NPE is used in javax.security.auth.Subject for flowcontrol
Mkrtchyan, Tigran
tigran.mkrtchyan at desy.de
Fri Apr 24 08:21:18 UTC 2020
Dear Java-SE security developers,
Imagine a following code:
```
Subject s1 = ... ;
Subject s2 = ... ;
s2.getPrincipals().addAll(s1.getPrincipals());
```
The Subject's SecureSet.addAll checks that provided Set doesn't contains 'null' values
by calling collectionNullClean, which calls SecureSet#contains:
```
try {
hasNullElements = coll.contains(null);
} catch (NullPointerException npe) {
```
The SecureSet#contains itself checks for 'null' values, the NPE is always generated.
This as introduced by commit e680ab7f208e
https://hg.openjdk.java.net/jdk/jdk/diff/e680ab7f208e/jdk/src/share/classes/javax/security/auth/Subject.java
As SecureSet doesn't allow null values, it will be much simpler to return false right away:
```
public boolean contains(Object o) {
if (o == null) {
// null values rejected by add
return false;
}
...
}
```
Thanks in advance,
Tigran.
More information about the security-dev
mailing list