Re: [cp-patches] FYI: Disallow unsecure copy/paste exchange

[Meskauskas Audrius]

Maybe yes.  The recent insecure approach comes from the historcal past.

Mark Wielaard wrote:

> Hi,
>
> After the last discussion about TransferHandler and security issues it
> seemed safer to me to just disallow any copy/paste between untrusted
> code paths as was suggested earlier.
>
> 2005-12-04  Mark Wielaard  <address@hidden>
>
>        * javax/swing/TransferHandler
>        (TransferAction.actionPerformed): Beep and return when clipboard
>        is null.
>        (getClipboard): Return null when access denied.
>        (clipboard): Removed static field.
>
> Committed,
>
> Mark
>  
>
> ------------------------------------------------------------------------
>
> Index: javax/swing/TransferHandler.java
> ===================================================================
> RCS file: /cvsroot/classpath/classpath/javax/swing/TransferHandler.java,v
> retrieving revision 1.12
> diff -u -r1.12 TransferHandler.java
> --- javax/swing/TransferHandler.java    22 Nov 2005 16:07:57 -0000      1.12
> +++ javax/swing/TransferHandler.java    4 Dec 2005 19:50:34 -0000
> @@ -1,5 +1,5 @@
> /* TransferHandler.java --
> -   Copyright (C) 2004 Free Software Foundation, Inc.
> +   Copyright (C) 2004, 2005 Free Software Foundation, Inc.
>
> This file is part of GNU Classpath.
>
> @@ -43,6 +43,7 @@
> import java.awt.datatransfer.Transferable;
> import java.awt.event.ActionEvent;
> import java.awt.event.InputEvent;
> +import java.awt.Toolkit;
> import java.io.Serializable;
>
> public class TransferHandler implements Serializable
> @@ -62,6 +63,13 @@
>       TransferHandler transferHandler = component.getTransferHandler();
>       Clipboard clipboard = getClipboard(component);
>
> +      if (clipboard == null)
> +       {
> +         // Access denied!
> +         Toolkit.getDefaultToolkit().beep();
> +         return;
> +       }
> +
>       if (command.equals(COMMAND_COPY))
>         transferHandler.exportToClipboard(component, clipboard, COPY);
>       else if (command.equals(COMMAND_CUT))
> @@ -76,8 +84,8 @@
>     }
>   
>     /**
> -     * Get the system cliboard. If not available, create and return the 
> VM-local
> -     * clipboard.
> +     * Get the system cliboard or null if the caller isn't allowed to
> +     * access the system clipboard.
>      * 
>      * @param component a component, used to get the toolkit.
>      * @return the clipboard
> @@ -85,22 +93,13 @@
>     private static Clipboard getClipboard(JComponent component)
>     {
>       try
> -        {
> -          SecurityManager sm = System.getSecurityManager();
> -          if (sm != null)
> -            sm.checkSystemClipboardAccess();
> -
> -          // We may access the system clipboard.
> -          return component.getToolkit().getSystemClipboard();
> -        }
> -      catch (Exception e)
> -        {
> -          // We may not access system clipboard.
> -          // Create VM-local clipboard if none exists yet.
> -          if (clipboard == null)
> -            clipboard = new Clipboard("Clipboard");
> -          return clipboard;
> -        }
> +       {
> +         return component.getToolkit().getSystemClipboard();
> +       }
> +      catch (SecurityException se)
> +       {
> +         return null;
> +       }
>     }
>   }
>   
> @@ -118,12 +117,6 @@
>   private static Action copyAction = new TransferAction(COMMAND_COPY);
>   private static Action cutAction = new TransferAction(COMMAND_CUT);
>   private static Action pasteAction = new TransferAction(COMMAND_PASTE);
> -  
> -  /**
> -   * Clipboard if system clipboard may not be used.
> -   * Package-private to avoid an accessor method.
> -   */
> -  static Clipboard clipboard;
>   
>   private int sourceActions;
>   private Icon visualRepresentation;
>  
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Classpath-patches mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/classpath-patches
>