libgcjwebplugin.so security README

Hi Jakub,

Mark Cox asked me to write a README about the security risks of using gcjwebplugin, for inclusion in the libgcj RPM. Can you include this in Rawhide gcc's doc directory?

I also realized that gappletviewer wasn't warning people that it runs without a security manager, so I wrote a patch that issues a warning on startup and asks the user if they want to continue. Can it be applied to the Rawhide gcc rpm?

Tom, if we do go with the separate libgcj rpm, these will need to be applied there.

Tom

Attachment: README.libgcjwebplugin.so
Description: Binary data

Index: tools/gnu/classpath/tools/appletviewer/Main.java
===================================================================
RCS file: /sources/classpath/classpath/tools/gnu/classpath/tools/appletviewer/Main.java,v
retrieving revision 1.4
diff -u -r1.4 Main.java
--- tools/gnu/classpath/tools/appletviewer/Main.java	11 May 2006 08:33:05 -0000	1.4
+++ tools/gnu/classpath/tools/appletviewer/Main.java	8 Sep 2006 18:20:32 -0000
@@ -44,10 +44,12 @@
 import gnu.classpath.tools.getopt.Parser;
 import java.applet.Applet;
 import java.awt.Dimension;
+import java.io.BufferedReader;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.net.URL;
 import java.util.ArrayList;
@@ -249,6 +251,7 @@
 
     if (pluginMode)
       {
+        // Plugin will warn user about missing security manager.
 	InputStream in;
 	OutputStream out;
 
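Review bot: The new comment in the pluginMode branch says the plugin will warn the user, but nothing in this patch enforces that, so the plugin path still starts applets without a security manager and without any prompt from appletviewer itself. Please reference where the plugin issues its warning, or note that it is covered by a separate change. The added line is also indented with spaces while the surrounding context lines use tabs.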
@@ -259,6 +262,33 @@
       }
     else
       {
+        // Warn user about missing security manager.
+        System.err.println("WARNING: CURRENTLY GAPPLETVIEWER RUNS WITH NO SECURITY MANAGER.\n\n"
+                           + "THIS MEANS THAT APPLETS YOU LOAD CAN DO ANYTHING A JAVA APPLICATION\n"
+                           + "THAT YOU DOWNLOAD AND RUN CAN DO.  BE *VERY* CAREFUL WHICH APPLETS YOU RUN.\n"
+                           + "DO NOT USE GAPPLETVIEWER ON YOUR SYSTEM IF YOUR SYSTEM STORES IMPORTANT DATA.\n"
+                           + "THIS DATA CAN BE DESTROYED OR STOLEN IF YOU LOAD A MALICIOUS APPLET.\n");
+
+        System.err.println("[press 'c' or 'C' to continue or anything else to quit]");
+
+        BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
+        String response = null;
+
+        try
+          {
+            response = stdin.readLine();
+          }
+        catch (IOException e)
+          {
+            System.err.println("failed to read response to warning message: " + e);
+            System.exit(1);
+          }
+
+        if (!(response.equals("c") || response.equals("C")))
+          {
+            System.exit(0);
+          }
+
         if (code == null)
           {
             // The --code option wasn't given and there are no URL
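Review bot: In the added block of the else branch, stdin.readLine() returns null at end of stream (stdin closed or redirected from an empty source), so the check `if (!(response.equals("c") || response.equals("C")))` throws a NullPointerException instead of quitting cleanly. Treat null as "quit", for example with `if (!"c".equalsIgnoreCase(response))`. Two smaller points: declining exits with status 0, which callers cannot tell apart from a normal run, and the prompt is unconditional, so any non-interactive use of gappletviewer will now block or exit; if that is intended, it should be documented alongside the warning.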
--
fedora-devel-java-list mailing list
fedora-devel-java-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-java-list
