RFR: 8319332: Security properties files inclusion [v18]
Martin Balao
mbalao at openjdk.org
Wed Aug 7 18:50:36 UTC 2024
On Wed, 7 Aug 2024 18:40:53 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Yes, that's intended. Files obtained from a URL have no issues with having absolute-path includes. The only restriction for them is not to have relative includes, as there isn't a file path base to resolve it.
>
> So you deploy some properties files locally but only use a remote file to decide which one to include? This is quite creative.
Yes, there are many combinations possible that may only apply to very specific cases. If a file brought from a URL includes something local, the system administrator has some knowledge or assumption about the context in which a served file will be used. I personally discourage the use of remote files anyways.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1707670088
More information about the security-dev
mailing list