Security related problems triggered by calling URL.inputStream() for an "ftp" URL

Project:JNode Core
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:closed
Description

I've run into a security problem while trying to use the 'cat' command to fetch a remote file. When I run "cat ftp://140.186.70.20/README" (that is ftp.gnu.org) I get a stack trace for a SecurityException, that says sun.misc.UnsafeHelper does not have the permission org.jnode.security.JNodeSecurityPermission "getVmClass".

I can work around this by adding the relevant permission to the plugin descriptor for org.jnode.fs.commands. The FTP now works, but the following message is now written to the console: "MagicPermission is not granted for the type: sun.misc.UnsafeHelper".

I'm pretty sure that this wasn't happening two or three days ago.

For the record, the problem is reproducible in the current head version in svn.

#1

Status:active» closed

I might be wrong but I suspect something due to the name of the class Unsafe* and a kind of conflict with *our* Unsafe class. if that's the case, then the sun's class need that magic permission.

anyway, I think lsantha could say much about that.

#2

That might be the second problem, but I don't think it is the first one. And certainly, my workaround is not the right thing to do!

#3

I think I'we fixed the exceptions related to this in the latest SVN trunk. Can you confirm it?

#4

That fixes the problem for me. Thanks.

#5

I am still seeing the warnings about MagicPermission though. They don't seem to be stopping anything from working, but it would be good if the root cause was addressed. (I'm assuming that they actually mean something ...)

#6