Request for review: regression in jar url evaluation between JDK6 and OpenJDK7
Omair Majid
omajid at redhat.com
Thu May 12 17:49:41 UTC 2011
Hi,
Deepak Bhole posted this bug on the openjdk bugzilla a little while ago,
but it seems to have fallen through the cracks:
https://bugs.openjdk.java.net/show_bug.cgi?id=100142
The bug report contains a test case and a patch for a regression in how
jar urls are evaluated for security. With the Oracle JDK6, the result is:
$ /usr/java/latest/bin/java JarProtocolPermissionTest
jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has
java.security.AllPermission? : true
While a recent build of OpenJDK7 gives a different result:
$
/home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/bin/java
JarProtocolPermissionTest
jar:file:/home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/jre/lib/ext/foo.jar!/
has java.security.AllPermission? : false
Is there anything I can do to get this in OpenJDK7?
Thanks,
Omair
More information about the security-dev
mailing list