Bug ID: 4982415
Votes: 6
Synopsis: Floppy access in untrusted applet: the sandbox should protect the system
Category: jaxp:other
Reported Against: 1.4.2
Release Fixed:
State: 11-Closed, Will Not Fix, bug
Priority: 4-Low
Related Bugs:
Submit Date: 23-JAN-2004

Description
FULL PRODUCT VERSION :
C:\entw\java>c:\java\1.4.2\01\jre\bin\java -version
java version "1.4.2_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_01-b06)
Java HotSpot(TM) Client VM (build 1.4.2_01-b06, mixed mode)
FULL OS VERSION :
customer Windows XP [Version 5.1.2600]
A DESCRIPTION OF THE PROBLEM :
The problem is that the sandbox should protect the system from untrusted access
to system resources, such as a floppy drive. But again,
like many things in the JDK (see illegalaccess.org for details),
this does not work as printed in the Java specification.
Tested on:
- IE 6
- customer 7.2
- Netscape
on WIN32
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
import java.applet.Applet;
public class MyFloppySucks extends Applet {
    public void paint(java.awt.Graphics g) {
        try {
            // Untrusted applet code asks the bundled Crimson parser to load a file: URL on drive A:
            org.apache.crimson.tree.XmlDocument.createXmlDocument("file:///a:/", false);
        }
        catch (Exception e) {
            System.out.println("Hallo");
        }
    }
}
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
a) IllegalAccessError on the screen
b) a Java-Fleece-Shirt in the Mail, this is my xx-th bug I submitted to this
database and got absolutely no acknowledgement for my effort and
time enhancing your product's quality!
ACTUAL -
An alert prompt asking me to enter a floppy into drive a:
ERROR MESSAGES/STACK TRACES THAT OCCUR :
An alert prompt asking me to enter a floppy into drive a:
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
C:\entw\java>more MyFloppySucks.java
import java.applet.Applet;
public class MyFloppySucks extends Applet {
    public void paint(java.awt.Graphics g) {
        // Endless loop: the parser call is repeated on every iteration
        while (1==1)
            try {
                org.apache.crimson.tree.XmlDocument.createXmlDocument("file:///a:/", false);
            }
            catch (Exception e) {
                System.out.println("Hallo");
            }
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
use linux
(Incident Review ID: 215101)
======================================================================

Work Around
N/A

Evaluation
The Crimson XML parser is bundled in J2SE 1.4, and this bug has been reproduced in JRE 1.4.2. But I think this is due to the Apache Crimson package being included inside rt.jar, not a Java plugin bug.
Anyway, I want to test it in our JRE 1.5, but Crimson is not in 1.5 anymore (I think we use Xerces2?). Where is this call XmlDocument.createXmlDocument() in JRE 1.5? Please tell me and I can test it in 1.5.
xxxxx@xxxxx 2004-01-29

Comments
Submitted On 23-JAN-2004
schonef2
The submit date was 2 months earlier!