On 9/8/18 11:42 AM, Wang Weijun wrote:
> Thinking about this again. Looks like the absolute path is not necessary. Even
> if there are multiple files using the same name, they will be in different
> directories, no matter absolute or relative. Suppose the jarPath info is used
> for debugging purposes mostly, like the developer can find out what the current
> working directory is and can find the files. *Matthias*: Is the absolute path
> really necessary? Are you working on an actual case?
>
> As for the possible global effect of a security property, maybe we can emphasize
> that this is both a security property and system property, and if it’s just for
> one time use, it’s better to use a system property.
>
> BTW, does the existing value “hostInfo” of the property have a similar problem?

No. In that case, the sensitive data (IP address) is provided by the
caller, so there is no leakage of sensitive data from trusted code that
it is calling.
--Sean