[9] RFR 8159488 "Deprivilege java.xml.crypto" and 8161171 "Missed the make/common/Modules.gmk file when integrating JDK-8154191"
Valerie Peng
valerie.peng at oracle.com
Mon Jul 18 21:38:23 UTC 2016
Hi Sean,
I found these two classes in java.xml.crypto module reading local files:
src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/keys/storage/implementations/CertsInFilesystemDirectoryResolver.java
src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/JavaUtils.java
If you think the File reading permission is not needed for
java.xml.crypto module, I will remove the corresponding permission entry.
Thanks,
Valerie
On 7/18/2016 12:48 PM, Sean Mullan wrote:
> On 07/13/2016 08:10 PM, Valerie Peng wrote:
>> Sean,
>>
>> Can you please review the following two webrevs?
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8159488
>> Webrev: http://cr.openjdk.java.net/~valeriep/8159488/
>
> Looks good except for this one:
>
> 127 // needed for reading Certs
> 128 permission java.io.FilePermission "<<ALL FILES>>","read";
>
> Why is that needed?
>
>>
>> While making changes for 8159488, I noticed a problem with my earlier
>> putback of 8154191 - the top level Modules.gmk was not integrated.
>> So, I filed 8161171: Missed the make/common/Modules.gmk file when
>> integrating JDK-8154191.
>> Can you also review this? It's essentially the same change as the one
>> reviewed.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8161171
>> Webrev: http://cr.openjdk.java.net/~valeriep/8161171/webrev.00/
>
> I'll skip this since Mandy already reviewed that one.
>
> --Sean
More information about the security-dev
mailing list