author | Omair Majid <[email protected]> | 2010-10-27 12:55:00 -0400 |
---|---|---|
committer | Omair Majid <[email protected]> | 2010-10-27 12:55:00 -0400 |
commit | 113056bc664b2a0ee61073de74a75f19539c67ab (patch) | |
tree | d573cb0512ea15e3a780daf9334452414998a39d /netx/net/sourceforge | |
parent | 55e18bbbb2bdbc25bb38f315648a4b5035533df6 (diff) |
Add security checks for save and load in DeploymentConfiguration
2010-10-27 Omair Majid <[email protected]>
* netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java
(load): Do a security check at start. A security exception later on may
accidentally reveal a filename or a system property.
(save): Likewise.
Diffstat (limited to 'netx/net/sourceforge')
-rw-r--r-- | netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java b/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java
index abfcd1c..bc4ea7b 100644
--- a/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java
+++ b/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java
@@ -155,6 +155,15 @@ public final class DeploymentConfiguration {
 * @throws DeploymentException if it encounters a fatal error.
 */
 public void load() throws ConfigurationException {
+ // make sure no state leaks if security check fails later on
+ File userFile = new File(System.getProperty("user.home") + File.separator + ".netx"
+ + File.separator + DEPLOYMENT_PROPERTIES);
+
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ sm.checkRead(userFile.toString());
+ }
+
 Map<String, ConfigValue> initialProperties = loadDefaultProperties();
 Map<String, ConfigValue> systemProperties = null;
@@ -189,8 +198,7 @@ public final class DeploymentConfiguration {
 /*
 * Third, read the user's deployment.properties file
 */
- userPropertiesFile = new File(System.getProperty("user.home") + File.separator + ".netx"
- + File.separator + DEPLOYMENT_PROPERTIES);
+ userPropertiesFile = userFile;
 Map<String, ConfigValue> userProperties = loadProperties(ConfigType.User, userPropertiesFile, false);
 if (userProperties != null) {
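Review bot: The up-front `sm.checkRead(userFile.toString())` in load() gates only the user's deployment.properties, while `loadDefaultProperties()` runs right after it and the comment in the next hunk ("Third, read the user's deployment.properties file") implies two other sources are read before the user file. If any of those earlier reads touches a file or system property the caller is not permitted to access, a SecurityException can still surface part-way through load(), which is the situation the commit message sets out to avoid; that depends on code outside the hunk, so it needs confirming. If the narrower scope is deliberate, say so next to the check, for example `// only the user file is checked here; the earlier sources are not covered by this gate`. load()'s body continues outside the hunk.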
@@ -466,9 +474,19 @@ public final class DeploymentConfiguration {
 /**
 * Saves all properties that are not part of default or system properties
 *
- * @throws IOException
+ * @throws IOException if unable to save the file
+ * @throws IllegalStateException if save() is called before load()
 */
 public void save() throws IOException {
+ if (userPropertiesFile == null) {
+ throw new IllegalStateException("must load() before save()");
+ }
+
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ sm.checkWrite(userPropertiesFile.toString());
+ }
+
 if (JNLPRuntime.isDebug()) {
 System.out.println("Saving properties into " + userPropertiesFile.toString());
 }
|
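Review bot: save() can now throw SecurityException from `sm.checkWrite(userPropertiesFile.toString())`, but the Javadoc edited in this hunk lists only IOException and IllegalStateException; add `* @throws SecurityException if the caller may not write the user's deployment.properties file`. The same tag is missing on load() in the first hunk, whose Javadoc also still names DeploymentException while the signature declares ConfigurationException. The null check on `userPropertiesFile` runs before the permission check, so a caller without write permission can still tell whether load() has run. That looks harmless, but a short comment stating the order is intentional would settle it for the next reader. save()'s body continues outside the hunk.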