Name: akR10050 Date: 08/07/2003
On the Windows XP platform, Runtime.exec(String[], String[]) sets only the
environment variables specified in the second argument. For example, the TEMP
variable is not taken from the system environment unless explicitly specified.
When TEMP is dropped, the java.io.tmpdir property points to the system root,
which is a security risk.
Here is a part of specification for Runtime.exec(String[], String[]):
------------- begin
Given an array of strings cmdarray, representing the tokens of a command
line, and an array of strings envp, representing "environment" variable
settings, this method creates a new process in which to execute the specified
command.
If envp is null, the subprocess inherits the environment settings of the current
process.
------------- end
While this behaviour may appear to be in accordance with the specification, it
contradicts the implementations for other platforms, where TEMP is always set
for a new process.
Below is an example demonstrating the behaviour (Test23 invokes Test22 using
Runtime.exec()):
--- Test22.java
import java.io.*;

public class Test22 {
    public static void main(String[] args) {
        // Report the temp directory this JVM derived from its environment.
        System.out.print("Value of java.io.tmpdir: ");
        System.out.println((System.getProperty("java.io.tmpdir").equals("")) ?
                "empty" : System.getProperty("java.io.tmpdir"));
        try {
            // Creates a file in java.io.tmpdir, or fails if it is not writable.
            File.createTempFile("test", "tmp");
        } catch (IOException ioe) {
            ioe.printStackTrace(System.err);
        }
    }
}
--- end of Test22.java
--- Test23.java
import java.io.*;

public class Test23 {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: ");
            System.out.println(" java Test23 <java-launcher> <classpath>");
            return;
        }
        try {
            // Launch Test22 with an empty envp array: the child receives
            // only the variables listed there, i.e. none.
            Process p =
                Runtime.getRuntime().exec(new String[] {
                    args[0],
                    "-cp", args[1], "Test22" }, new String[] {});
            // Relay the child's standard output.
            InputStream is = p.getInputStream();
            int i;
            while ((i = is.read()) != -1) {
                System.out.print((char) i);
            }
            System.err.println("Exit value: " + p.waitFor());
        } catch (Exception ioe) {
            ioe.printStackTrace(System.out);
        }
    }
}
--- end of Test23.java
--- Output (Linux)
$ /set/java/jdk1.5/linux/bin/java -cp ~/classes Test23 /set/java/jdk1.5/linux/bin/java ~/classes
Value of java.io.tmpdir: /tmp
Exit value: 0
--- End Linux output
--- Output (Solaris)
$ /set/java/jdk1.5/solaris/bin/java -cp ~/classes Test23 /set/java/jdk1.5/solaris/bin/java ~/classes
Value of java.io.tmpdir: /var/tmp/
Exit value: 0
--- End Solaris output
--- Output (WinXP)
C:\>Y:\JDK1.5.0b12\windows-i586\bin\java.exe -cp X:\classes Test23 Y:\JDK1.5.0b12\windows-i586\bin\java.exe X:\classes
Value of java.io.tmpdir: C:\WINDOWS
Exit value: 0
--- End WinXP output
Any routine that uses the temp directory (File.createTempFile() is an example)
will either fail or write to the system root, depending on privilege level.
======================================================================
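A caller-side mitigation for the behaviour reported above, as an added example that is not part of the original report or of the JDK: the launcher still restricts the child's environment, but copies the temp-directory variables through an allow-list and also sets java.io.tmpdir explicitly. The names SafeExec, KEEP and restrictedEnv and the contents of the allow-list are assumptions for illustration, and the code uses Java 9+ library calls (List.of, InputStream.transferTo).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class SafeExec {
    // Assumed allow-list; compared case-insensitively because Windows
    // environment variable names are not case-sensitive.
    private static final Set<String> KEEP = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        KEEP.addAll(List.of("TEMP", "TMP", "TMPDIR", "SystemRoot"));
    }

    // Build the envp argument for Runtime.exec(): only allow-listed variables
    // are copied from the parent, everything else is dropped.
    static String[] restrictedEnv(Map<String, String> parent) {
        List<String> envp = new ArrayList<>();
        for (Map.Entry<String, String> e : parent.entrySet()) {
            if (KEEP.contains(e.getKey())) {
                envp.add(e.getKey() + "=" + e.getValue());
            }
        }
        return envp.toArray(new String[0]);
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        if (args.length != 2) {
            System.out.println("Usage: java SafeExec <java-launcher> <classpath>");
            return;
        }
        // Private per-run directory, passed explicitly so the child does not
        // depend on how the platform derives java.io.tmpdir.
        Path tmp = Files.createTempDirectory("child-tmp");
        String[] cmd = {
            args[0], "-Djava.io.tmpdir=" + tmp.toAbsolutePath(),
            "-cp", args[1], "Test22"
        };
        Process p = Runtime.getRuntime().exec(cmd, restrictedEnv(System.getenv()));
        p.getInputStream().transferTo(System.out); // relay the child's stdout
        System.err.println("Exit value: " + p.waitFor());
    }
}
```

Run it the same way as Test23; Test22 should then report the per-run directory on every platform instead of the system root.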