harmony-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "varun srivastava (JIRA)" <j...@apache.org>
Subject [jira] Reopened: (HARMONY-6367) [classlib] Some Methods doesn't have security Permissions check as compared to SUN JDK.
Date Tue, 09 Nov 2010 17:58:06 GMT

     [ https://issues.apache.org/jira/browse/HARMONY-6367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

varun srivastava reopened HARMONY-6367:
---------------------------------------


Sorry to reopen this [ all previous ones are fixed]. Just want to add one more related security
vulnerability here. 

In class DatagramSocket , method connect(InetAddress anAddress, int aPort) should also check
for checkAccept() before making connection. The call can be used by server and without this
security check, clients IPs barred from getting Accepted will also get connected.

> [classlib] Some Methods doesn't have security Permissions check as compared to SUN JDK.
> ---------------------------------------------------------------------------------------
>
>                 Key: HARMONY-6367
>                 URL: https://issues.apache.org/jira/browse/HARMONY-6367
>             Project: Harmony
>          Issue Type: Bug
>          Components: Classlib
>    Affects Versions: 5.0M11
>         Environment: JDK Security permission checks
>            Reporter: varun srivastava
>            Assignee: Tim Ellison
>            Priority: Critical
>             Fix For: 5.0M12
>
>   Original Estimate: 96h
>  Remaining Estimate: 96h
>
> Following Methods doesn't have security Permissions as compared to SUN JDK.
> -----------------------------------------------------------------------------------------------------------------
> 1) java.net.URL: java.net.URLConnection openConnection(java.net.Proxy) - "checkConnect"
missing in Harmony. Sun perform checkConnect if proxy is present. It checks whether user is
allowed to connect to proxy.
> 2) java.net.ServerSocket: void implAccept(java.net.Socket) : Harmony missing checkAccept
in protected method. Anyone can create a subclass of SerSocket and accept connections.
> 3) java.net.SocketPermission: boolean equals(java.lang.Object)  - Harmony use getHostNameInternal
method instead of calling getByName as done in Sun, to retrieve host name of the machine.
Thats why checkConnect is never called before retrieving hostname.
> 4) java.security.Provider: void load(java.io.InputStream) - Harmony misses checkSecurityAccess("putProviderProperty."
+ name) check
> 5) java.security.ProtectionDomain: java.lang.String toString() - Harmony doesn't have
checkPermission(SecurityConstants.GET_POLICY_PERMISSION)
> check in case Policy. isSet for dynamicPerms.
> -
> Varun Srivastava
> UT Austin

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message