Permission Analysis Report


Analysis of: org.eclipse.core.runtime

Detail





Class: org.eclipse.core.internal.boot.PlatformURLBaseConnection (Application)
DoPrivileged location: Line# 46 java.net.URL resolve(  )
   Permission: java.lang.RuntimePermission "getClassLoader"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.lang.RuntimePermission "modifyThread"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.net.NetPermission "specifyStreamHandler"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.net.SocketPermission "???host???", "resolve"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.net.SocketPermission "???host???:???port???", "connect"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.net.SocketPermission "localhost", "resolve"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.net.SocketPermission "localhost:1024-", "resolve"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.net.SocketPermission "localhost:1024-:???port???", "connect"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.net.SocketPermission "localhost:???port???", "connect"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: java.util.PropertyPermission "java.protocol.handler.pkgs", "read"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: org.osgi.framework.ServicePermission "", ""
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: org.osgi.framework.ServicePermission "", "get"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: org.osgi.framework.ServicePermission "java.net.ContentHandler", ""
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: org.osgi.framework.ServicePermission "java.net.ContentHandler", "get"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: org.osgi.framework.ServicePermission "org.osgi.service.url.URLStreamHandlerService", ""
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )
   Permission: org.osgi.framework.ServicePermission "org.osgi.service.url.URLStreamHandlerService", "get"
      Primordial/void java.net.URL.URL( java.net.URL, java.lang.String )


CODE

protected URL resolve() throws IOException {
		String spec = url.getFile().trim();
		if (spec.startsWith("/")) //$NON-NLS-1$
			spec = spec.substring(1);
		if (!spec.startsWith(PLATFORM + "/")) { //$NON-NLS-1$
			String message = NLS.bind(Messages.url_badVariant, url);
			throw new IOException(message);
		}
		return spec.length() == PLATFORM.length() + 1 ? installURL : new URL(installURL, spec.substring(PLATFORM.length() + 1));
	}


Tainted variable reference trace:


Permission Requirements:




Conclusion:

A typical URL construction.  It is ok to wrap it in a doPrivilged action.

Grant the above permissions to this plug-in via OSGI-INF/permissions.perm file.

Change the above method as the following:

	protected URL resolve() throws IOException {
		URL rtvValue = null;
		String spec = url.getFile().trim();
		if (spec.startsWith("/")) //$NON-NLS-1$
			spec = spec.substring(1);
		if (!spec.startsWith(PLATFORM + "/")) { //$NON-NLS-1$
			String message = NLS.bind(Messages.url_badVariant, url);
			throw new IOException(message);
		}
		
		if(spec.length() == PLATFORM.length() + 1) {
			rtvValue = installURL;
		} else {
			if(System.getSecurityManager() == null) {
				rtvValue = new URL(installURL, spec.substring(PLATFORM.length() + 1));
			} else {
				try {
					rtvValue = (URL) AccessController.doPrivileged(new SecureURL(installURL, spec.substring(PLATFORM.length() + 1)));
				} catch (PrivilegedActionException pae) {
					throw (IOException) new IOException().initCause(pae);
				}
			}
		}
		return rtvValue;
	}