Wednesday May 13, 2009

Please remove the unsafe dependence on Permission.toString()

Recently, we made a correction on the implement of java.security.Permission.toString(). The specification says, "Returns a string describing this Permission. The convention is to specify the class name, the permission name, and the actions in the following format: '("ClassName" "name" "actions")'."[1] That is, the specification requires all components, ClassName, name, and actions, to be enclosed in double quotes, but JDK implementation of this method ignores this requirement, which returns string without double quotes. It seems that double quotes make sense, to differentiate between permissions of the same class with name "permit to write" and empty actions and another permission with name "permit to" and actions "write". A bug reported agasint the issue[2], and the bug was fixed recently[3].

But shortly after, I received many queries that the update break some test cases. In those test cases, the Permission.toString() is used to check against a hard coded string, which is expected no double qotes, for example,

    try {
    } catch (AccessControlException ace) {
        if (ace.getPermission().toString().indexOf("FilePermission filename read") < 0) {
            // run the codes that the exception is not a FilePermission/filename/read.
        } else {
            // run the codes that the exception is a FilePermission/filename/read.
        }
    }

The above codes' behaviors will diff with the bug fix[3], because now the the Permission.toString is expected as '"FilePermission" "filename" "read"', instead of 'FilePermission filename read".

For those application that depends on the Permission.toString() like above, I would suggest update those codes with Permission.getClass().getName(), Permissin.getName(), and Permission.getActions() accordingly. The above codes would look like:

    try {
    } catch (AccessControlException ace) {
        Permission perm = ace.getPermission();
        if (perm.getClass().getName().equals("FilePermission") && perm.getName().equals("filename") && perm.getActions("read")) {
            // run the codes that the exception is not a FilePermission/filename/read.
        } else {
            // run the codes that the exception is a FilePermission/filename/read.
        }
    }

The above code is much safer the using the Permission.toString(). For the issue, I only get reports on test cases, no reports to me on practical appliaction by now. But in case your application have similar usage as the above hard coded example, please DO remove the dependence for your application on JDK 7.

[1]: http://java.sun.com/javase/6/docs/api/java/security/Permission.html#toString()
[2]: http://bugs.sun.com/view_bug.do?bug_id=6549506
[3]: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/b656e842e1be

 

About

A blog on security and networking

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today