332980 – win32 java.library.path problems

Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 332980 - win32 java.library.path problems

Summary: win32 java.library.path problems

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Equinox
Classification:	Eclipse Project
Component:	Launcher (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P3 normal (vote)
Target Milestone:	---
Assignee:	Project Inbox
QA Contact:

URL:
Whiteboard:
Keywords:	security

Depends on:
Blocks:

Reported:	2010-12-20 17:31 EST by Andrew Niefer
Modified:	2019-05-14 16:28 EDT (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Niefer

2010-12-20 17:31:14 EST

On windows, the jvm automatically adds the current working directory to the java.library.path.  

The form of the java.library.path seems to be
<vm-specific-directories>;.;<vm-specific-directories>;<windows PATH>

This can be exploited in a manner similar to bug 325902 and bug 325294.

This affects java System.loadLibrary calls when the class loader returns null from ClassLoader.findLibrary


The way to fix this would be for the launcher to set the java.library.path property.  However, I do not like this at all because we have no way to know what the required vm-specific paths are.

Comment 1 Wayne Beaton

2012-01-13 12:06:00 EST

What is our status here? After more than a year, is it time to remove the committer-only restriction on this bug?

Comment 2 Wayne Beaton

2012-02-05 13:30:44 EST

(In reply to comment #1)
> What is our status here? After more than a year, is it time to remove the
> committer-only restriction on this bug?

Ping?

Comment 3 Wayne Beaton

2012-03-22 10:24:07 EDT

(In reply to comment #2)
> (In reply to comment #1)
> > What is our status here? After more than a year, is it time to remove the
> > committer-only restriction on this bug?
> 
> Ping?

Unless somebody can present me with a compelling reason to not do so, I will take the "committer-only" flag off this bug on my next pass through so-marked bugs.

Comment 4 Thomas Watson

2013-05-22 15:20:52 EDT

I'm wondering how this is any different than a normal java program.  I don't think there is much point in leaving the commiter-only group on here.

Comment 5 Wayne Beaton

2019-05-14 14:10:11 EDT

Per our policy, I have removed the committer-only flag.

Comment 6 Thomas Watson

2019-05-14 16:28:27 EDT

I'm not sure the current JVMs still have this issue.  Regardless, I don't see us changing this at this point in time.  To me it seems like a general issue (if it still exists) with the JVM itself.