* FYI: InetAddress security fixes
@ 2006-09-01 10:09 Gary Benson
From: Gary Benson @ 2006-09-01 10:09 UTC (permalink / raw)
To: java-patches
[-- Attachment #1: Type: text/plain, Size: 146 bytes --]
Hi all,
This commit stops InetAddress.getByName() and getAllByName()
performing security checks when DNS lookups are not required.
Cheers,
Gary
[-- Attachment #2: patch --]
[-- Type: text/plain, Size: 2389 bytes --]
Index: ChangeLog
===================================================================
--- ChangeLog (revision 116620)
+++ ChangeLog (working copy)
@@ -1,3 +1,8 @@
+2006-09-01 Gary Benson <gbenson@redhat.com>
+
+ * java/net/InetAddress.java (getByName, getAllByName):
+ Only perform security check when DNS lookups are required.
+
2006-08-31 Keith Seitz <keiths@redhat.com>
* include/jvmti_md.h: New file.
Index: java/net/InetAddress.java
===================================================================
--- java/net/InetAddress.java (revision 116620)
+++ java/net/InetAddress.java (working copy)
@@ -592,14 +592,10 @@
throws UnknownHostException
{
// If null or the empty string is supplied, the loopback address
- // is returned. Note that this is permitted without a security check.
+ // is returned.
if (hostname == null || hostname.length() == 0)
return loopback;
- SecurityManager s = System.getSecurityManager();
- if (s != null)
- s.checkConnect(hostname, -1);
-
// Assume that the host string is an IP address
byte[] address = aton(hostname);
if (address != null)
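Review bot: The shortened comment above the null/empty test no longer says that this return happens without a security check, and the literal-address branch that follows (byte[] address = aton(hostname)) now also runs before checkConnect with nothing in the source saying so. Suggest keeping the original note and adding a matching one at "// Assume that the host string is an IP address", stating that no check is made because no lookup is performed, so the intent is visible at the place the check was removed from.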
@@ -623,6 +619,11 @@
throw new UnknownHostException ("Address has invalid length");
}
+ // Perform security check before resolving
+ SecurityManager s = System.getSecurityManager();
+ if (s != null)
+ s.checkConnect(hostname, -1);
+
// Try to resolve the host by DNS
InetAddress result = new InetAddress(null, null);
lookup (hostname, result, false);
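Review bot: Nothing in the patch exercises the new position of s.checkConnect(hostname, -1), which now sits after the "Address has invalid length" throw and directly before lookup (hostname, result, false). A regression test run under a SecurityManager that denies connect would pin the behaviour down: a literal address should come back with no SecurityException, and a name that needs resolving should throw before lookup is reached.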
@@ -650,14 +651,10 @@
throws UnknownHostException
{
// If null or the empty string is supplied, the loopback address
- // is returned. Note that this is permitted without a security check.
+ // is returned.
if (hostname == null || hostname.length() == 0)
return new InetAddress[] {loopback};
- SecurityManager s = System.getSecurityManager();
- if (s != null)
- s.checkConnect(hostname, -1);
-
// Check if hostname is an IP address
byte[] address = aton (hostname);
if (address != null)
@@ -667,6 +664,11 @@
return result;
}
+ // Perform security check before resolving
+ SecurityManager s = System.getSecurityManager();
+ if (s != null)
+ s.checkConnect(hostname, -1);
+
// Try to resolve the hostname by DNS
return lookup (hostname, null, true);
}
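Review bot: The four lines added before "return lookup (hostname, null, true);" are an exact copy of the block added ahead of the DNS lookup in the other method this patch touches. A small private helper wrapping the getSecurityManager() / checkConnect(hostname, -1) pair, called from both getByName and getAllByName, would keep the two entry points from drifting apart if the check ever changes.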