Request for review: regression in jar url evaluation between JDK6 and OpenJDK7

Omair Majid omajid at
Thu May 12 10:49:41 PDT 2011


Deepak Bhole posted this bug on the OpenJDK Bugzilla a little while ago,
but it seems to have fallen through the cracks:

The bug report contains a test case and a patch for a regression in how
jar URLs are evaluated for security. With the Oracle JDK6, the result is:

$ /usr/java/latest/bin/java JarProtocolPermissionTest
jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has : true

While a recent build of OpenJDK7 gives a different result:

has : false

Is there anything I can do to get this in OpenJDK7?


More information about the security-dev mailing list