RFR: 8329213: Better validation for com.sun.security.ocsp.useget option [v2]
Aleksey Shipilev
shade at openjdk.org
Thu Mar 28 19:48:55 UTC 2024
On Thu, 28 Mar 2024 18:53:34 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> I thought so first too, but decided that `GetPropertyAction` is a better place for it, because it needs the generic `privilegedGetProperty`. It is also adjacent to `privilegedGetTimeoutProp` that returns `int`. Makes sense?
>
> Right, that's a good point because you need to get the string value of the property and not a boolean directly. Ok then.
>
> For a test, what do you think about adding another @run line to `GetAndPostTest` like:
>
> `* @run main/othervm -Dcom.sun.security.ocsp.useget=flase GetAndPostTests`
>
> and also modifying the POST code of test/jdk/java/security/testlibrary/SimpleOCSPServer.java to check that when the request is less than 255 bytes, the system property is set to "false" and nothing else? The server runs in the same process as the test, so I think that should work.
>
> This would help eliminate the possibility of the property accidentally not working in the future and reverting to GET instead of POST.
This looks easy/safe enough to do. See new commits. New version passes the `GetAndPostTests` and the whole `jdk_security`. For sensitivity test, I broke the option parsing and observed that `GetAndPostTests` fails as expected.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18525#discussion_r1543552012
More information about the security-dev
mailing list