[ https://issues.apache.org/jira/browse/COLLECTIONS-538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14246334#comment-14246334 ]

Trejkaz commented on COLLECTIONS-538:
-------------------------------------

We use templates as something the user can customise. Users can therefore pass 
templates around to other users, and a particularly malicious user might find a 
way to have the template write to arbitrary files or something.

Velocity may not be lowering privileges when calling methods on template 
objects either. I don't know either way, but I figure it's better not to trust 
it unless someone shows that it's doing things safely.

If we called Velocity in a privileged block, we might be opening up the final 
link in that attack vector, so I'm not exactly keen, no.



> ExtendedProperties causes AccessControlException when framework is called 
> from a script
> ---------------------------------------------------------------------------------------
>
>                 Key: COLLECTIONS-538
>                 URL: https://issues.apache.org/jira/browse/COLLECTIONS-538
>             Project: Commons Collections
>          Issue Type: Bug
>          Components: Collection
>    Affects Versions: 3.2.1
>         Environment: Java security manager enabled
>            Reporter: Trejkaz
>
> We're using Velocity 1.7, which depends upon Commons Collections 3.x series' 
> ExtendedProperties class.
> ExtendedProperties has these constructors where it looks up the file 
> separator using the least convenient means possible:
> {code}
>     public ExtendedProperties() {
>         this.fileSeparator = System.getProperty("file.separator");
>         // ...
>     }
> {code}
> For us, this is all being called from untrusted code, so this fails with 
> AccessControlException.
> I think that instead of using the system property here, it is customary to 
> use the File.separator constant.
> If you absolutely _must_ use System.getProperty() to fetch this value, it 
> should at least be done from a doPrivileged() block.
> Also I had a quick check of Commons Collections 4 to see if this issue had 
> been fixed, but couldn't immediately see what happened to this class. If it 
> did turn out to have been fixed in v4, maybe Velocity could be encouraged to 
> update to v4, but I haven't seen any updates from them in 4 years, so it's 
> probably not a good sign.
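As an added example (not code from Commons Collections, Velocity or the reporter), here are the three lookups the report contrasts, each run with a zero-permission protection domain on the call stack to stand in for the untrusted script that calls into the library. It assumes JDK 8 to 11 (or JDK 17 with -Djava.security.manager=allow) and the JDK's default policy, which grants every codebase read access to file.separator; the class and method names are mine.

```java
import java.io.File;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Added example, not Commons Collections or Velocity code. Needs a security
// manager: JDK 8-11 as is, JDK 17 with -Djava.security.manager=allow.
public class FileSeparatorLookup {

    // What the reported constructor does. The permission check walks the whole
    // call stack, so one untrusted frame (the user's script) makes it fail.
    static String viaSystemProperty() {
        return System.getProperty("file.separator");
    }

    // Reporter's first suggestion: a constant initialised by the JDK itself,
    // read with no permission check at all.
    static String viaConstant() {
        return File.separator;
    }

    // Reporter's fallback: privileges are asserted for this one property read
    // only. The stack walk stops at this frame, so only this class's own
    // permissions count; nothing else (template evaluation included) is run
    // with elevated privileges.
    static String viaPrivilegedRead() {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty("file.separator"));
    }

    // Runs a lookup with an empty-permission domain added to the context,
    // modelling a library call made from untrusted script code.
    static String asUntrustedCaller(PrivilegedAction<String> lookup) {
        AccessControlContext noPermissions = new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
        try {
            return AccessController.doPrivileged(lookup, noPermissions);
        } catch (AccessControlException e) {
            return "DENIED: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new SecurityManager());
        System.out.println("getProperty  : " + asUntrustedCaller(FileSeparatorLookup::viaSystemProperty));
        System.out.println("constant     : " + asUntrustedCaller(FileSeparatorLookup::viaConstant));
        System.out.println("doPrivileged : " + asUntrustedCaller(FileSeparatorLookup::viaPrivilegedRead));
    }
}
```

Expected: the first lookup is denied with a PropertyPermission for file.separator, while the other two return the separator. The privileged block helps only because it is confined to the property read inside the library's own domain; widening it around template evaluation would hand those privileges to the template, which is the concern raised in the comment above.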



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
