[E-Lang] Announcing stl-E 0.8.9k: An interim non-distributed release

Chip Morningstar chip@groucho.communities.com
Tue, 2 Jan 2001 15:45:39 -0800 (PST)

Alan Karp wrote:
> Does that mean you can make a Java class access the file system by passing
> it a bad argument even if there's no file access code in the class?

It depends on whether you mean file access code per se or merely code which
ultimately leads to file access. For example, one of the Java security problems
that the Princeton folks found was a case in which font names where ultimately
used in the construction of filenames (in order to obtain a font's descriptive
data).  By correctly providing a suitably mangled font name, a user could trick
the font code into accessing all kinds of files that it shouldn't have (a
classic Confused Deputy bug).

A piece of GUI code might not realize it is refering to a file when it hands
around a string that it believes is merely a font name. Somebody inspecting
that code for file accesses might not realize it either.

  Chip Morningstar                                         Communities.com
  chip@communities.com             10101 N.DeAnza Blvd, Cupertino CA 95014
  http://www.communities.com                                  408-342-9522

	      "It's now safe to turn off your computer."