RFR: JDK-8243376: java.net.SocketPermission.implies(Permission p) spec is mismatching with implementation [v4]

Michael McMahon michaelm at openjdk.java.net
Mon Feb 8 14:45:42 UTC 2021


On Fri, 5 Feb 2021 11:50:01 GMT, Jayashree S Kumar <github.com+31532647+jaysk1 at openjdk.org> wrote:

>> Issue
>> 
>> https://bugs.openjdk.java.net/browse/JDK-8243376
>> 
>> Problem
>> 
>> The scenario is: 
>> - Some specified target hostname resolves to two IP addresses (always the same address pair). 
>> - The DNS resolved order of the two IP addresses changes (a usual LoadBalancer type behavior). 
>> - The CNAME of the two IP addresses differ. 
>> 
>> In the SocketPermission class (void getIP() method), it internally resolves and saves only the first IP address resolved, not all the IP addresses resolved. 
>> - Depending on when the implier/implied SocketPermission hostname is resolved, the resolved addresses order differs, and the internally saved IP address mismatches, resulting in SocketPermission#implies() false. 
>> 
>> 
>> Michael McMahon kindly reviewed and suggested changes: https://mail.openjdk.java.net/pipermail/net-dev/2020-May/014001.html
>
> Jayashree S Kumar has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Code Review: cname made array accounting for multiple cname values

Changes requested by michaelm (Reviewer).

src/java.base/share/classes/java/net/SocketPermission.java line 674:

> 672:             }
> 673:         } catch (UnknownHostException uhe) {
> 674:             invalid = true;

The try() catch{} should be inside the for loop because each lookup failure should be handled independently. If any of them fails then set that cnames entry to null. The check for cname in the match() method needs to check for null and return false in that case. At the end of the loop then check if at least one cname exists. If there are none, then invalid can be set to true.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1916
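
The restructuring requested in the review comment above, as an added sketch that is not part of the original e-mail or of the pull request. `canonicalName`, the `REVERSE` table, `allFailed` and the equality-based `match` are hypothetical stand-ins for the real lookup and matching code, and the addresses and host names are constructed.

```java
import java.net.UnknownHostException;
import java.util.Map;

public class CnameLookupSketch {
    // Constructed data: address -> canonical name; a missing entry models a failed lookup.
    static final Map<String, String> REVERSE = Map.of("192.0.2.10", "lb-a.example.com");

    // Hypothetical stand-in for the per-address canonical-name lookup.
    static String canonicalName(String addr) throws UnknownHostException {
        String name = REVERSE.get(addr);
        if (name == null) throw new UnknownHostException(addr);
        return name;
    }

    // try/catch inside the loop: one failed lookup nulls only its own entry.
    static String[] resolveCnames(String[] addrs) {
        String[] cnames = new String[addrs.length];
        for (int i = 0; i < addrs.length; i++) {
            try {
                cnames[i] = canonicalName(addrs[i]);
            } catch (UnknownHostException uhe) {
                cnames[i] = null;
            }
        }
        return cnames;
    }

    // Invalid only when no lookup produced a canonical name.
    static boolean allFailed(String[] cnames) {
        for (String c : cnames) if (c != null) return false;
        return true;
    }

    // Null-safe comparison: a failed entry never matches (simplified to equality).
    static boolean match(String cname, String hname) {
        return cname != null && cname.equalsIgnoreCase(hname);
    }

    public static void main(String[] args) {
        // Same address pair in both DNS orders; the second address has no name.
        for (String[] order : new String[][] {
                {"192.0.2.10", "192.0.2.11"}, {"192.0.2.11", "192.0.2.10"}}) {
            String[] cnames = resolveCnames(order);
            boolean hit = false;
            for (String c : cnames) hit |= match(c, "lb-a.example.com");
            System.out.println("invalid=" + allFailed(cnames) + " match=" + hit);
        }
    }
}
```

With every resolved address kept and failures isolated per entry, the result is the same for both resolution orders, which is the property the bug report says the single saved address lacks.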

