RFR: 8319332: Security properties files inclusion [v7]
Weijun Wang
weijun at openjdk.org
Fri Apr 19 13:04:59 UTC 2024
On Fri, 19 Apr 2024 12:58:32 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:
>> src/java.base/share/classes/java/security/Security.java line 256:
>>
>>> 254: } else if (Files.isDirectory(path)) {
>>> 255: throw new IOException("Is a directory");
>>> 256: } else {
>>
>> When would this happen?
>
> Hi @wangweij, to complement @martinuy's answer, the following commands can trigger this error message in the different described contexts:
>
> java -Djava.security.properties=file:///etc -XshowSettings:security:properties -Djava.security.debug=properties 2>&1 | head -22
> java -Djava.security.properties==/etc -XshowSettings:security:properties -Djava.security.debug=properties 2>&1 | head -22
> java -Djava.security.properties==<(echo include /etc) -XshowSettings:security:properties
>
>
> This is also exercised by the test case:
> https://github.com/openjdk/jdk/blob/d414fd56e583f321aaa944b61e27631b225b9fa3/test/jdk/java/security/Security/ConfigFileTest.java#L241-L245
Oh, I meant the final `else`. What does it mean if a file is neither "regular" nor "directory"? Also I don't quite understand why one uses `toRealPath` and one uses `toAbsolutePath`. Is this related to resolving a symlink?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1572336738
More information about the security-dev
mailing list