Request for review: regression in jar url evaluation between JDK6 and OpenJDK7

Sean Mullan sean.mullan at
Thu May 12 12:31:32 PDT 2011

Hi Omair,

Did you also file a corresponding bug report with this patch? I cannot find one. 
That would have helped, as it would have been less likely to have been missed.

I can file a bug on your behalf, or you can file one yourself via but I can't make any guarantees this 
will get into JDK 7 at this point as we are really only concentrating on fixing 
critical showstopper bugs.


On 5/12/11 1:49 PM, Omair Majid wrote:
> Hi,
> Deepak Bhole posted this bug on the openjdk bugzilla a little while ago, but it
> seems to have fallen through the cracks:
> The bug report contains a test case and a patch for a regression in how jar urls
> are evaluated for security. With the Oracle JDK6, the result is:
> $ /usr/java/latest/bin/java JarProtocolPermissionTest
> jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has
> : true
> While a recent build of OpenJDK7 gives a different result:
> $
> /home/omajid/code/
> JarProtocolPermissionTest
> jar:file:/home/omajid/code/!/
> has : false
> Is there anything I can do to get this in OpenJDK7?
> Thanks,
> Omair
