I am ok with doing option a.
A couple of things you should know...
There is unprivileged access to the following properties in other areas
of TopLink. Oracle AS solves this issue by granting permission to its
applications to access those properties.
- line.separator
- java.version
- user.dir
- file.separator
- path.separator
- java.io.tmpdir
-Tom
Marina Vatkina wrote:
>Hi Tom,
>
>Do you expect the fix for this issue by a) adding a doPrivileged block around
>System.getProperties() or b) by adding a new class and corresponding methods
>in TopLink oracle/toplink/essentials/internal/security package?
>
>It's easy to do a), but I have a problem with option b) - it allows unauthorized
>access to malicious code: the jars under GF have all permissions, plus a
>public method with doPrivileged block will block further security access
>validation.
>
>Do you see a problem if I do a) and file a separate bug for b)?
>
>thanks,
>-marina
>
>
>
--
Tom Ware
Principal Software Engineer
Oracle Canada Inc.
Direct: (613) 783-4598
Email: tom.ware_at_oracle.com
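
The concern raised in the quoted message about option b), shown next to a narrowly scoped privileged block, as an added example that is not TopLink or GlassFish code. The class and method names are hypothetical, and the fixed key "line.separator" is taken from the property list above as an assumed use.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical class for illustration only; not part of TopLink.
// AccessController is deprecated for removal since Java 17 but still compiles.
public final class PropertyAccessSketch {

    // Pattern the thread warns about: a public method whose doPrivileged
    // block reads a caller-chosen property. The permission check stops at
    // this frame, so the caller's own PropertyPermission is never consulted
    // and any code that can reach this class borrows the jar's permissions.
    public static String getPropertyForAnyone(final String key) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty(key);
            }
        });
    }

    // Narrow alternative: the privileged block is private, sits at the point
    // of use, and reads one fixed key the caller cannot influence.
    private static String lineSeparator() {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty("line.separator");
            }
        });
    }

    // The public API exposes the finished work, not a property lookup.
    public static String joinLines(String... lines) {
        return String.join(lineSeparator(), lines);
    }

    public static void main(String[] args) {
        // Constructed sample input.
        System.out.println(joinLines("first", "second"));
    }
}
```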