RFR: 8319332: Security properties files inclusion

Alan Bateman alanb at openjdk.org
Fri Nov 3 05:46:01 UTC 2023

On Thu, 2 Nov 2023 22:20:02 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> src/java.base/share/classes/java/security/Security.java line 243:
>>> 241:             if (connection instanceof FileURLConnection fileConnection) {
>>> 242:                 // A local file URL can be interpreted as a Path
>>> 243:                 loadFromPath(fileConnection.getFile().toPath(), mode);
>> Ugh, shouldn't be directly using FileURLConnection here. Instead I think you should check if the url scheme is "file" (equalsIgnoreCase). If it is then use `Path.of(url.toURI())`.
> Checking for _file_ in the URL scheme is not conclusive evidence that there is a local file path behind. I'll give a couple of examples. On Unix/Linux platforms, a URL of the form `file://example.com/path/to/some/file.txt` is processed with a remote FTP request (see Unix `sun.net.www.protocol.file.Handler`). On Windows, file URLs may be interpreted as UNCs but, if not possible, there is an FTP fallback (see Windows `sun.net.www.protocol.file.Handler`). While checking the host name in the URL is possible, there are three types of drawbacks: 1) a DNS query during the Security class initialization process should be avoided, 2) looking for hardcoded host names such as _localhost_ might lead to false negatives (i.e. a host is considered remote when it is not), and 3) there will be platform-specific and duplicated logic to deal with UNC file URLs. In addition, OpenJDK supports ill-formed relative path file URLs such as `file:some/relative/path`. In these cases, there is no host name but there is a local file path underneath (relative to the current working directory). We did not find normative elements in [RFC 8089](https://www.rfc-editor.org/rfc/rfc8089) for all previously described behaviors, which would have been helpful for a URL-based check. Misinterpreting a file URL as remote will unnecessarily block the possibility of relative path includes.
> We think that `FileURLConnection` is the most accurate indicator of a local file path because it includes the decision logic that is specific to OpenJDK and varies depending on the platform.

> Checking for file in the URL scheme is not conclusive evidence that there is a local file path behind. I'll give a couple of examples.

With NFS and other remote file systems then you can never tell either. Some of us have been wanting the ftp fallback to go away, it comes up every few years.

My concern is creating a dependency on a protocol handler implementation, we should make sure that all other options are explored before going there.


PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1381179403
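The thread contrasts two ways of deciding whether a `file:` URL names a local path: the scheme check plus `Path.of(url.toURI())` suggested in the review comment, and the PR's reliance on the `URLConnection` returned by the platform's file protocol handler. The following probe, an added illustration that is not code from the PR or from the JDK, runs both checks over the URL forms mentioned in the discussion (a plain absolute path, an explicit `localhost`, a remote host such as `example.com`, the relative form `file:some/relative/path`, and a non-file URL) and prints what each approach yields. The sample URLs are constructed; the class `FileUrlProbe` and its method names are assumptions of this example. `openConnection()` only creates the connection object, it does not contact the host, so no DNS or FTP traffic results from running it.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.file.Path;

// Added example (not from the PR or the JDK): compares a scheme-based check with
// the protocol-handler-based check for the file URL forms discussed in the thread.
public class FileUrlProbe {

    // Constructed sample URLs covering the forms named in the discussion.
    static final String[] SAMPLES = {
        "file:///tmp/java.security",                // absolute local path, no host
        "file://localhost/tmp/java.security",       // explicit localhost
        "file://example.com/path/to/some/file.txt", // remote host: FTP on Unix, UNC on Windows
        "file:some/relative/path",                  // ill-formed relative file URL, no host
        "https://example.com/java.security"         // not a file URL at all
    };

    /**
     * The approach from the review comment: accept only the "file" scheme and
     * convert via Path.of(url.toURI()). The opaque relative form has no hierarchical
     * path and is rejected with IllegalArgumentException; a URI carrying an authority
     * (the example.com form) is rejected by the Unix default file system provider but
     * mapped to a UNC path on Windows, which is the platform difference the thread
     * describes.
     */
    static String schemeThenPath(URL url) {
        if (!"file".equalsIgnoreCase(url.getProtocol())) {
            return "rejected: scheme is not file";
        }
        try {
            Path p = Path.of(url.toURI());
            return "Path.of -> " + p;
        } catch (IllegalArgumentException | URISyntaxException e) {
            return "rejected: " + e.getClass().getSimpleName() + " (" + e.getMessage() + ")";
        }
    }

    /**
     * The PR's approach, reduced to an observation: let the platform's file protocol
     * handler pick the URLConnection and report its class. Only the class name is
     * printed here; no connect() is ever called, so nothing leaves the machine.
     */
    static String handlerDecision(URL url) {
        try {
            URLConnection c = url.openConnection();
            return c.getClass().getName();
        } catch (IOException e) {
            return "IOException (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        for (String sample : SAMPLES) {
            URL url = URI.create(sample).toURL();
            System.out.println(sample);
            System.out.println("  scheme+Path.of : " + schemeThenPath(url));
            System.out.println("  handler chooses: " + handlerDecision(url));
        }
    }
}
```

Run it with `java FileUrlProbe.java` on the platforms of interest and compare the two columns line by line. The `example.com` row is the one to watch: the scheme check alone cannot tell a remote host from a local path without platform-specific host-name logic, while the handler column shows which connection type OpenJDK actually selects on that platform. The relative row shows the opposite failure mode the thread warns about, a URL with a usable local path that the URI conversion rejects.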
