RFR [11] 8207846: Generalize the jdk.net.includeInExceptions security property

Roger Riggs roger.riggs at oracle.com
Fri Jul 20 13:52:29 UTC 2018


Hi Chris,

It is very unusual for the processing of system properties to do *any* parsing except for delimiters, including removing spaces, etc.  It complicates the handling and sets a bad precedent that makes it more complex for users and developers to know how to set property values.
The whitespace trimming should be removed.

$.02, Roger


On 7/20/18 7:38 AM, Chris Hegarty wrote:
> JDK-8204233 added a new security property, `jdk.net.includeInExceptions`,
> to include additional, potentially security sensitive, information in
> exception detail messages in the networking area. The property accepts a
> comma separated list of values that specifies the particular type of
> extra detail information to add.
>
> Since its addition, in JDK 11, further uses have arisen to include
> additional, potentially security sensitive, information in exception
> detail messages in other areas, namely the java.util.jar APIs. See
> JDK-8205525, and http://mail.openjdk.java.net/pipermail/core-libs-dev/2018-July/054284.html
>
> Given that this mechanism will likely be used more generally across
> different parts of the platform, it seems prudent to rename the property
> to be less area-specific, thus allowing for additional argument values
> to be specified, like for example `jarPath`.
>
> The following are the suggested changes to the java.security file:
>
> $ hg extdiff -p diff -o -C1 src/java.base/share/conf/security/java.security
> *** 1062,1074 ****
>    
>    #
> ! # Enhanced exception message text
>    #
> ! # By default, socket exception messages do not include potentially sensitive
> ! # information such as hostnames or port numbers. This property may be set to one
> ! # or more values, separated by commas, and with no white-space. Each value
> ! # represents a category of enhanced information. Currently, the only category defined
> ! # is "hostInfo" which enables more detailed information in the IOExceptions
> ! # thrown by java.net.Socket and also the socket types in the java.nio.channels package.
> ! # The setting in this file can be overridden by a system property of the same name
> ! # and with the same syntax and possible values.
> ! #jdk.net.includeInExceptions=hostInfo
> --- 1062,1084 ----
>    
> +
> + #
> + # Enhanced exception message information
> + #
> + # By default, several exception messages do not include potentially sensitive
> + # information such as file names, host names, or port numbers. This property may
> + # be used to enable categories of enhanced information in exception messages.
> + # The property accepts one or more comma separated values, each of which
> + # represents a category of enhanced exception message information to enable.
> + # Values are case-insensitive. Leading and trailing whitespaces, surrounding
> + # each value, are ignored. Unknown values are ignored.
> + #
> + # The categories, to enable enhanced exception message information, are:
> + #
> + #  hostInfo - IOExceptions thrown by java.net.Socket and also the socket types
> + #                  in the java.nio.channels package will contain enhanced exception
> + #                  message information
>    #
> ! # The property setting in this file can be overridden by a system property of
> ! # the same name, with the same syntax and possible values.
>    #
> ! #jdk.includeInExceptions=hostInfo
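Review bot: the new semantics lines "Values are case-insensitive. Leading and trailing whitespaces, surrounding each value, are ignored. Unknown values are ignored." should spell out the consequence of the last sentence: a misspelled category produces no enhanced messages and no diagnostic. For a property that widens what exception text discloses, silently failing closed is the right direction, but administrators need to know that "a misspelled or unrecognised value has no effect" so they verify the setting rather than assume it took. Two smaller points in the same block: "whitespaces" should read "whitespace", and the removed line `#jdk.net.includeInExceptions=hostInfo` is replaced by `#jdk.includeInExceptions=hostInfo` without any mention that the former name is no longer read; a one-line note on the rename would help anyone who already set the JDK-8204233 name.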
>
>
> Full webrev:
>    http://cr.openjdk.java.net/~chegar/8207846/webrev.00/
>
> -Chris.
>
> P.S. It appears that jtreg does not support quoted system property values
> with spaces on the @run line. I’ll file an issue against jtreg for this.
>
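As an added illustration (not JDK code and not part of either mail), a small Java class that applies the parsing rules the proposed java.security comment documents (comma-separated, case-insensitive, trimmed, unknown values ignored) and shows their effect on a socket exception message; the class name, method names and sample property values are assumptions.

```java
import java.security.Security;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical reference implementation of the documented semantics of
// jdk.includeInExceptions. Only hostInfo is defined on the page.
public final class IncludeInExceptions {

    enum Category { HOST_INFO }

    /** System property of the same name overrides the java.security setting. */
    static String effectiveValue() {
        String sys = System.getProperty("jdk.includeInExceptions");
        return sys != null ? sys : Security.getProperty("jdk.includeInExceptions");
    }

    /** "hostInfo, HOSTINFO ,bogus" -> {HOST_INFO}; null or empty -> {}. */
    static Set<Category> parse(String value) {
        Set<Category> enabled = EnumSet.noneOf(Category.class);
        if (value == null) return enabled;
        for (String token : value.split(",")) {
            // leading/trailing whitespace around each value is ignored;
            // comparison is case-insensitive
            String t = token.trim().toLowerCase(Locale.ROOT);
            if (t.equals("hostinfo")) {
                enabled.add(Category.HOST_INFO);
            }
            // any other value is silently dropped: a typo fails closed, so no
            // extra detail is disclosed, but nothing tells the operator either
        }
        return enabled;
    }

    /** Exception text gains host and port only when hostInfo is enabled. */
    static String connectFailureMessage(Set<Category> enabled, String host, int port) {
        String base = "Connection refused";
        return enabled.contains(Category.HOST_INFO)
                ? base + " (" + host + ":" + port + ")"
                : base;
    }

    public static void main(String[] args) {
        // constructed sample value: mixed case, padding, and an undefined category
        String sample = " HostInfo , jarPath ";
        System.out.println(connectFailureMessage(parse(sample), "db.example.internal", 5432));
        System.out.println(connectFailureMessage(parse("hostsInfo"), "db.example.internal", 5432));
        System.out.println(parse(effectiveValue()));
    }
}
```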