Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.2.1
-
None
-
Java security manager enabled
Description
We're using Velocity 1.7, which depends upon Commons Collections 3.x series' ExtendedProperties class.
ExtendedProperties has these constructors where it looks up the file separator using the least convenient means possible:
public ExtendedProperties() { this.fileSeparator = System.getProperty("file.separator"); // ... }
For us, this is all being called from untrusted code, so this fails with AccessControlException.
I think that instead of using the system property here, it is customary to use the File.separator constant.
If you absolutely must use System.getProperty() to fetch this value, it should at least be done from a doPrivileged() block.
Also I had a quick check of Commons Collections 4 to see if this issue had been fixed, but couldn't immediately see what happened to this class. If it did turn out to have been fixed in v4, maybe Velocity could be encouraged to update to v4, but I haven't seen any updates from them in 4 years, so it's probably not a good sign.