bug-classpath

[Bug classpath/24895] New: Directory traversal vulnerability in FilePerm


From: gbenson at redhat dot com
Subject: [Bug classpath/24895] New: Directory traversal vulnerability in FilePermission check
Date: 16 Nov 2005 16:25:56 -0000

java.io.FilePermission does not canonicalize filenames.  This causes a
directory traversal vulnerability such that if the security policy grants
permission for some action under some directory then it is possible to perform
that action anywhere on the filesystem.

For example, if the policy grants the following permission:

  FilePermission("/tmp/-", "write");

then it is possible to write to /home by using paths like "/tmp/../home/foo".

Attached is a testcase that demonstrates this.  As well as directory traversal
we are almost certainly vulnerable to symlink traversal attacks, but fixing
this issue using File.getCanonicalFile() should fix any symlink issues too.

To use the testcase you need the patches I mailed to classpath-patches earlier
("Patch: infinite loop in security manager" and "Patch:
java.io.FilePermission.implies checks reversed").


-- 
           Summary: Directory traversal vulnerability in FilePermission
                    check
           Product: classpath
           Version: 0.19
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: classpath
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: gbenson at redhat dot com


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24895
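
The check described in the report, modelled as an added example (it is not part of the original message and is not GNU Classpath's code): a raw string comparison against the granted directory beside one that resolves both names with `File.getCanonicalFile()` first. The class and method names are hypothetical, the sample paths are constructed, and a Unix-like filesystem is assumed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Added illustration; a simplified model of a recursive "/tmp/-" grant,
// not GNU Classpath's FilePermission implementation.
public class CanonicalGrantCheck {

    // Models the reported behaviour: the requested name is compared to the
    // granted directory as a raw string, so ".." segments are never resolved.
    static boolean impliesRaw(String grantedDir, String requested) {
        String prefix = grantedDir.endsWith(File.separator)
                ? grantedDir : grantedDir + File.separator;
        return requested.startsWith(prefix);
    }

    // Resolves both sides with File.getCanonicalFile() (which collapses "."
    // and ".." and follows symlinks) and then compares whole path components.
    static boolean impliesCanonical(String grantedDir, String requested) {
        try {
            Path root = new File(grantedDir).getCanonicalFile().toPath();
            Path target = new File(requested).getCanonicalFile().toPath();
            // Strictly below the granted directory, matching "dir/-" semantics.
            return !target.equals(root) && target.startsWith(root);
        } catch (IOException e) {
            return false; // fail closed if the name cannot be resolved
        }
    }

    public static void main(String[] args) {
        String granted = "/tmp";
        // Constructed sample paths; the second is the one from the report.
        String[] requests = { "/tmp/foo", "/tmp/../home/foo", "/tmpfoo/bar" };
        for (String r : requests) {
            System.out.printf("%-20s raw=%-5b canonical=%b%n",
                    r, impliesRaw(granted, r), impliesCanonical(granted, r));
        }
    }
}
```

Canonicalizing at check time does not bind the later file operation to the same object: if a path component is replaced with a symlink between the check and the open, the decision no longer matches the file that is actually written.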




