On Mon, Nov 9, 2009 at 16:34, Martin Buchholz <marti...@google.com> wrote:
> (In response to Joe, who once asked me for little things to add
> to the core libraries)
>
> Lots of classes need to use System.getProperty("line.separator").
> Many don't do it right because you need to use
> a doPrivileged block whenever you read a system property.
> Yet it is no secret - you can divine the line separator
> even if you have no trust with the security manager.
Let me clarify somewhat.
The default Policy
defined in src/share/lib/security/java.policy
allows you to access standard system properties
such as line.separator, but...
$ cat Println.java && java Println
import java.security.*;
public class Println {
public static void main(String[] args) {
Policy.setPolicy(new java.security.Policy() {
public boolean implies(ProtectionDomain pd, Permission p) {
return false;
}});
System.setSecurityManager(new SecurityManager());
System.out.printf("%n");
String.format("%n");
}
}
==> javac -source 1.6 -Xlint:all Println.java
==> java -esa -ea Println
Exception in thread "main" java.security.AccessControlException:
access denied (java.util.PropertyPermission line.separator read)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
at
java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at
java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1302)
at java.lang.System.getProperty(System.java:669)
at java.util.Formatter$FormatSpecifier.print(Formatter.java:2700)
at java.util.Formatter.format(Formatter.java:2437)
at java.io.PrintStream.format(PrintStream.java:937)
at java.io.PrintStream.printf(PrintStream.java:838)
at Println.main(Println.java:10)
---
Also, File.java only makes available the first char of the system properties
(ensuring that Java will never work on platforms where
file.separator is more than one character,
or is a supplementary character?
Martin
