Date: Wed, 17 Dec 2014 14:30:15 +0000 (UTC)
From: "Thomas Neidhart (JIRA)"
To: issues@commons.apache.org
Subject: [jira] [Comment Edited] (COLLECTIONS-538) ExtendedProperties causes AccessControlException when framework is called from a script

[ https://issues.apache.org/jira/browse/COLLECTIONS-538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14249885#comment-14249885 ]

Thomas Neidhart edited comment on COLLECTIONS-538 at 12/17/14 2:29 PM:
-----------------------------------------------------------------------

And giving the permission to read system properties to the commons-collections lib is not an option in your case?

I understand it is annoying, but as I said, it is very unlikely that we will release a new 3.x lib, at least in the near future.

was (Author: tn):
And giving the application the permission to read system properties is not an option?

> ExtendedProperties causes AccessControlException when framework is called from a script
> ---------------------------------------------------------------------------------------
>
>                 Key: COLLECTIONS-538
>                 URL: https://issues.apache.org/jira/browse/COLLECTIONS-538
>             Project: Commons Collections
>          Issue Type: Bug
>          Components: Collection
>    Affects Versions: 3.2.1
>         Environment: Java security manager enabled
>            Reporter: Trejkaz
>
> We're using Velocity 1.7, which depends upon Commons Collections 3.x series' ExtendedProperties class.
> ExtendedProperties has these constructors where it looks up the file separator using the least convenient means possible:
> {code}
>     public ExtendedProperties() {
>         this.fileSeparator = System.getProperty("file.separator");
>         // ...
>     }
> {code}
> For us, this is all being called from untrusted code, so this fails with AccessControlException.
> I think that instead of using the system property here, it is customary to use the File.separator constant.
> If you absolutely _must_ use System.getProperty() to fetch this value, it should at least be done from a doPrivileged() block.
> Also I had a quick check of Commons Collections 4 to see if this issue had been fixed, but couldn't immediately see what happened to this class. If it did turn out to have been fixed in v4, maybe Velocity could be encouraged to update to v4, but I haven't seen any updates from them in 4 years, so it's probably not a good sign.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
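
The two alternatives named in the issue description, side by side, as an added example that is not part of the original message and not Commons Collections source. The class SeparatorLookup, its method names and the jar path in the policy comment are hypothetical.

```java
import java.io.File;
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Hypothetical stand-in for a library class that needs the file separator. */
public class SeparatorLookup {

    /**
     * Alternative 1: File.separator is a constant the JDK initialises when
     * java.io.File is loaded, so reading it performs no permission check and
     * works no matter how little the calling code is trusted.
     */
    static String fromConstant() {
        return File.separator;
    }

    /**
     * Alternative 2: doPrivileged() stops the access-control stack walk at
     * this frame, so an untrusted caller (for example a script) further up
     * the stack is not checked. The property key is hard-coded on purpose:
     * a privileged block that read a caller-supplied key would hand every
     * system property to untrusted code.
     * Note: AccessController is deprecated for removal since Java 17 (JEP 411).
     */
    static String fromPrivilegedBlock() {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty("file.separator"));
    }

    // With alternative 2 only the library's own protection domain needs the
    // grant below; with a bare System.getProperty() call every protection
    // domain on the call stack needs it, the untrusted caller included.
    // Policy file entry (the jar path is a placeholder):
    //
    //   grant codeBase "file:/path/to/commons-collections-3.2.1.jar" {
    //       permission java.util.PropertyPermission "file.separator", "read";
    //   };

    public static void main(String[] args) {
        // Both lookups return the same value on any platform.
        System.out.println(fromConstant().equals(fromPrivilegedBlock()));
    }
}
```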