Request for review: regression in jar url evaluation between JDK6 and OpenJDK7

Sean Mullan sean.mullan at oracle.com
Thu May 12 12:31:32 PDT 2011


Hi Omair,

Did you also file a corresponding bug report with this patch? I cannot find one. 
That would have helped, as it would have been less likely to have been missed.

I can file a bug on your behalf, or you can file one yourself via 
http://bugs.sun.com/bugdatabase/index.jsp but I can't make any guarantees this 
will get into JDK 7 at this point as we are really only concentrating on fixing 
critical showstopper bugs.

Thanks,
Sean

On 5/12/11 1:49 PM, Omair Majid wrote:
> Hi,
>
> Deepak Bhole posted this bug on the openjdk bugzilla a little while ago, but it
> seems to have fallen through the cracks:
>
> https://bugs.openjdk.java.net/show_bug.cgi?id=100142
>
> The bug report contains a test case and a patch for a regression in how jar urls
> are evaluated for security. With the Oracle JDK6, the result is:
>
> $ /usr/java/latest/bin/java JarProtocolPermissionTest
> jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has
> java.security.AllPermission? : true
>
> While a recent build of OpenJDK7 gives a different result:
>
> $
> /home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/bin/java
> JarProtocolPermissionTest
> jar:file:/home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/jre/lib/ext/foo.jar!/
> has java.security.AllPermission? : false
>
> Is there anything I can do to get this in OpenJDK7?
>
> Thanks,
> Omair



More information about the security-dev mailing list