RFR: 8319332: Security properties files inclusion [v7]

Francisco Ferrari Bihurriet fferrari at openjdk.org
Fri Apr 19 13:01:03 UTC 2024


On Wed, 17 Apr 2024 14:30:02 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Francisco Ferrari Bihurriet has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 11 commits:
>> 
>>  - Merge 'openjdk/master' into JDK-8319332
>>  - Merge 'openjdk/master' into JDK-8319332
>>    
>>    Conflict in ConfigFileTest.java solved by keeping our file, which had
>>    been previously adjusted.
>>    
>>    Commands:
>>      git merge upstream/master
>>      git restore --ours -- test/jdk/java/security/Security/ConfigFileTest.java
>>      git add test/jdk/java/security/Security/ConfigFileTest.java
>>      git merge --continue
>>  - 8319332: Adjust code for JDK-8319673 changes
>>    
>>    JDK-8319673: Few security tests ignore VM flags
>>    
>>    Next, we will merge the openjdk/master branch and ignore the conflict in
>>    this file.
>>    
>>    Co-authored-by: Martin Balao <mbalao at redhat.com>
>>    Co-authored-by: Francisco Ferrari Bihurriet <fferrari at redhat.com>
>>  - 8319332: Update copyright and ConfigFileTest.java.
>>    
>>    Bump copyright year to 2024 in all the modified files.
>>    
>>    Remove leaked host name from children JVMs debug command.
>>    
>>    Extract Executor::addSystemPropertiesAsJvmArgs from Executor::execute
>>    and rename 'allJvmArgs' to 'command'. Also split class name and
>>    RUNNER_ARG addition to 'command' as two separated command.add() calls.
>>    
>>    Co-authored-by: Martin Balao <mbalao at redhat.com>
>>    Co-authored-by: Francisco Ferrari Bihurriet <fferrari at redhat.com>
>>  - Merge 'openjdk/master' into JDK-8319332
>>  - 8319332: Fix corner-case regression with bash pipe
>>    
>>    Extra properties files provided through bash pipes used to work before
>>    this enhancement, restore their behaviour.
>>    
>>    Also take advantage to use Files::isRegularFile, Files::isDirectory and
>>    Files::exists APIs instead of converting from Path to File.
>>    
>>    Linux reproducers (sub-shell, stdin, and combination of both):
>>    
>>    java -XshowSettings:security:properties                      \
>>         -Djava.security.properties==<(echo name=value)          \
>>         -Djava.security.debug=properties -version
>>    
>>    echo name=value | java -XshowSettings:security:properties    \
>>         -Djava.security.properties==/dev/stdin                  \
>>         -Djava.security.debug=properties -version
>>    
>>    echo name=value | java -XshowSettings:security:properties    \
>>         -Djava.security.properties==<(echo include /dev/stdin)  \
>>         -Djava.security.debug=properties...
>
> src/java.base/share/classes/java/security/Security.java line 256:
> 
>> 254:             } else if (Files.isDirectory(path)) {
>> 255:                 throw new IOException("Is a directory");
>> 256:             } else {
> 
> When would this happen?

Hi @wangweij, to complement @martinuy's answer, the following commands can trigger this error message in the different described contexts:

java -Djava.security.properties=file:///etc -XshowSettings:security:properties -Djava.security.debug=properties 2>&1 | head -22
java -Djava.security.properties==/etc -XshowSettings:security:properties -Djava.security.debug=properties 2>&1 | head -22
java -Djava.security.properties==<(echo include /etc) -XshowSettings:security:properties


This is also exercised by the test case:
https://github.com/openjdk/jdk/blob/d414fd56e583f321aaa944b61e27631b225b9fa3/test/jdk/java/security/Security/ConfigFileTest.java#L241-L245

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1572330885
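
The path checks discussed in this message, as an added sketch (not the JDK's Security.java and not code from this thread). PropsLoader and load() are hypothetical names, and reading non-regular files such as pipes as plain streams is an assumption based on the quoted commit message about bash pipes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.Properties;

// Added illustration only: hypothetical class, not the JDK implementation.
public class PropsLoader {

    // Classify the path before opening it, so that a directory is rejected
    // with a clear message instead of failing later inside the stream read.
    static Properties load(Path path) throws IOException {
        if (Files.isDirectory(path)) {
            throw new IOException("Is a directory");
        }
        if (!Files.exists(path)) {
            throw new NoSuchFileException(path.toString());
        }
        // Anything that exists but is not a regular file is a pipe or device,
        // e.g. /dev/stdin or a <(...) process substitution (assumption: such
        // inputs are simply read as a stream).
        boolean regular = Files.isRegularFile(path);
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        }
        System.out.println((regular ? "regular file" : "pipe/device") + ": " + props);
        return props;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: a temp file, its directory, a missing path.
        Path dir = Files.createTempDirectory("props-demo");
        Path file = Files.writeString(dir.resolve("extra.security"), "name=value\n");
        load(file);
        for (Path bad : new Path[] { dir, dir.resolve("missing") }) {
            try {
                load(bad);
            } catch (IOException e) {
                System.out.println(e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
        // Any path given as an argument is classified the same way.
        for (String arg : args) {
            load(Path.of(arg));
        }
    }
}
```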


