I don't understand. If I can modify java.home, it means I can control
any properties the VM comes up with, right? Isn't java.home set on VM
start and immutable?
geir
Tim Ellison wrote:
Alexey Varlamov wrote:
Boris, for the security-sensitive applications, there is an appropriate
guard in place:
    public SecurityManager() {
        SecurityManager security = System.getSecurityManager();
        if (security != null) {
            security.checkPermission(RuntimePermission.permissionToCreateSecurityManager);
        }
        Class<?> type = Security.class; // initialize Security properties
        if (type == null) {
            throw new AssertionError();
        }
    }
I believe this is enough. In fact if the code has enough privileges to
modify such principal system properties, there might be even more
severe problems...
I agree.
Regards,
Tim
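
The two permissions this exchange turns on, as an added example that is not part of the thread or of the Harmony sources: it evaluates whether a permission set allows writing java.home or creating a SecurityManager, then shows what System.setProperty does to java.home in the running VM. The class name GuardDemo, both permission sets and the path are constructed for illustration.

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

public class GuardDemo {
    // Constructed permission set for code that may only read java.home.
    static Permissions restricted() {
        Permissions p = new Permissions();
        p.add(new PropertyPermission("java.home", "read"));
        return p;
    }

    // Constructed permission set for code trusted to rewrite any property.
    static Permissions privileged() {
        Permissions p = new Permissions();
        p.add(new PropertyPermission("*", "read,write"));
        p.add(new RuntimePermission("createSecurityManager"));
        return p;
    }

    // Reports whether the set covers the two sensitive operations.
    static void report(String label, Permissions granted) {
        Permission writeHome = new PropertyPermission("java.home", "write");
        Permission createSm = new RuntimePermission("createSecurityManager");
        System.out.printf("%s: write java.home=%b, createSecurityManager=%b%n",
                label, granted.implies(writeHome), granted.implies(createSm));
    }

    public static void main(String[] args) {
        report("restricted", restricted());
        report("privileged", privileged());

        // System.setProperty is only refused when an installed SecurityManager
        // denies PropertyPermission("java.home", "write").
        String original = System.getProperty("java.home");
        try {
            System.setProperty("java.home", "/constructed/example/path");
            System.out.println("java.home now: " + System.getProperty("java.home"));
            System.setProperty("java.home", original); // restore the real value
        } catch (SecurityException e) {
            System.out.println("write to java.home denied: " + e.getMessage());
        }
    }
}
```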