  1. JDK
  2. JDK-8026426

Reverse cname lookup results in access denied ("java.net.SocketPermission"


    • Bug
    • Resolution: Unresolved
    • P3
    • tbd
    • 7
    • core-libs

      FULL PRODUCT VERSION :
      java version "1.7.0_09"
      Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
      Java HotSpot(TM) 64-Bit Server VM (build 23.5-b02, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Linux rotty-desktop 3.5.0-22-generic #34-Ubuntu SMP Tue Jan 8 21:47:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

      A DESCRIPTION OF THE PROBLEM :
      When checking SocketPermissions a reverse domain lookup is performed against the resolved IP address. However, it is entirely possible (and in this day and age, probable) that the name resolved for the IP is not the same as the original domain.

      Given the following code snippet:

      Socket socket = new Socket("www.google.ca", 80);
      socket.close();

      And having applied the following security policy:

      grant {
          permission java.net.SocketPermission "*.ca:80", "connect";
      };

      The result is:

      Exception in thread "main" java.security.AccessControlException: access denied ("java.net.SocketPermission" "www.google.ca" "resolve")
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
      at java.security.AccessController.checkPermission(AccessController.java:560)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
      at java.lang.SecurityManager.checkConnect(SecurityManager.java:1048)
      at java.net.InetAddress.getAllByName0(InetAddress.java:1203)
      at java.net.InetAddress.getAllByName(InetAddress.java:1127)
      at java.net.InetAddress.getAllByName(InetAddress.java:1063)
      at java.net.InetAddress.getByName(InetAddress.java:1013)
      at java.net.InetSocketAddress.<init>(InetSocketAddress.java:142)
      at java.net.Socket.<init>(Socket.java:208)
      at example.security.SocketSecurityExample.test(SocketSecurityExample.java:13)
      at example.security.SocketSecurityExample.main(SocketSecurityExample.java:9)

      Meanwhile, changing the policy to:

      grant {
          permission java.net.SocketPermission "*.1e100.net:80", "connect";
      };

      results in proper execution of the code (at least on the day, and from the original location, the test took place).

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      - compile the following class:

      package example.security;

      import java.net.Socket;

      public class SocketSecurityExample {
          public static void main(String[] args) throws Exception {
              Socket socket = new Socket("www.google.ca", 80);
              socket.close();
          }
      }

      - create the following security.policy file:

      grant {
          permission java.net.SocketPermission "*.ca:80", "connect";
      };

      - execute as:

      java -Djava.security.manager -Djava.security.policy=security.policy example.security.SocketSecurityExample

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Expect that the code does not result in an error.
      ACTUAL -
      Exception in thread "main" java.security.AccessControlException: access denied ("java.net.SocketPermission" "www.google.ca" "resolve")
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
      at java.security.AccessController.checkPermission(AccessController.java:560)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
      at java.lang.SecurityManager.checkConnect(SecurityManager.java:1048)
      at java.net.InetAddress.getAllByName0(InetAddress.java:1203)
      at java.net.InetAddress.getAllByName(InetAddress.java:1127)
      at java.net.InetAddress.getAllByName(InetAddress.java:1063)
      at java.net.InetAddress.getByName(InetAddress.java:1013)
      at java.net.InetSocketAddress.<init>(InetSocketAddress.java:142)
      at java.net.Socket.<init>(Socket.java:208)
      at example.security.SocketSecurityExample.test(SocketSecurityExample.java:13)
      at example.security.SocketSecurityExample.main(SocketSecurityExample.java:9)


      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Exception in thread "main" java.security.AccessControlException: access denied ("java.net.SocketPermission" "www.google.ca" "resolve")
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
      at java.security.AccessController.checkPermission(AccessController.java:560)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
      at java.lang.SecurityManager.checkConnect(SecurityManager.java:1048)
      at java.net.InetAddress.getAllByName0(InetAddress.java:1203)
      at java.net.InetAddress.getAllByName(InetAddress.java:1127)
      at java.net.InetAddress.getAllByName(InetAddress.java:1063)
      at java.net.InetAddress.getByName(InetAddress.java:1013)
      at java.net.InetSocketAddress.<init>(InetSocketAddress.java:142)
      at java.net.Socket.<init>(Socket.java:208)
      at example.security.SocketSecurityExample.test(SocketSecurityExample.java:13)
      at example.security.SocketSecurityExample.main(SocketSecurityExample.java:9)


      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      package example.security;

      import java.net.Socket;

      public class SocketSecurityExample {
          public static void main(String[] args) throws Exception {
              Socket socket = new Socket("www.google.ca", 80);
              socket.close();
          }
      }
      ---------- END SOURCE ----------

            Unassigned
            robm Robert Mckenna
            Votes: 0
            Watchers: 3

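
The mismatch described in this report, modelled as an added example (not part of the report and not JDK source): the policy wildcard is compared with the name returned by the reverse lookup of the resolved address rather than with the requested host name. The lookup tables, the address 192.0.2.10, the name host-a.1e100.net and all method names are constructed for illustration.

```java
import java.util.Locale;
import java.util.Map;

// Added illustration: models the check as the report describes it, not JDK code.
public class WildcardReverseLookupDemo {
    // Constructed DNS data: the address is from the documentation range and the
    // PTR name is a made-up host under the domain the report mentions.
    static final Map<String, String> FORWARD = Map.of("www.google.ca", "192.0.2.10");
    static final Map<String, String> REVERSE = Map.of("192.0.2.10", "host-a.1e100.net");

    // "*.ca" matches any name ending in ".ca"; other patterns must match exactly.
    static boolean hostMatches(String pattern, String name) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String n = name.toLowerCase(Locale.ROOT);
        if (p.equals("*")) return true;
        if (p.startsWith("*.")) return n.endsWith(p.substring(1));
        return n.equals(p);
    }

    // Requested host -> address -> PTR name; null if either lookup has no answer.
    static String reverseName(String requestedHost) {
        String ip = FORWARD.get(requestedHost);
        return ip == null ? null : REVERSE.get(ip);
    }

    // Behaviour described in the report: wildcard tested against the PTR name.
    static boolean allowedByReverseName(String pattern, String requestedHost) {
        String ptr = reverseName(requestedHost);
        return ptr != null && hostMatches(pattern, ptr);
    }

    // Behaviour the reporter expected: wildcard tested against the requested name.
    static boolean allowedByRequestedName(String pattern, String requestedHost) {
        return hostMatches(pattern, requestedHost);
    }

    public static void main(String[] args) {
        String host = "www.google.ca";
        for (String pattern : new String[] {"*.ca", "*.1e100.net"}) {
            System.out.printf("%-12s ptr=%s reverse-name=%b requested-name=%b%n",
                pattern, reverseName(host),
                allowedByReverseName(pattern, host),
                allowedByRequestedName(pattern, host));
        }
    }
}
```

Because the PTR record belongs to whoever operates the address, a wildcard grant written against the requested domain can stop matching whenever the hosting changes, which is why the report notes the second policy worked only on the day and from the location of the test.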