On 04/06/2018 20:59, Roger Riggs wrote:
:
Are the changes to SocksSocketImpl correct? I may have missed
something but the original called System.getProperty("user.dir") in a
privileged block so I'm wondering if getUserNameChecked is needed.
The existing code in SocksSocketImpl is inconsistent with respect to
access to user.name; some flows
use doPriv to access the property and others did not. If someone
familiar with the Socks networking function
can recommend the proper access, it can be revised. The intent was to
have the same security checks
as before.
The original code at L181 is using
GetPropertyAction.privilegedGetProperty so it looks like it reads the
value of the property in a privileged block. The replacement code is
doing an explicit permission check. If I read the original code
correctly then it should only be doing a permission check for the proxy
case. So I think it needs to be checked, another set of eyes would be
useful.
-Alan
