From 734d3800792d3b1825eb3101227eae519311871e Mon Sep 17 00:00:00 2001
From: Omair Majid
Date: Wed, 24 Nov 2010 14:15:11 -0500
Subject: CVE-2010-3860 IcedTea System property information leak via public static

2010-11-24 Omair Majid

* netx/net/sourceforge/jnlp/runtime/Boot.java: Remove basedir option. Add NETX_ABOUT_FILE. (run): Remove call to JNLPRuntime.setBaseDir. (getAboutFile): Use the constant in this file, not JNLPRuntime. (getBaseDir): Remove obsolete method.
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java: Remove baseDir, USER, HOME_DIR, NETXRC_FILE, NETX_DIR, SECURITY_DIR, CERTFICIATES_FILE, JAVA_HOME_DIR, NETX_ABOUT_FILE. (initialize): Do not set baseDir. (getBaseDir): Remove method. (setBaseDir): Likewise. (getDefaultBaseDir): Likewise. (getProperties): Likewise.
* netx/net/sourceforge/jnlp/security/SecurityUtil.java (getTrustedCertsFilename): Delegate to KeyStores.getKeyStoreLocation.
* plugin/icedteanp/java/sun/applet/PluginAppletSecurityContext.java (PluginAppletSecurityContext): Remove call to obsolete method.
---
 plugin/icedteanp/java/sun/applet/PluginAppletSecurityContext.java | 5 -----
 1 file changed, 5 deletions(-)

(limited to 'plugin')

diff --git a/plugin/icedteanp/java/sun/applet/PluginAppletSecurityContext.java b/plugin/icedteanp/java/sun/applet/PluginAppletSecurityContext.java
index bef2bd8..eb68371 100644
--- a/plugin/icedteanp/java/sun/applet/PluginAppletSecurityContext.java
+++ b/plugin/icedteanp/java/sun/applet/PluginAppletSecurityContext.java
@@ -250,11 +250,6 @@ public class PluginAppletSecurityContext {
 public PluginAppletSecurityContext(int identifier) {
 this.identifier = identifier;
-
- // also, override the basedir, use a different one for the plugin
- File f = new File(System.getProperty("user.home") + "/.icedteaplugin/");
- f.mkdir();
- JNLPRuntime.setBaseDir(f);
 // We need a security manager.. and since there is a good chance that
 // an applet will be loaded at some point, we should make it the SM
--
cgit v1.2.3