jdic / JDIC-164

Action.execute() does not check execution right

    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: Branch-Issue_74-78
    • Fix Version/s: None
    • Labels: None
    • Environment: Operating System: All; Platform: All
    • Issuezilla Id: 164

      Description

      I have some security concerns about Action.execute(). This method should at
      least call SecurityManager.checkExec().

      The current UnixLaunchUtility and WinAssociationProvider could use
      Runtime.exec() instead of native methods – this might be preferable.

        Activity

        chas created issue -
        paul_huang added a comment -

        Chas,

        Could you please help to make a patch for this issue?

        Thanks

        -Paul

        chas added a comment -

        We can't use Runtime.exec() because we want a new console and the new process
        should be detached from this one.

        Next patch adds security to both UnixLaunchUtility and WinAssociationProvider:

        + final SecurityManager security = System.getSecurityManager();
        + if (security != null)
        + security.checkExec(path);
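
Review bot: the `security.checkExec(path)` call on the last added line only protects anything if `path` is the exact string that is later handed to the native launcher. If the launcher resolves a relative name or expands the association command again after this point, the program that starts can differ from the one that was authorised, so resolve to the absolute long filename first, check that value, and pass the same value to the native call. Please also put braces around the `if (security != null)` body so a statement added later cannot end up outside the null check, and mention in the Action.execute() documentation that callers can now receive a SecurityException.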

        Additionally, the WinAssociationProvider was reworked: %1 is expanded to an 8.3
        filename; %L is expanded to a long filename. The security.checkExec() method is
        always given the long filename of the executable.
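
The check discussed in this issue, as an added example that is not JDIC code and not part of the original comments: a launcher that bypasses Runtime.exec() consults the security manager itself, on the resolved path, before starting anything. GuardedLauncher, AllowlistManager and nativeLaunch are hypothetical names, getCanonicalPath() stands in for the long-filename resolution, and the demo assumes JDK 9 to 17, where a SecurityManager can still be installed at run time.

```java
import java.io.File;
import java.io.IOException;
import java.security.Permission;
import java.util.Set;

// Added illustration, not JDIC code. GuardedLauncher, AllowlistManager and
// nativeLaunch are hypothetical names.
public class GuardedLauncher {

    // Stand-in for a JNI launcher: it never goes through Runtime.exec(),
    // so the JDK performs no exec check on its behalf.
    static void nativeLaunch(String path) {
        System.out.println("launched " + path);
    }

    // Resolve once, check the resolved string, launch that same string.
    static void launch(String command) throws IOException {
        final String path = new File(command).getCanonicalPath();
        final SecurityManager security = System.getSecurityManager();
        if (security != null) {
            security.checkExec(path); // throws SecurityException when denied
        }
        nativeLaunch(path);
    }

    // Constructed policy: only allowlisted executables may be started.
    static class AllowlistManager extends SecurityManager {
        private final Set<String> allowed;
        AllowlistManager(Set<String> allowed) { this.allowed = allowed; }
        @Override public void checkExec(String cmd) {
            if (!allowed.contains(cmd)) {
                throw new SecurityException("exec denied: " + cmd);
            }
        }
        // Permit everything else so the demo isolates the exec decision.
        @Override public void checkPermission(Permission perm) { }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths; nothing is actually executed.
        String viewer = new File("/usr/bin/xdg-open").getCanonicalPath();
        System.setSecurityManager(new AllowlistManager(Set.of(viewer)));
        launch("/usr/bin/../bin/xdg-open");   // same file after resolution: allowed
        try {
            launch("/tmp/unlisted-tool");     // not on the allowlist
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```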

        chas added a comment -

        Created an attachment (id=141)
        add SecurityManager.checkExec() before process creation

        paul_huang added a comment -

        Patch accepted. Check into CVS branch.

        kenaiadmin made changes -
        Field Original Value New Value
        issue.field.bugzillaimportkey 164 96133

          People

          • Assignee: paul_huang
          • Reporter: chas
          • Votes: 0
          • Watchers: 0
