RFR: 8319332: Security properties files inclusion [v18]

Weijun Wang weijun at openjdk.org
Wed Aug 7 18:43:37 UTC 2024


On Wed, 7 Aug 2024 18:21:41 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> src/java.base/share/classes/java/security/Security.java line 241:
>> 
>>> 239:             try {
>>> 240:                 Path path = Path.of(expPropFile);
>>> 241:                 if (!path.isAbsolute()) {
>> 
>> So you allow a properties file on the net to include a local absolute path file. Is this intended?
>
> Yes, that's intended. Files obtained from a URL have no issues with having absolute-path includes. The only restriction for them is not to have relative includes, as there isn't a file path base to resolve it.

So you deploy some properties files locally but only use a remote file to decide which one to include? This is quite creative.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1707655529


