[security-dev 00648]: Re: Please review:

Weijun Wang Weijun.Wang at Sun.COM
Tue Mar 3 09:22:46 UTC 2009


Thanks, both suggestions accepted.

Max

Alan Bateman wrote:
> Weijun Wang wrote:
>> Xuelei Fan wrote:
>>  
>>> Max,
>>>
>>> I'm not satisfied with the fix, it try to read the *first* 1024 files in
>>> the "java.io.tmpdir", I don't know the order of the iterator of
>>> java.nio.file.Path.newDirectoryStream(), but if the order sounds like by
>>> name, by creation time, etc. I don't think the randomness is strong
>>> enough.
>>>     
>>
>> Correct. On a server with too many tmp files not get deleted, the first
>> 1024 will always be the same.
>>
>> New webrev:
>>   http://cr.openjdk.java.net/~weijun/6705872/webrev.01/
>>
>> Now I choose the file for random. To be 100% identical to the old codes
>> when there are not many files, I always choose the first 512 files.
>>   
> It's an awkward issue. Your proposed changes does reduce the randomness
> for directories with > 1024 entries but that probably isn't worth
> worrying about.
> 
> Two comments on the code:
> 
> 1. The elements returned by the directory stream's iterator are Path
> objects that that the entry resolved against the directory. So if you
> are enumerating the entries in /var/tmp then the elements will represent
> /var/tmp/a, /var/tmp/b, etc. I assume you actually want
> path.getName().toString().getBytes().
> 
> 2. The directory stream should be closed in a finally block (it's
> possible that the next/hasNext methods used by the iterator can throw an
> exception, in which case you would leave the directory stream open).
> 
> -Alan.
> 
> 
> 



More information about the security-dev mailing list