Issue1185

classification
Title: SecurityException loading classes with __classpath__ in the classpath
Type: security Severity: normal
Components: Core Versions: 2.2.2
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: ecapachedev, pjenvey
Priority: normal Keywords:

Created on 2008-11-26.23:11:23 by ecapachedev, last changed 2009-06-21.21:54:20 by pjenvey.

Files
File name Uploaded Description Edit Remove
imp.java ecapachedev, 2008-11-26.23:11:22 Modified imp.java file (from 2.2.1)
SyspathJavaLoader.java ecapachedev, 2008-11-26.23:11:52 Modified SyspathJavaLoader.java file (from 2.2.1)
Messages
msg3855 (view) Author: (ecapachedev) Date: 2008-11-26.23:11:19
When using Jython in a container with security enabled, the
"__classpath__" classpath causes a SecurityException unless there is a
FilePermission grant to "__classpath__/-".  Since the injection of
"__classpath__" to the classpath is sort of a hack to get the
JavaImporter to be used, it would seem there should be code to ignore
the use of the path when loading classes.  In particular, the two places
I noticed an issue are:

1) org.python.core.imp.loadFromSource(String, String, PyObject)
   A check for dir.isDirectory() will cause the SecurityException.  As a
potential workaround, first check for
directoryName.equals("__classpath__") and if true, return null.

2) org.python.core.SyspathJavaLoader.loadClass(String, boolean)
   A call to file.length() will cause the SecurityException.  As a
potential workaround, first check for !dir.equals("__classpath__")
before proceeding to create the File and read from it.
msg4836 (view) Author: Philip Jenvey (pjenvey) Date: 2009-06-21.21:54:20
handling SecurityExceptions for these two places (and many more) were 
added in r6252 (for #1188)
History
Date User Action Args
2009-06-21 21:54:20pjenveysetstatus: open -> closed
resolution: fixed
messages: + msg4836
nosy: + pjenvey
2009-03-14 02:35:54fwierzbickisetpriority: normal
2008-11-26 23:26:46ecapachedevsettitle: SecurityException with __classpath__ in the classpath -> SecurityException loading classes with __classpath__ in the classpath
2008-11-26 23:11:52ecapachedevsetfiles: + SyspathJavaLoader.java
2008-11-26 23:11:23ecapachedevcreate