91 /** |
91 /** |
92 * Convenience method to get a property without going through doPrivileged |
92 * Convenience method to get a property without going through doPrivileged |
93 * if no security manager is present. This is unsafe for inclusion in a |
93 * if no security manager is present. This is unsafe for inclusion in a |
94 * public API but allowable here since this class is now encapsulated. |
94 * public API but allowable here since this class is now encapsulated. |
95 * |
95 * |
|
96 * Note that this method performs a privileged action using caller-provided |
|
97 * inputs. The caller of this method should take care to ensure that the |
|
98 * inputs are not tainted and the returned property is not made accessible |
|
99 * to untrusted code if it contains sensitive information. |
|
100 * |
96 * @param theProp the name of the system property. |
101 * @param theProp the name of the system property. |
97 */ |
102 */ |
98 public static String getProperty(String theProp) { |
103 public static String privilegedGetProperty(String theProp) { |
99 if (System.getSecurityManager() == null) { |
104 if (System.getSecurityManager() == null) { |
100 return System.getProperty(theProp); |
105 return System.getProperty(theProp); |
101 } else { |
106 } else { |
102 return AccessController.doPrivileged( |
107 return AccessController.doPrivileged( |
103 new GetPropertyAction(theProp)); |
108 new GetPropertyAction(theProp)); |
107 /** |
112 /** |
108 * Convenience method to get a property without going through doPrivileged |
113 * Convenience method to get a property without going through doPrivileged |
109 * if no security manager is present. This is unsafe for inclusion in a |
114 * if no security manager is present. This is unsafe for inclusion in a |
110 * public API but allowable here since this class is now encapsulated. |
115 * public API but allowable here since this class is now encapsulated. |
111 * |
116 * |
|
117 * Note that this method performs a privileged action using caller-provided |
|
118 * inputs. The caller of this method should take care to ensure that the |
|
119 * inputs are not tainted and the returned property is not made accessible |
|
120 * to untrusted code if it contains sensitive information. |
|
121 * |
112 * @param theProp the name of the system property. |
122 * @param theProp the name of the system property. |
113 * @param defaultVal the default value. |
123 * @param defaultVal the default value. |
114 */ |
124 */ |
115 public static String getProperty(String theProp, String defaultVal) { |
125 public static String privilegedGetProperty(String theProp, |
|
126 String defaultVal) { |
116 if (System.getSecurityManager() == null) { |
127 if (System.getSecurityManager() == null) { |
117 return System.getProperty(theProp, defaultVal); |
128 return System.getProperty(theProp, defaultVal); |
118 } else { |
129 } else { |
119 return AccessController.doPrivileged( |
130 return AccessController.doPrivileged( |
120 new GetPropertyAction(theProp, defaultVal)); |
131 new GetPropertyAction(theProp, defaultVal)); |
124 /** |
135 /** |
125 * Convenience method to call <code>System.getProperties</code> without |
136 * Convenience method to call <code>System.getProperties</code> without |
126 * having to go through doPrivileged if no security manager is present. |
137 * having to go through doPrivileged if no security manager is present. |
127 * This is unsafe for inclusion in a public API but allowable here since |
138 * This is unsafe for inclusion in a public API but allowable here since |
128 * this class is now encapsulated. |
139 * this class is now encapsulated. |
|
140 * |
|
141 * Note that this method performs a privileged action, and callers of |
|
142 * this method should take care to ensure that the returned properties |
|
143 * are not made accessible to untrusted code since it may contain |
|
144 * sensitive information. |
129 */ |
145 */ |
130 public static Properties getProperties() { |
146 public static Properties privilegedGetProperties() { |
131 if (System.getSecurityManager() == null) { |
147 if (System.getSecurityManager() == null) { |
132 return System.getProperties(); |
148 return System.getProperties(); |
133 } else { |
149 } else { |
134 return AccessController.doPrivileged( |
150 return AccessController.doPrivileged( |
135 new PrivilegedAction<Properties>() { |
151 new PrivilegedAction<Properties>() { |