RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]
Alan Bateman
alanb at openjdk.org
Fri May 17 06:24:07 UTC 2024
On Thu, 16 May 2024 22:20:39 GMT, Joe Wang <joehw at openjdk.org> wrote:
>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than jaxp.properties in previous versions such as JDK 22
>>
>>> jaxp-compat.properties: used to regain compatibility from any more restricted configuration than previous versions such as JDK 22
>>
>> Updated 5/16/2024
>>
>> Design change:
>> The design is changed to include in the JDK two configuration files that are the default jaxp.properties and jaxp-strict.properties, instead of three, dropping jaxp-compat.properties.
>
> Joe Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> remove jaxp-compat.properties from the list
src/java.xml/share/conf/jaxp-strict.properties line 9:
> 7: # test the more secure/strict behavior, identify issues such as a processor
> 8: # unknowingly makes outbound network connections to fetch DTD, or processes XML
> 9: # that relies on extension functions.
There isn't a JEP to propose that XML processing be secure by default on the technical roadmap right now so I think this paragraph will need to be tweaked to avoid making any assumptions. I think just say that the file provides the settings for more secure XML processing and drop the text about testing (and "and create your own configuration file for the experiment" from the paragraph below).
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1604405287
More information about the build-dev
mailing list