RFD: FTP fallback of the 'file:' URL scheme

Eirik Bjørsnøs eirbjo at gmail.com
Sat Mar 29 16:48:37 UTC 2025


Hi,

The long-standing FTP fallback feature supported by the 'file:' URL scheme
handler seems dubious to me:

1: It does not follow the principle of least surprise. At least for me,
it's a reasonable expectation that a file: URL should only interact with
files using only the file system. The current behavior may have made sense
in the early days of the JDK; today it seems a bit of an oddity.

2: It makes it harder to reason about security implications when a file:
URL can be used to open a network connection to remote hosts.

3: Using the 'ftp:' scheme explicitly seems a better option if anyone
really wants to connect using FTP.

4: While RFC 8089 [1] does define non-local file URLs, it has little to say
about their operations other than explicitly not "defining or forbidding"
them. The security consideration section mentions that "attempting to
perform local operations on a non-local URI, can result in security
problems."

May I suggest that we introduce a system property for this feature,
initially enabled by default? Users concerned by this feature may then use
this property to disable it. At a later point, we may consider switching
the default to false, in which case the same property may be used to
re-enable the feature.

The feature seems undocumented, but given Hyrum's law, we can probably
expect there is code out there relying on it, however rare FTP has become
these days.

Cheers,
Eirik

[1] https://www.rfc-editor.org/rfc/rfc8089.html
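
Added example, not part of the original message and not JDK code: a caller-side guard that accepts a file: URI only when its authority is absent, empty or "localhost", so a URI naming a remote host is refused before anything is opened. The class and method names are hypothetical, and ftp.example.com is a placeholder host in constructed sample input.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;

public class LocalFileUriCheck {

    /**
     * Hypothetical helper: true only for file: URIs that cannot name a
     * remote host, i.e. authority absent, empty or "localhost".
     */
    static boolean isLocalFileUri(URI uri) {
        if (!"file".equalsIgnoreCase(uri.getScheme())) {
            return false; // other schemes (ftp:, http:, ...) are handled elsewhere
        }
        // Use the raw authority rather than getHost(): getHost() is null for
        // authorities that do not parse as a server name, which would hide them.
        String authority = uri.getRawAuthority();
        return authority == null
                || authority.isEmpty()
                || authority.toLowerCase(Locale.ROOT).equals("localhost");
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> samples = List.of(
                "file:///etc/hosts",                      // no authority
                "file:/etc/hosts",                        // no authority
                "file://localhost/etc/hosts",             // explicit local host
                "file://ftp.example.com/pub/readme.txt",  // non-local file URI
                "ftp://ftp.example.com/pub/readme.txt");  // not a file: URI
        for (String s : samples) {
            URI uri = URI.create(s);
            String verdict = isLocalFileUri(uri) ? "local file" : "REJECT";
            System.out.printf("%-42s %s%n", s, verdict);
        }
    }
}
```

Run the check on the URI before converting it with `toURL()` and calling `openConnection()` or `openStream()`.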