io.FilePermission "/home/kant/projekte/siata/-", "read, write, delete, execute";
    permission java.io.FilePermission "/", "read";
    permission java.util.PropertyPermission "user.home", "read";
    permission java.io.FilePermission "${user.home}", "write, read";
    permission java.io.FilePermission "/home/-", "read";
    permission java.io.FilePermission "/home/dai", "read";
    permission java.io.FilePermission "${user.home}/-", "read";
    permission java.io.FilePermission "/home", "read";
};

grant codeBase "file:/home/dai/kbsufka/siata/work/bug" {
    permission java.lang.RuntimePermission "createSecurityManager";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.util.PropertyPermission "user.dir", "read, write";
    permission java.security.SecurityPermission "getPolicy";
    permission java.awt.AWTPermission "accessEventQueue";
    permission java.io.FilePermission "/", "read";
    permission java.io.FilePermission "/home/dai/kbsufka/siata/work/bug", "read, write";
    permission java.io.FilePermission "/home", "read";
    permission java.io.FilePermission "/home/dai/kbsufka/siata/work/bug/*", "read";
    permission java.io.FilePermission "/home/dai/kbsufka", "read";
    permission java.io.FilePermission "/home/dai/kbsufka/siata", "read";
    permission java.io.FilePermission "/home/dai/kbsufka/siata/work", "read";
    permission java.io.FilePermission "/home/dai", "read";
};
(Review ID: 53878)
======================================================================
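To audit what the policy file in the second report actually grants, the `FilePermission` entries can be replayed and queried with `implies()`, with no security manager installed. This is an added example, not part of the report: it assumes the test class is covered by the `.../work/bug` codeBase grant and Unix-style paths, and the class name is hypothetical. In `FilePermission` a bare path matches only that path, a trailing `/*` matches direct children, and a trailing `/-` matches the whole subtree.

```java
import java.io.FilePermission;
import java.security.Permissions;

// Added illustration (hypothetical class name). Replays the FilePermission
// grants of the policy's ".../work/bug" codeBase and evaluates them directly.
public class PolicyProbe {
    static final String BUG = "/home/dai/kbsufka/siata/work/bug";

    /** The FilePermission entries copied from the report's policy file. */
    static Permissions bugCodeBaseGrants() {
        Permissions p = new Permissions();
        p.add(new FilePermission("/", "read"));
        p.add(new FilePermission(BUG, "read, write"));
        for (String dir : new String[] {"/home", "/home/dai", "/home/dai/kbsufka",
                "/home/dai/kbsufka/siata", "/home/dai/kbsufka/siata/work"}) {
            p.add(new FilePermission(dir, "read"));
        }
        p.add(new FilePermission(BUG + "/*", "read"));
        return p;
    }

    /** Asks the collection whether it implies the given path and actions. */
    static boolean allowed(Permissions p, String path, String actions) {
        return p.implies(new FilePermission(path, actions));
    }

    public static void main(String[] args) {
        Permissions p = bugCodeBaseGrants();
        String[][] queries = {
            {"/", "read"},               // the root entry itself
            {"/tmp", "read"},            // a directory outside every grant
            {"/tmp/newdir", "write"},    // the NewFolder case from the report
            {BUG, "write"},              // the one path granted write
            {BUG + "/newdir", "write"},  // a child of that path
            {BUG + "/a.txt", "read"},    // a direct child matched by "/*"
        };
        for (String[] q : queries) {
            System.out.printf("%-45s %-6s %s%n", q[0], q[1],
                    allowed(p, q[0], q[1]) ? "implied" : "NOT implied");
        }
    }
}
```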
- relates to: JDK-4346409 JFileChooser ignores permission on directories. (Closed)