RFR: JDK-8288207: Enhance MalformedURLException in Uri.parseCompat

Matthias Baesken mbaesken at openjdk.java.net
Fri Jun 10 13:44:58 UTC 2022


On Fri, 10 Jun 2022 13:15:11 GMT, Alan Bateman <alanb at openjdk.org> wrote:

> We have to be cautious about leaking security sensitive configuration in exception messages. Can you look at the security property jdk.includeInException (conf/security/java.security) and usages in the JDK for ideas on how this might be implemented as opt-in?

Hi Alan, sure, we could use something like the already existing hostInfo of property jdk.includeInException
      private static final boolean enhancedExceptionText = SecurityProperties.includedInExceptions("hostInfo");
and make the enhancement optional/switchable this way.
On the other hand we already print the url (_**Cannot parse url: ldap://ad_jbs.ttt.net:389/xyz**_) in the existing exception text so I wonder what additional problem the added info would bring? That's why I did not use the property so far.
But if you think there could be special cases where it would be problematic to have the enhancement, I'll add the usage of the property.

-------------

PR: https://git.openjdk.org/jdk/pull/9126
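
The opt-in gating discussed in this message, sketched as an added example (not code from the PR or from the JDK). The class `OptInExceptionDetail`, its methods and the sample URL are hypothetical; the property lookup is a simplified stand-in for the JDK-internal `SecurityProperties.includedInExceptions`, assuming a comma-separated category list in `jdk.includeInException`.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Security;
import java.util.Arrays;

public class OptInExceptionDetail {

    // Simplified stand-in for the JDK-internal helper: true when the given
    // category appears in the jdk.includeInException security property.
    static boolean includedInExceptions(String category) {
        String value = Security.getProperty("jdk.includeInException");
        if (value == null) {
            return false;
        }
        return Arrays.stream(value.split(","))
                     .map(String::trim)
                     .anyMatch(category::equalsIgnoreCase);
    }

    // Hypothetical parse step: the base message matches the existing text
    // quoted in the thread; the parser's reason is appended only on opt-in.
    static URI parse(String url) throws MalformedURLException {
        try {
            return new URI(url);
        } catch (URISyntaxException e) {
            String msg = "Cannot parse url: " + url;
            if (includedInExceptions("hostInfo")) {
                msg += " (" + e.getReason() + ", index " + e.getIndex() + ")";
            }
            MalformedURLException mue = new MalformedURLException(msg);
            mue.initCause(e);
            throw mue;
        }
    }

    public static void main(String[] args) {
        String bad = "ldap://host name:389/xyz"; // constructed sample input
        for (String setting : new String[] {"", "hostInfo"}) {
            Security.setProperty("jdk.includeInException", setting);
            try {
                parse(bad);
            } catch (MalformedURLException e) {
                System.out.println("[" + setting + "] " + e.getMessage());
            }
        }
    }
}
```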


