harmony-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Ellison (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (HARMONY-2163) [classlib][security] Changing system property java.home may cause incorrect initialization of java.security.Security class
Date Fri, 24 Nov 2006 12:28:03 GMT
     [ http://issues.apache.org/jira/browse/HARMONY-2163?page=all ]

Tim Ellison resolved HARMONY-2163.
----------------------------------

    Resolution: Fixed

Thanks Yuri.

Fixed in SECURITY modue at repo revision r478857.

Please check that this fully resolves your issue.



> [classlib][security] Changing system property java.home may cause incorrect initialization
of java.security.Security class
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HARMONY-2163
>                 URL: http://issues.apache.org/jira/browse/HARMONY-2163
>             Project: Harmony
>          Issue Type: Bug
>          Components: Classlib
>            Reporter: Yuri Dolgov
>         Assigned To: Tim Ellison
>
> Problem details: 
> Changing java.home system property causes incorrect initialization of java.security.Security
class. During the class initialization 'java.security' file is read. The file is located with
java.home system property. Changing java.home system property before Security class initilaization
results in impossibility to locate correct 'java.security' file. That leads to problems with
loading providers (see test below). Also there is possibility to load malicious 'java.security'
file.
>  
> The following test reproduces the issue:
>  
> Test.java
>  
> import java.security.MessageDigest;
> public class Test {
>     public static void main (String[] args) {
>         try {
>             System.setProperty("java.home", "foo/path");
>             MessageDigest md = MessageDigest.getInstance("SHA-1");
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
> }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message