[rfc][icedtea-web] DeploymentPropertiesAreExposed reproducer fix

Omair Majid omajid at redhat.com
Fri Sep 13 13:13:56 PDT 2013

Hi Andrew,

On 09/13/2013 04:06 PM, Andrew Azores wrote:
> --- a/netx/net/sourceforge/jnlp/config/Defaults.java
> +++ b/netx/net/sourceforge/jnlp/config/Defaults.java

> -    final static String USER_CONFIG_HOME;
> +    public final static String USER_CONFIG_HOME;
>      public final static String USER_CACHE_HOME;

One not-immediately-obvious consequence of making these variables public
is that a random untrusted program might be able to look at them and
guess the value of System.getProperty("user.home"). That would be
leaking information and a security hole.

Thankfully, icedtea-web does disallow access to net.sourceforge.jnlp.**
packages so accessing the Defaults class should not be possible in
general. But I am still going to strongly encourage you to not expose


PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681

More information about the distro-pkg-dev mailing list