You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@lucene.apache.org by "Hoss Man (JIRA)" <ji...@apache.org> on 2014/08/23 00:22:11 UTC

[jira] [Commented] (LUCENE-5650) Enforce read-only access to any path outside the temporary folder via security manager

    [ https://issues.apache.org/jira/browse/LUCENE-5650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14107604#comment-14107604 ] 

Hoss Man commented on LUCENE-5650:
----------------------------------

Back in may [~dweiss] mentioned letting this soak on trunk a bit before backporting ... did it slip through the cracks?

FWIW: SOLR-6410 popped up on 4x but was already fixed on trunk as part of this issue, i'm going to backport just the key elements of this issue that related to that bug to 4x under the banner of SOLR-6410 in order to backport to branch_4_10 as well.

> Enforce read-only access to any path outside the temporary folder via security manager
> --------------------------------------------------------------------------------------
>
>                 Key: LUCENE-5650
>                 URL: https://issues.apache.org/jira/browse/LUCENE-5650
>             Project: Lucene - Core
>          Issue Type: Improvement
>          Components: general/test
>            Reporter: Ryan Ernst
>            Assignee: Dawid Weiss
>            Priority: Minor
>             Fix For: 4.9, 5.0
>
>         Attachments: LUCENE-5650.patch, LUCENE-5650.patch, LUCENE-5650.patch, LUCENE-5650.patch, dih.patch
>
>
> The recent refactoring to all the create temp file/dir functions (which is great!) has a minor regression from what existed before.  With the old {{LuceneTestCase.TEMP_DIR}}, the directory was created if it did not exist.  So, if you set {{java.io.tmpdir}} to {{"./temp"}}, then it would create that dir within the per jvm working dir.  However, {{getBaseTempDirForClass()}} now does asserts that check the dir exists, is a dir, and is writeable.
> Lucene uses {{"."}} as {{java.io.tmpdir}}.  Then in the test security manager, the per jvm cwd has read/write/execute permissions.  However, this allows tests to write to their cwd, which I'm trying to protect against (by setting cwd to read/execute in my test security manager).



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org