[ https://issues.apache.org/jira/browse/COLLECTIONS-538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14259076#comment-14259076 ]
Thomas Neidhart commented on COLLECTIONS-538:
---------------------------------------------
Ok, I will then mark it as to be fixed for 3.2.2 in case somebody is really
willing to make a new point release for the 3.x branch.
> ExtendedProperties causes AccessControlException when framework is called
> from a script
> ---------------------------------------------------------------------------------------
>
> Key: COLLECTIONS-538
> URL: https://issues.apache.org/jira/browse/COLLECTIONS-538
> Project: Commons Collections
> Issue Type: Bug
> Components: Collection
> Affects Versions: 3.2.1
> Environment: Java security manager enabled
> Reporter: Trejkaz
> Fix For: 3.2.2
>
>
> We're using Velocity 1.7, which depends upon Commons Collections 3.x series'
> ExtendedProperties class.
> ExtendedProperties has these constructors where it looks up the file
> separator using the least convenient means possible:
> {code}
> public ExtendedProperties() {
>     this.fileSeparator = System.getProperty("file.separator");
>     // ...
> }
> {code}
> For us, this is all being called from untrusted code, so this fails with
> AccessControlException.
> I think that instead of using the system property here, it is customary to
> use the File.separator constant.
> If you absolutely _must_ use System.getProperty() to fetch this value, it
> should at least be done from a doPrivileged() block.
> Also I had a quick check of Commons Collections 4 to see if this issue had
> been fixed, but couldn't immediately see what happened to this class. If it
> did turn out to have been fixed in v4, maybe Velocity could be encouraged to
> update to v4, but I haven't seen any updates from them in 4 years, so it's
> probably not a good sign.
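The two alternatives named in the report, shown next to the original lookup, as an added example that is not part of the original message or of the Commons Collections code base. The class and method names are hypothetical, and it assumes a JDK that still provides java.security.AccessController.

```java
import java.io.File;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical holder class; only the three lookup styles matter here.
public class SeparatorLookup {

    // Pattern from the report. With a security manager installed, the check for
    // PropertyPermission("file.separator", "read") covers every protection
    // domain on the call stack, so an untrusted script caller makes it fail
    // with AccessControlException even if the library itself is trusted.
    static String direct() {
        return System.getProperty("file.separator");
    }

    // First suggestion: File.separator is a constant set when java.io.File is
    // initialised. Reading the field performs no permission check at all.
    static String viaConstant() {
        return File.separator;
    }

    // Second suggestion: doPrivileged() stops the stack walk at this frame, so
    // only this class's own protection domain needs the permission.
    static String viaDoPrivileged() {
        try {
            // The cast selects the PrivilegedAction overload for the lambda.
            return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty("file.separator"));
        } catch (SecurityException e) {
            // The library's own domain lacks the permission too:
            // fall back to the constant rather than failing construction.
            return File.separator;
        }
    }

    public static void main(String[] args) {
        // Without a security manager all three agree; under a restrictive
        // policy only direct() depends on the caller's permissions.
        System.out.println("direct:       " + direct());
        System.out.println("constant:     " + viaConstant());
        System.out.println("doPrivileged: " + viaDoPrivileged());
    }
}
```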