Request for review: regression in jar url evaluation between JDK6 and OpenJDK7

Omair Majid omajid at
Thu May 12 13:08:01 PDT 2011

On 05/12/2011 03:31 PM, Sean Mullan wrote:
> Hi Omair,
> Did you also file a corresponding bug report with this patch? I cannot
> find one. That would have helped, as it would have been less likely to
> have been missed.

No, I normally wait for an OpenJDK dev to look at the fix, comment and 
file a bug against the best component. It often turns out that my 
understanding of the bug is incomplete :)

> I can file a bug on your behalf, or you can file one yourself via
> but I can't make any
> guarantees this will get into JDK 7 at this point as we are really only
> concentrating on fixing critical showstopper bugs.

First of all, do you do agree that this is a problem/regression that 
should be addressed? Is the fix correct? I would appreciate it if you 
could file the bug - I believe only Oracle developers have the necessary 
privileges to make bugs public and assign it to themselves.

As for the fix getting into OpenJDK, as long as this fix gets into some 
OpenJDK branch, I am fine. I am not too bothered if it gets into 
OpenJDK8 or OpenJDK7 (or an OpenJDK7 update). It's really up to you guys 
whether you want it in (proprietary) JDK7 or not - though I expect some 
users of the proprietary JDK7 will be affected by this.

> Thanks,
> Sean

No, _thank you_ for taking some time to look at the bug. I appreciate 
your efforts in trying to resolve this.


> On 5/12/11 1:49 PM, Omair Majid wrote:
>> Hi,
>> Deepak Bhole posted this bug on the openjdk bugzilla a little while
>> ago, but it
>> seems to have fallen through the cracks:
>> The bug report contains a test case and a patch for a regression in
>> how jar urls
>> are evaluated for security. With the Oracle JDK6, the result is:
>> $ /usr/java/latest/bin/java JarProtocolPermissionTest
>> jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has
>> : true
>> While a recent build of OpenJDK7 gives a different result:
>> $
>> /home/omajid/code/
>> JarProtocolPermissionTest
>> jar:file:/home/omajid/code/!/
>> has : false
>> Is there anything I can do to get this in OpenJDK7?
>> Thanks,
>> Omair

More information about the security-dev mailing list