Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 332980

Summary: win32 java.library.path problems
Product: [Eclipse Project] Equinox Reporter: Andrew Niefer <aniefer>
Component: LauncherAssignee: Project Inbox <equinox.launcher-inbox>
Status: RESOLVED WONTFIX QA Contact:
Severity: normal    
Priority: P3 CC: jdmiles, remy.suen, tjwatson, wayne.beaton
Version: unspecifiedKeywords: security
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Whiteboard:

Description Andrew Niefer CLA 2010-12-20 17:31:14 EST 
On windows, the jvm automatically adds the current working directory to the java.library.path.  

The form of the java.library.path seems to be
<vm-specific-directories>;.;<vm-specific-directories>;<windows PATH>

This can be exploited in a manner similar to bug 325902 and bug 325294.

This affects java System.loadLibrary calls when the class loader returns null from ClassLoader.findLibrary


The way to fix this would be for the launcher to set the java.library.path property.  However, I do not like this at all because we have no way to know what the required vm-specific paths are.
Comment 1 Wayne Beaton CLA 2012-01-13 12:06:00 EST 
What is our status here? After more than a year, is it time to remove the committer-only restriction on this bug?
Comment 2 Wayne Beaton CLA 2012-02-05 13:30:44 EST 
(In reply to comment #1)
> What is our status here? After more than a year, is it time to remove the
> committer-only restriction on this bug?

Ping?
Comment 3 Wayne Beaton CLA 2012-03-22 10:24:07 EDT 
(In reply to comment #2)
> (In reply to comment #1)
> > What is our status here? After more than a year, is it time to remove the
> > committer-only restriction on this bug?
> 
> Ping?

Unless somebody can present me with a compelling reason to not do so, I will take the "committer-only" flag off this bug on my next pass through so-marked bugs.
Comment 4 Thomas Watson CLA 2013-05-22 15:20:52 EDT 
I'm wondering how this is any different than a normal java program.  I don't think there is much point in leaving the commiter-only group on here.
Comment 5 Wayne Beaton CLA 2019-05-14 14:10:11 EDT 
Per our policy, I have removed the committer-only flag.
Comment 6 Thomas Watson CLA 2019-05-14 16:28:27 EDT 
I'm not sure the current JVMs still have this issue.  Regardless, I don't see us changing this at this point in time.  To me it seems like a general issue (if it still exists) with the JVM itself.