Request for review: regression in jar url evaluation between JDK6 and OpenJDK7
Omair Majid
omajid at redhat.com
Thu May 12 20:08:01 UTC 2011
On 05/12/2011 03:31 PM, Sean Mullan wrote:
> Hi Omair,
>
> Did you also file a corresponding bug report with this patch? I cannot
> find one. That would have helped, as it would have been less likely to
> have been missed.
>
No, I normally wait for an OpenJDK dev to look at the fix, comment and
file a bug against the best component. It often turns out that my
understanding of the bug is incomplete :)
> I can file a bug on your behalf, or you can file one yourself via
> http://bugs.sun.com/bugdatabase/index.jsp but I can't make any
> guarantees this will get into JDK 7 at this point as we are really only
> concentrating on fixing critical showstopper bugs.
>
First of all, do you agree that this is a problem/regression that
should be addressed? Is the fix correct? I would appreciate it if you
could file the bug - I believe only Oracle developers have the necessary
privileges to make bugs public and assign them to themselves.
As for the fix getting into OpenJDK, as long as this fix gets into some
OpenJDK branch, I am fine. I am not too bothered if it gets into
OpenJDK8 or OpenJDK7 (or an OpenJDK7 update). It's really up to you guys
whether you want it in (proprietary) JDK7 or not - though I expect some
users of the proprietary JDK7 will be affected by this.
> Thanks,
> Sean
>
No, _thank you_ for taking some time to look at the bug. I appreciate
your efforts in trying to resolve this.
Cheers,
Omair
> On 5/12/11 1:49 PM, Omair Majid wrote:
>> Hi,
>>
>> Deepak Bhole posted this bug on the openjdk bugzilla a little while ago,
>> but it seems to have fallen through the cracks:
>>
>> https://bugs.openjdk.java.net/show_bug.cgi?id=100142
>>
>> The bug report contains a test case and a patch for a regression in how
>> jar urls are evaluated for security. With the Oracle JDK6, the result is:
>>
>> $ /usr/java/latest/bin/java JarProtocolPermissionTest
>> jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has java.security.AllPermission? : true
>>
>> While a recent build of OpenJDK7 gives a different result:
>>
>> $ /home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/bin/java JarProtocolPermissionTest
>> jar:file:/home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/jre/lib/ext/foo.jar!/ has java.security.AllPermission? : false
>>
>> Is there anything I can do to get this in OpenJDK7?
>>
>> Thanks,
>> Omair