-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java | 24 |
2 files changed, 28 insertions, 3 deletions
@@ -1,3 +1,10 @@ +2010-10-27 Omair Majid <[email protected]> + + * netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java + (load): Do a security check at start. A security exception later on may + accidentally reveal a filename or a system property. + (save): Likewise. + 2010-10-26 Omair Majid <[email protected]> * netx/net/sourceforge/jnlp/Launcher.java diff --git a/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java b/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java index abfcd1c..bc4ea7b 100644 --- a/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java +++ b/netx/net/sourceforge/jnlp/runtime/DeploymentConfiguration.java @@ -155,6 +155,15 @@ public final class DeploymentConfiguration { * @throws DeploymentException if it encounters a fatal error. */ public void load() throws ConfigurationException { + // make sure no state leaks if security check fails later on + File userFile = new File(System.getProperty("user.home") + File.separator + ".netx" + + File.separator + DEPLOYMENT_PROPERTIES); + + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + sm.checkRead(userFile.toString()); + } + Map<String, ConfigValue> initialProperties = loadDefaultProperties(); Map<String, ConfigValue> systemProperties = null; @@ -189,8 +198,7 @@ public final class DeploymentConfiguration { /* * Third, read the user's deployment.properties file */ - userPropertiesFile = new File(System.getProperty("user.home") + File.separator + ".netx" - + File.separator + DEPLOYMENT_PROPERTIES); + userPropertiesFile = userFile; Map<String, ConfigValue> userProperties = loadProperties(ConfigType.User, userPropertiesFile, false); if (userProperties != null) { 
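Review bot: The up-front `sm.checkRead(userFile.toString())` in load() vouches only for the user's deployment.properties, yet the method reads other sources before it reaches that file (the context shows `loadDefaultProperties()` and a `systemProperties` map, and the following hunk labels the user file the third step). If any of those earlier reads performs its own permission check, a SecurityException can still surface partway through, which is the situation the new comment wants to rule out; that code lies outside the hunk, so this needs confirming against the full method. If the user-file permission is intended as the single gate, say so in the comment, e.g. `// gate for the whole load: a caller that may not read the user file must fail here, before any property source is touched`. The Javadoc above also still names DeploymentException although the signature declares ConfigurationException.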
@@ -466,9 +474,19 @@ public final class DeploymentConfiguration { /** * Saves all properties that are not part of default or system properties * - * @throws IOException + * @throws IOException if unable to save the file + * @throws IllegalStateException if save() is called before load() */ public void save() throws IOException { + if (userPropertiesFile == null) { + throw new IllegalStateException("must load() before save()"); + } + + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + sm.checkWrite(userPropertiesFile.toString()); + } + if (JNLPRuntime.isDebug()) { System.out.println("Saving properties into " + userPropertiesFile.toString()); } |
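Review bot: The rewritten `@throws` list for save() documents the new IllegalStateException but not the SecurityException that the added `sm.checkWrite(userPropertiesFile.toString())` can raise when a security manager is installed. Add `@throws SecurityException if the caller is not permitted to write the user's deployment.properties`. load() gains the equivalent `checkRead` in the first Java hunk, and its Javadoc needs the matching tag. The rest of save() is outside the hunk.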