commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Trejkaz (JIRA)" <>
Subject [jira] [Commented] (COLLECTIONS-538) ExtendedProperties causes AccessControlException when framework is called from a script
Date Mon, 15 Dec 2014 05:32:13 GMT


Trejkaz commented on COLLECTIONS-538:

We use templates as something the user can customise. Users can therefore pass templates around
to other users, and a particularly malicious user might find a way to have the template write
to arbitrary files or something.

Velocity may not be lowering privileges when calling methods on template objects either. I
don't know either way, but I figure it's better not to trust it unless someone shows that
it's doing things safely.

If we called Velocity in a privileged block, we might be opening up the final link in that
attack vector, so I'm not exactly keen, no.

> ExtendedProperties causes AccessControlException when framework is called from a script
> ---------------------------------------------------------------------------------------
>                 Key: COLLECTIONS-538
>                 URL:
>             Project: Commons Collections
>          Issue Type: Bug
>          Components: Collection
>    Affects Versions: 3.2.1
>         Environment: Java security manager enabled
>            Reporter: Trejkaz
> We're using Velocity 1.7, which depends upon Commons Collections 3.x series' ExtendedProperties
> ExtendedProperties has these constructors where it looks up the file separator using
the least convenient means possible:
> {code}
>     public ExtendedProperties() {
>         this.fileSeparator = System.getProperty("file.separator");
>         // ...
>     }
> {code}
> For us, this is all being called from untrusted code, so this fails with AccessControlException.
> I think that instead of using the system property here, it is customary to use the File.separator
> If you absolutely _must_ use System.getProperty() to fetch this value, it should at least
be done from a doPrivileged() block.
> Also I had a quick check of Commons Collections 4 to see if this issue had been fixed,
but couldn't immediately see what happened to this class. If it did turn out to have been
fixed in v4, maybe Velocity could be encouraged to update to v4, but I haven't seen any updates
from them in 4 years, so it's probably not a good sign.

This message was sent by Atlassian JIRA

View raw message