Usage of System.getProperty() vs. SystemProperties.getProperty()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>>>>> "Gary" == Gary Benson <gbenson@xxxxxxxxxx> writes:

>> The reason there is still a lot of code that uses System.getProperty()
>> is either historical (i.e. SystemProperties was introduced after
>> that code was written) or because the author was unaware of
>> SystemProperties.  We've not been as careful about this as we maybe
>> should be.

Gary> The Mauve tests I am writing should cover every method that's
Gary> documented as performing security tests on a property, so don't
Gary> worry about accidentally writing something insecure: I ought to
Gary> catch it in the next few weeks.

I think the issue here is what happens when some random piece of
Classpath is run in an environment with a security manager.  In this
case, the theory goes, we could get security failures where they ought
not occur.  So, we end up using SystemProperties and PrivilegedAction
all over the place...

IOW the security tests are testing that we properly call the security
manager in every place we're required to.  This is great and
definitely necessary.  But, it won't catch this failure mode, which is
that we're calling the security manager, and being rejected, when that
ought not to happen.

Honestly I still wonder whether this is really correct -- it just
seems too heavy.  But I have not investigated it in a real way, so I'm
just spouting off here.

Tom


[Index of Archives]     [Linux Kernel]     [Linux Cryptography]     [Fedora]     [Fedora Directory]     [Red Hat Development]

  Powered by Linux