RFR: 8281561: Disable http DIGEST mechanism with MD5 by default [v2]
Daniel Fuchs
dfuchs at openjdk.java.net
Wed Mar 9 15:56:03 UTC 2022
On Wed, 9 Mar 2022 15:18:02 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:
>> Michael McMahon has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - update
>> - update after first review round
>
> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 85:
>
>> 83: public String run() {
>> 84: return Security.getProperty(secPropName)
>> 85: .replaceAll("\\s", "")
>
> `Security.getProperty` may return `null`, so replacement should only be made after checking that it is non-null.

Maybe `String.trim()` should be called on each element after splitting instead: you want to remove spaces before and after commas, not necessarily spaces within a name. "MD 5, SHA-256" probably shouldn't be parsed as "MD5,SHA-256".
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
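
The two parsing strategies discussed in this message, side by side, as an added example that is not part of the original e-mail or the JDK source. The class name, method names and the property name are hypothetical; only `Security.getProperty`, `replaceAll("\\s", "")` and `String.trim()` come from the review.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

public class DisabledAlgorithmsParsing {

    // Strategy from the quoted snippet, with the null guard the review asks for:
    // every whitespace character is removed before the value is split on commas.
    static List<String> parseStrippingAllWhitespace(String value) {
        if (value == null) {
            return List.of();
        }
        return Arrays.stream(value.replaceAll("\\s", "").split(","))
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    // Strategy suggested in the reply: split on commas first, then trim each
    // element, so whitespace inside a name is preserved.
    static List<String> parseTrimmingEachElement(String value) {
        if (value == null) {
            return List.of();
        }
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Hypothetical property name, never set, so getProperty returns null here.
        String secPropName = "example.http.digest.disabledAlgorithms";
        String unset = Security.getProperty(secPropName);
        System.out.println("unset, stripped: " + parseStrippingAllWhitespace(unset));
        System.out.println("unset, trimmed:  " + parseTrimmingEachElement(unset));

        // Constructed value taken from the example in the message.
        Security.setProperty(secPropName, "MD 5, SHA-256");
        String configured = Security.getProperty(secPropName);
        // Stripping all whitespace turns the malformed entry "MD 5" into "MD5".
        System.out.println("stripped: " + parseStrippingAllWhitespace(configured));
        // Trimming per element keeps "MD 5" as written, so it matches no algorithm name.
        System.out.println("trimmed:  " + parseTrimmingEachElement(configured));
    }
}
```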