RFR: 8211752: JNU_ThrowIOExceptionWithLastErrorAndPath - enhance some IOExceptions with path causing the issue

Sean Mullan sean.mullan at oracle.com
Thu Nov 8 19:36:09 UTC 2018 

On 11/7/18 3:52 AM, Baesken, Matthias wrote:
>> Sorry, I haven't had time to look at this in more detail yet. But, let's
>> take a step back first. Can you or Matthias explain in more detail why
>> this fix is necessary? What are the use cases and motivation?
> 
> Hello,
>      adding paths  (or maybe more details)  to exception messages just makes analyzing errors easier.
> You do not get just "Bad path",  but also the real bad path which gives you a hint where to look and analyze further .

File paths are, in general, always something that demands extra scrutiny 
as it can be the source of security issues (privacy leaks, traversal 
attacks, etc). It's not just me that thinks that way, you can do a 
search on the Internet and find lots of references.

> That's why we introduced it in our JVM ages ago.
> I have to agree that additionally  printing cwd / user.dir is a bit special,  so I omit that from this revision of the patch.
> This makes the patch more simple.
> New revision :
> 
> http://cr.openjdk.java.net/~mbaesken/webrevs/8211752.1/
> 
> 
> Unfortunately the usage of sun.security.util.SecurityProperties  (which was considered)  in the  static { ... }
> class initializers (e.g. UnixFileSystem.java) just does not work.
> It fails with already in the build (!) with :
> 
> Error occurred during initialization of boot layer
> java.lang.ExceptionInInitializerError
> Caused by: java.lang.NullPointerException
> 
> (seems it is too early in the game for SecurityProperties).
> (btw. this is another  NOT very helpful exception error message)
> 
> 
> So I unfortunately had to go back to using system properties.
> 
> 
> Btw. another question regarding path output in exceptions  :
> you seem to consider it a bad thing  to (unconditionally) print paths in the exception messages,
> but then on the other hand we have  it  already in OpenJDK UnixFileSystem_md.c :
> 
>   269 JNIEXPORT jboolean JNICALL
>   270 Java_java_io_UnixFileSystem_createFileExclusively(JNIEnv *env, jclass cls,
>   271                                                   jstring pathname)
>   272 {
>   .......
>   277         /* The root directory always exists */
>   278         if (strcmp (path, "/")) {
>   279             fd = handleOpen(path, O_RDWR | O_CREAT | O_EXCL, 0666);
>   280             if (fd < 0) {
>   281                 if (errno != EEXIST)
>   282                     JNU_ThrowIOExceptionWithLastError(env, path);
>   283             } else {
>   284                 if (close(fd) == -1)
>   285                     JNU_ThrowIOExceptionWithLastError(env, path);
> 
> 
> Why is it fine here for a long time , but considered harmful at the other places ?
> If we want to be consistent, we should then  write  "Bad path" here (or  allow the path output at the other places too ).

It might be perfectly fine and your usage might be ok too. But I'll need 
some time to evaluate it further. I am not familiar with the code in 
this part of the JDK.

I would also see if you can think about the security issues as well. 
Where do these paths come from? What are the application use cases that 
invoke these lower methods? From application code or elsewhere? Are 
relative paths used? Are paths containing ".." canonicalized? Are they 
arbitrary paths or a fixed set of paths? Do they ever contain sensitive 
information like home directory user names, etc?

Once we understand if there are any security issues, then we can decide 
if allowing that via a system property is acceptable or not, and if so 
the security risks that we would have to document for that property.

Thanks,
Sean

> 
> 
> Thanks, Matthias
> 
> 
> 
>> -----Original Message-----
>> From: Sean Mullan <sean.mullan at oracle.com>
>> Sent: Freitag, 12. Oktober 2018 17:19
>> To: Langer, Christoph <christoph.langer at sap.com>; Baesken, Matthias
>> <matthias.baesken at sap.com>; Alan Bateman <Alan.Bateman at oracle.com>;
>> security-dev at openjdk.java.net; core-libs-dev at openjdk.java.net
>> Subject: Re: RFR: 8211752: JNU_ThrowIOExceptionWithLastErrorAndPath -
>> enhance some IOExceptions with path causing the issue
>>
>> On 10/12/18 10:33 AM, Langer, Christoph wrote:
>>> Sean, what is your take on this?
>>
>> Sorry, I haven't had time to look at this in more detail yet. But, let's
>> take a step back first. Can you or Matthias explain in more detail why
>> this fix is necessary? What are the use cases and motivation? The bug
>> report doesn't go into any detail about that and there isn't anything
>> in the initial RFR email that explains why this change is useful or
>> necessary. As a general guideline or advice, RFEs should include this
>> type of information so that Reviewers understand more of the context and
>> motivation behind the change.
>>
>> Thanks,
>> Sean

More information about the core-libs-dev mailing list