Comment: Added an Android Implementation Details section

...

This noncompliant code example describes a security vulnerability from the Java 1.5 java.io package. In this release, java.io.File is nonfinal, so an attacker can supply an untrusted argument constructed by extending the legitimate File class. In this manner, the getPath() method can be overridden so that the security check passes the first time it is called, but the returned value changes the second time to refer to a sensitive file such as /etc/passwd. This is an example of a time-of-check, time-of-use (TOCTOU) vulnerability.

public RandomAccessFile openFile(final java.io.File f) throws IOException {
  // Time of check: the user is asked about whatever f.getPath() returns right now.
  askUserPermission(f.getPath());
  // ...
  try {
    return AccessController.doPrivileged(new PrivilegedExceptionAction<RandomAccessFile>() {
      public RandomAccessFile run() throws IOException {
        // Time of use: the RandomAccessFile(File, String) constructor calls f.getPath()
        // again, so an overriding getPath() can return a different path here.
        return new RandomAccessFile(f, "r");
      }
    });
  } catch (PrivilegedActionException e) {
    throw (IOException) e.getCause();
  }
}

The attacker could extend java.io.File as follows:

public class BadFile extends java.io.File {
  private int count;

  public BadFile(String path) {
    super(path); // java.io.File has no no-argument constructor
  }

  @Override
  public String getPath() {
    // Harmless path on the first query (the permission check), sensitive path afterwards.
    return (++count == 1) ? "/tmp/foo" : "/etc/passwd";
  }
}

...

This compliant solution ensures that the java.io.File object can be trusted even though java.io.File is not final. The solution creates a new File object using the standard constructor and uses only that copy for both the permission check and the privileged open. This ensures that any methods invoked on the File object are the standard library methods and not overriding methods that have been provided by the attacker.

public RandomAccessFile openFile(java.io.File f) throws IOException {
  // Defensive copy: a plain java.io.File whose getPath() cannot have been overridden.
  final java.io.File copy = new java.io.File(f.getPath());
  askUserPermission(copy.getPath());
  // ...
  try {
    return AccessController.doPrivileged(new PrivilegedExceptionAction<RandomAccessFile>() {
      public RandomAccessFile run() throws IOException {
        // The same copy is used here, so the checked path and the opened path agree.
        return new RandomAccessFile(copy, "r");
      }
    });
  } catch (PrivilegedActionException e) {
    throw (IOException) e.getCause();
  }
}
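The following stand-alone program is an added illustration, not code from the CERT rule, of why the noncompliant and compliant examples above differ. It models the permission check as a first getPath() call and the privileged open as a second one, and reports whether the two steps saw the same path; the BadFile subclass and the /tmp/secret path are constructed for the demonstration.

```java
import java.io.File;

public class TocTouDemo {

    // Constructed malicious subclass mirroring the page's BadFile: the first
    // getPath() call answers with a harmless path, every later call with another.
    static class BadFile extends File {
        private int count;

        BadFile(String path) {
            super(path);
        }

        @Override
        public String getPath() {
            return (++count == 1) ? "/tmp/foo" : "/tmp/secret"; // placeholder paths
        }
    }

    /** Noncompliant pattern: the check and the use each query the caller's object. */
    static boolean vulnerableCheckThenUse(File f) {
        String checked = f.getPath(); // what askUserPermission() would be shown
        String used = f.getPath();    // what RandomAccessFile(File, String) would open
        return checked.equals(used);
    }

    /** Compliant pattern: a defensive copy is queried for both steps. */
    static boolean hardenedCheckThenUse(File f) {
        File copy = new File(f.getPath()); // library File, so getPath() is the real one
        String checked = copy.getPath();
        String used = copy.getPath();
        return checked.equals(used);
    }

    public static void main(String[] args) {
        // Each call gets a fresh BadFile so its first getPath() is the "harmless" one.
        System.out.println("noncompliant: check and use agree = "
                + vulnerableCheckThenUse(new BadFile("/tmp/foo")));
        System.out.println("compliant:    check and use agree = "
                + hardenedCheckThenUse(new BadFile("/tmp/foo")));
    }
}
```

Whatever path the copy captures is the path the user is asked about, so the attacker can no longer present one path to the check and a different one to the open.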

...

ISO/IEC TR 24772:2010

Authentication Logic Error [XZO]

MITRE CWE

CWE-302. Authentication bypass by assumed-immutable data


CWE-470. Use of externally-controlled input to select classes or code ("unsafe reflection")

Android Implementation Details

The code examples using the java.security package are not applicable to Android, but the principle of the rule applies to Android apps.

Bibliography
