bug-classpath

[Bug classpath/42390] Missing Security Manager checks in classpath apis


From: gnu_andrew at member dot fsf.org
Subject: [Bug classpath/42390] Missing Security Manager checks in classpath apis
Date: Mon, 22 Nov 2010 01:10:54 +0000

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=42390

Andrew John Hughes <gnu_andrew at member dot fsf.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2010.11.22 01:10:35
                 CC|                            |gnu_andrew at member dot
                   |                            |fsf.org
     Ever Confirmed|0                           |1

--- Comment #2 from Andrew John Hughes <gnu_andrew at member dot fsf.org> 
2010-11-22 01:10:35 UTC ---
I can confirm 1, 2 and 3 are missing.

4 is an odd one.  Via a Mauve test, I've confirmed that OpenJDK does perform
the security check but Classpath doesn't.  However, the official
documentation for toString() says nothing about the security exception
in this case.  Examining the Classpath code, it seems an entry point was
specifically added to the Policy class to allow PermissionDomain to
obtain the policy without the security check.  So the fix is
simple, but documentation upstream also needs to be fixed IMHO.

5 & 6 are similar.  I haven't yet had time to check OpenJDK with these
two, but I can see that the required calls are missing from the
Classpath code.  Again, the security checks aren't documented at all
for Socket and DatagramSocket; it just says
"SecurityException - if the caller is not allowed to send datagrams
to and receive datagrams from the address and port."
without specifying the actual checks.

The two inconsistencies, 7 & 8, seem to be a case of
System.getProperty being used directly, whereas internal code should
use gnu.classpath.SystemProperties directly.  I'll fix these in GNU Classpath
once I've confirmed the last four on OpenJDK.


