RFR: 8329213: Better validation for com.sun.security.ocsp.useget option [v2]
Sean Mullan
mullan at openjdk.org
Thu Mar 28 18:56:31 UTC 2024
On Thu, 28 Mar 2024 18:26:05 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 239:
>>
>>> 237: * will be returned.
>>> 238: */
>>> 239: public static boolean privilegedGetBooleanProp(String prop, boolean def, Debug dbg) {
>>
>> It probably makes more sense to put this method in the `GetBooleanAction` class.
>
> I thought so first too, but decided that `GetPropertyAction` is a better place for it, because it needs the generic `privilegedGetProperty`. It is also adjacent to `privilegedGetTimeoutProp` that returns `int`. Makes sense?

Right, that's a good point because you need to get the string value of the property and not a boolean directly. Ok then.

For a test, what do you think about adding another @run line to `GetAndPostTest` like:

`* @run main/othervm -Dcom.sun.security.ocsp.useget=flase GetAndPostTests`

and also modifying the POST code of test/jdk/java/security/testlibrary/SimpleOCSPServer.java to check that when the request is less than 255 bytes, the system property is set to "false" and nothing else? The server runs in the same process as the test, so I think that should work.

This would help eliminate the possibility of the property accidentally not working in the future and reverting to GET instead of POST.

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18525#discussion_r1543488316
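
An added example, not code from the PR or the JDK: it shows how a lenient boolean parse and a strict parse that falls back to a default diverge on a misspelled value such as the `flase` in the proposed `@run` line. The class and method names are hypothetical, and the default of `true` for the property is an assumption made for this demo.

```java
// Added example: hypothetical strict parser, not the JDK's GetPropertyAction code.
public class StrictBooleanProp {

    /**
     * Reads a boolean system property from its string value.
     * Returns def when the property is unset or is neither "true" nor "false"
     * (case-insensitive), and reports the unrecognized value.
     */
    static boolean strictBooleanProp(String prop, boolean def) {
        String raw = System.getProperty(prop);
        if (raw == null) {
            return def;
        }
        if (raw.equalsIgnoreCase("true")) {
            return true;
        }
        if (raw.equalsIgnoreCase("false")) {
            return false;
        }
        System.err.println("Warning: unrecognized value '" + raw + "' for "
                + prop + ", using default " + def);
        return def;
    }

    public static void main(String[] args) {
        String prop = "com.sun.security.ocsp.useget";
        boolean def = true; // assumed default, for this demo only

        // Constructed sample values, including misspellings.
        String[] samples = {"true", "false", "FALSE", "flase", "ture", ""};

        for (String value : samples) {
            System.setProperty(prop, value);
            // Boolean.getBoolean is true only for "true" (ignoring case);
            // every other string, misspelled or not, silently becomes false.
            boolean lenient = Boolean.getBoolean(prop);
            boolean strict = strictBooleanProp(prop, def);
            System.out.printf("value=%-7s lenient=%-5b strict=%b%n",
                    "\"" + value + "\"", lenient, strict);
        }
    }
}
```

Running it prints one line per sample value, so the rows where the two parsers disagree are the misspelled or empty inputs a regression test should pin down.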