...
A comprehensive way of handling this issue is to grant the application the permissions to operate only on files present within the intended directory — the user's home directory in this example. This compliant solution specifies the absolute path of the program in its security policy file and grants java.io.FilePermission with target /${user.home}/me* and actions read and write.
| Code Block | ||
|---|---|---|
| ||
grant codeBase "file:/home/programpath/" {
permission java.io.FilePermission "${user.home}/*", "read, write";
};
|
...
FIO02-C. Canonicalize path names originating from untrusted sources | ||||
FIO02-CPP. Canonicalize path names originating from untrusted sources | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2586dd94efa3651a-8d1d9644-47ea4834-8e168b7c-3691d67aa839cc8fbd9dfe89"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | Path Traversal [EWR] | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-171. Cleansing, canonicalization, and comparison errors | ||||
| CWE-647. Use of non-canonical URL paths for authorization decisions |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="675657bf0749b02b-13ee4e1d-427c4789-83cb827c-f71a739743c9d28f51aef49b"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [method getCanonicalPath() | http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalPath()] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d28b0e0789d8b693-99bc5de4-4ce04a73-a62fab40-2bbe37e488f8d443b2b7a0ee"><ac:plain-text-body><![CDATA[ | [[Harold 1999 | AA. Bibliography#Harold 99]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
...