RFR: 8319332: Security properties files inclusion [v18]

Martin Balao mbalao at openjdk.org
Wed Aug 7 18:25:36 UTC 2024


On Wed, 7 Aug 2024 17:44:44 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Francisco Ferrari Bihurriet has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Throw an IllegalArgumentException exception if Security.setProperty("include", ...) is invoked.
>>   
>>   Co-authored-by: Martin Balao <mbalao at redhat.com>
>>   Co-authored-by: Francisco Ferrari Bihurriet <fferrari at redhat.com>
>
> src/java.base/share/classes/java/security/Security.java line 241:
> 
>> 239:             try {
>> 240:                 Path path = Path.of(expPropFile);
>> 241:                 if (!path.isAbsolute()) {
> 
> So you allow a properties file on the net to include a local absolute path file. Is this intended?

Yes, that's intended. Files obtained from a URL have no issues with having absolute-path includes. The only restriction for them is not to have relative includes, as there isn't a file path base to resolve it.

> src/java.base/share/conf/security/java.security line 45:
> 
>> 43: # "include" definition, if local. Paths may contain system properties for
>> 44: # expansion in the form of ${system.property}. If a system property does
>> 45: # not have a value, it expands to the empty string.
> 
> I mentioned this in a previous comment, but if java.security.properties points to an HTTP URL, can it still include a local file with absolute path?

Yes, that's intended as said above.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1707612026
PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1707614207
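
The include resolution rule discussed in this thread, as an added example that is not code from the pull request or from the JDK: absolute includes are accepted whatever the origin of the including file, relative includes need a local base directory, and ${system.property} without a value expands to the empty string. The class and method names, the demo.* property names, the POSIX paths and the choice of IllegalArgumentException for the rejected case are assumptions made for this illustration.

```java
import java.nio.file.Path;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IncludeResolution {
    private static final Pattern PROP = Pattern.compile("\\$\\{([^}]+)\\}");

    // Expand ${system.property}; a property without a value expands to "".
    static String expand(String value) {
        Matcher m = PROP.matcher(value);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            String v = System.getProperty(m.group(1), "");
            m.appendReplacement(sb, Matcher.quoteReplacement(v));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    // localBase: directory of the including file, or null when that file
    // was obtained from a URL and so has no file path base (hypothetical
    // parameter, not the JDK's own representation).
    static Path resolveInclude(String include, Path localBase) {
        Path path = Path.of(expand(include));
        if (path.isAbsolute()) {
            // Accepted for local and URL-loaded files alike.
            return path.normalize();
        }
        if (localBase == null) {
            // Exception type is this example's choice.
            throw new IllegalArgumentException(
                "relative include with no file path base: " + include);
        }
        return localBase.resolve(path).normalize();
    }

    public static void main(String[] args) {
        System.setProperty("demo.conf.dir", "/etc/demo");   // constructed value
        Path base = Path.of("/opt/jdk/conf/security");      // constructed value
        System.out.println(resolveInclude("extra.properties", base));
        System.out.println(resolveInclude("${demo.conf.dir}/fips.properties", null));
        System.out.println(resolveInclude("/etc/${demo.unset}x.properties", null));
        try {
            resolveInclude("extra.properties", null);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second and third calls model a properties file obtained from a URL: its absolute includes resolve to local files, so whoever controls that URL chooses which local properties files are read.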


