Do you have this example loaded on a web page somewhere, or could you attach the compiled class to the bug? Would make things easier. So Mozilla on Linux doesn't have this problem, only Firefox on Linux? The Linux-only part doesn't bother me if there's some bug in the JRE port, but I thought Mozilla and Firefox shared all the same Java glue code. I'd really like to blame this on Java, but if Mozilla works and Firefox doesn't... Kyle, any ideas?
Hi! Sorry, but I spent the last two weeks on holiday. About your questions:
- No, I don't have a web page anywhere, and I can't send you the compiled class because it's on my computer at the office. Maybe I will send it to you on Monday.
- Yes, only Firefox on Linux. Mozilla doesn't have this problem.
Bye, Ivano Picco
OK, I made a simple webpage with a working example of the bug. This is the link: http://www.mandrile-melis.it/aqupi-temp/java-bug/ It works: it loads the Google homepage (without images) and a local webpage.
Tested with Mozilla 1.7.2, Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803. This version HAS THE BUG TOO (is it a Gecko issue??). I learned much more about the URLConnection methods, and I found that it is possible to make an output connection with the same code I gave in the example above. See this link: http://www.ictp.trieste.it/~manuals/programming/Java/tutorial/networking/urls/readingWriting.html With this you can get any local file (/etc/passwd???) (because the applet is signed, so it's possible to get access to local files (it's correct behaviour)) and send it to any remote host (by the bug) different from the one from which the applet is loaded (also FTP).
Also tested in Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a4) Gecko/20040927; the bug is still here... Could you please confirm this bug?
Are you sure this isn't a JRE bug? Several sandbox vulnerabilities have been announced since your rather old version. Get 1.4.2_06 at least.
OK, it's true. I tried with:
java version "1.5.0_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_01-b08)
Java HotSpot(TM) Client VM (build 1.5.0_01-b08, mixed mode, sharing)
Thanks for your help.