[ https://issues.apache.org/jira/browse/JDO-544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Craig Russell updated JDO-544:
------------------------------
Attachment: jdo-544.patch

This updated patch fixes a security hole introduced by the previous patch. The
registerDateFormat method should not be static, as this would bypass the
security check in getInstance.

> NullPointerException in JDOImplHelper if running with security manager enabled
> ------------------------------------------------------------------------------
>
> Key: JDO-544
> URL: https://issues.apache.org/jira/browse/JDO-544
> Project: JDO
> Issue Type: Bug
> Components: api2
> Reporter: Erik Bengtson
> Assignee: Craig Russell
> Priority: Minor
> Attachments: jdo-544.patch
>
>
> --- Craig says:
> Hi Erik,
> Actually, this is a bug in JDOImplHelper. It is missing a
> doPrivileged around calling getDateTimeInstance.
> The permissions you mention should be assigned to the JDO jar, if
> needed at all. We need to look at the implementation here and decide
> if getDateTimeInstance is really needed or if there is some other way
> to get this functionality.
> Can you please file a JIRA?
> Thanks,
> Craig
> On Oct 8, 2007, at 1:25 PM, Erik Bengtson wrote:
> > An application using JDO needs the following additional permissions
> > to run:
> >
> > permission java.util.PropertyPermission "user.country", "read";
> > permission java.util.PropertyPermission "user.timezone", "read,write";
> > permission java.util.PropertyPermission "java.home", "read";
> >
> > Otherwise:
> >
> > Caused by: java.lang.NullPointerException
> > at java.security.AccessControlContext.checkPermission(Unknown Source)
> > at java.security.AccessController.checkPermission(Unknown Source)
> > at java.lang.SecurityManager.checkPermission(Unknown Source)
> > at java.util.TimeZone.hasPermission(Unknown Source)
> > at java.util.TimeZone.setDefaultZone(Unknown Source)
> > at java.util.TimeZone.getDefaultRef(Unknown Source)
> > at java.util.TimeZone.getDefault(Unknown Source)
> > at java.text.SimpleDateFormat.initializeCalendar(Unknown Source)
> > at java.text.SimpleDateFormat.<init>(Unknown Source)
> > at java.text.DateFormat.get(Unknown Source)
> > at java.text.DateFormat.getDateTimeInstance(Unknown Source)
> > at javax.jdo.spi.JDOImplHelper.<clinit>(JDOImplHelper.java:123)
> > ... 22 more
> >
> >
> > Is that interesting to note in the JDO SPEC?
> >
> >
> >
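The two points raised in this thread (a doPrivileged block around getDateTimeInstance, and a non-static registerDateFormat so the check in getInstance cannot be skipped), shown as an added Java sketch that is not the JDO source or the attached patch. The names HelperSketch, HelperPermission, currentDateFormat and the permission name "getHelper" are hypothetical; the SecurityManager API used here is deprecated in current JDKs.

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;
import java.text.DateFormat;
import java.util.Date;

// Hypothetical stand-in for a helper class like the one discussed; not JDO code.
public class HelperSketch {
    // Hypothetical permission guarding access to the helper singleton.
    static final class HelperPermission extends BasicPermission {
        HelperPermission(String name) { super(name); }
    }

    private static final HelperSketch INSTANCE = new HelperSketch();

    // Built inside a privileged block: the property reads performed by
    // DateFormat/TimeZone are checked against this class's own protection
    // domain (its jar), not against every application caller on the stack.
    private static DateFormat dateFormat = AccessController.doPrivileged(
        (PrivilegedAction<DateFormat>) () -> DateFormat.getDateTimeInstance());

    private HelperSketch() {}

    // The only way to obtain the helper: the caller must hold the permission.
    public static HelperSketch getInstance() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new HelperPermission("getHelper"));
        }
        return INSTANCE;
    }

    // Instance method: reachable only through getInstance(), so the check
    // above always runs first. Declared static, any code could call
    // HelperSketch.registerDateFormat(...) without ever being checked.
    public synchronized void registerDateFormat(DateFormat df) {
        dateFormat = df;
    }

    public synchronized DateFormat currentDateFormat() { return dateFormat; }

    public static void main(String[] args) {
        HelperSketch helper = HelperSketch.getInstance();
        helper.registerDateFormat(DateFormat.getDateInstance());
        System.out.println(helper.currentDateFormat().format(new Date()));
    }
}
```

With this layout the property permissions listed in the original report only need to be granted to the jar containing the helper, and the permission to mutate shared state is tied to the single checked entry point.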