[security-dev 00647]: Re: Please review:

[Alan Bateman]

Weijun Wang wrote:
> Xuelei Fan wrote:
>   
>> Max,
>>
>> I'm not satisfied with the fix, it try to read the *first* 1024 files in
>> the "java.io.tmpdir", I don't know the order of the iterator of
>> java.nio.file.Path.newDirectoryStream(), but if the order sounds like by
>> name, by creation time, etc. I don't think the randomness is strong enough.
>>     
>
> Correct. On a server with too many tmp files not get deleted, the first
> 1024 will always be the same.
>
> New webrev:
>   http://cr.openjdk.java.net/~weijun/6705872/webrev.01/
>
> Now I choose the file for random. To be 100% identical to the old codes
> when there are not many files, I always choose the first 512 files.
>   
It's an awkward issue. Your proposed changes does reduce the randomness 
for directories with > 1024 entries but that probably isn't worth 
worrying about.

Two comments on the code:

1. The elements returned by the directory stream's iterator are Path 
objects that that the entry resolved against the directory. So if you 
are enumerating the entries in /var/tmp then the elements will represent 
/var/tmp/a, /var/tmp/b, etc. I assume you actually want 
path.getName().toString().getBytes().

2. The directory stream should be closed in a finally block (it's 
possible that the next/hasNext methods used by the iterator can throw an 
exception, in which case you would leave the directory stream open).

-Alan.