← Back to team overview

openjdk team mailing list archive

  1. openjdk team
  2. Mailing list archive
  3. Message #03919

[Bug 596688] [NEW] code from privileged sources executed with restricted permissions

  Thread PreviousDate PreviousThread Next 
Public bug reported:

When executing a Java applet or calling Java directly from Firefox
chrome:// code (e.g., Firefox extensions), the code should be granted
AllPermissions. Given that chrome:// code has shell execution
privileges, this is not a security hole. Permissions are handled
properly by the Sun NPRuntime Java plug-in, and were handled mostly
properly by the old OJI/LiveConnect plug-in.

Running the following from a Firefox overlay:

new
java.net.URLClassLoader(java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.net.URL"),
0));

produces the following error in icedtea6-plugin-6b18-1.8-0ubuntu1

java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
	at sun.applet.PluginAppletSecurityContext$6.run(PluginAppletSecurityContext.java:1050)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.applet.PluginAppletSecurityContext.handleMessage(PluginAppletSecurityContext.java:1047)
	at sun.applet.AppletSecurityContextManager.handleMessage(AppletSecurityContextManager.java:69)
	at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:273)
	at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
	at java.security.AccessController.checkPermission(AccessController.java:553)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:282)
	at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
	at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:194)
	at java.lang.ClassLoader.<init>(ClassLoader.java:243)
	at java.security.SecureClassLoader.<init>(SecureClassLoader.java:94)
	at java.net.URLClassLoader.<init>(URLClassLoader.java:130)
	... 10 more
Error on Java side: LiveConnectPermissionNeeded access denied (java.lang.RuntimePermission createClassLoader)

This same code executes without a hitch in the sun-java6-plugin-6.20dlj-
1ubuntu3. This is currently preventing the Zotero OpenOffice plug-in
from working on a default Ubuntu installation.

** Affects: openjdk-6 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
code from privileged sources executed with restricted permissions
https://bugs.launchpad.net/bugs/596688
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in “openjdk-6” package in Ubuntu: New

Bug description:
When executing a Java applet or calling Java directly from Firefox chrome:// code (e.g., Firefox extensions), the code should be granted AllPermissions. Given that chrome:// code has shell execution privileges, this is not a security hole. Permissions are handled properly by the Sun NPRuntime Java plug-in, and were handled mostly properly by the old OJI/LiveConnect plug-in.

Running the following from a Firefox overlay:

new java.net.URLClassLoader(java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.net.URL"), 0));

produces the following error in icedtea6-plugin-6b18-1.8-0ubuntu1

java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
	at sun.applet.PluginAppletSecurityContext$6.run(PluginAppletSecurityContext.java:1050)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.applet.PluginAppletSecurityContext.handleMessage(PluginAppletSecurityContext.java:1047)
	at sun.applet.AppletSecurityContextManager.handleMessage(AppletSecurityContextManager.java:69)
	at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:273)
	at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
	at java.security.AccessController.checkPermission(AccessController.java:553)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:282)
	at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
	at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:194)
	at java.lang.ClassLoader.<init>(ClassLoader.java:243)
	at java.security.SecureClassLoader.<init>(SecureClassLoader.java:94)
	at java.net.URLClassLoader.<init>(URLClassLoader.java:130)
	... 10 more
Error on Java side: LiveConnectPermissionNeeded access denied (java.lang.RuntimePermission createClassLoader)

This same code executes without a hitch in the sun-java6-plugin-6.20dlj-1ubuntu3. This is currently preventing the Zotero OpenOffice plug-in from working on a default Ubuntu installation.

Follow ups

References

  Thread PreviousDate PreviousThread Next