RFR: 8356997: /etc/krb5.conf parser should not forbid include/includedir directives after sections
Mikhail Yankelevich
myankelevich at openjdk.org
Wed May 28 11:20:53 UTC 2025
On Fri, 23 May 2025 18:41:17 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> Several changes are made:
>
> 1. The "include" and "includedir" directives can appear everywhere, even inside a section or a sub-section. However, it only means the content is inserted here but the included file still needs its own full structure -- from section to subsections.
> 2. The same file can be included multiple times as long as not recursively.
> 3. Everything is merged. For duplicated values, `get` returns the first one and `getAll` returns all joined by spaces.
>
> Two new tests added. I also separately confirmed that they are parsed in the same way as [MIT krb5](https://github.com/krb5/krb5/blob/master/src/util/profile/test_parse.c). MIT krb5 ignores directory name after "include" but here it's an error.
src/java.security.jgss/share/classes/sun/security/krb5/Config.java line 774:
> 772: result.add(previous);
> 773: unwritten.forEach(result::add);
> 774: unwritten.clear();
I don't think this code is covered by the tests at all.
I have found 2 simple ways to test it:
1. change lines 62-66 in IncludeDup from
```java
for (var inc : List.of("outside", "beginsec", "insec", "insec2",
        "insubsec", "endsubsec", "endsec")) {
    Files.writeString(Path.of(inc), String.format("""
            [a]
            b = {
            c = %s
            }
            """, inc));
}
```
to
```java
for (var inc : List.of("outside", "beginsec", "insec", "insec2",
        "insubsec", "endsubsec", "endsec")) {
    Files.writeString(Path.of(inc), String.format("""
            [a]
            b =
            { c = %s
            }
            """, inc));
}
```
2. change `krb5.conf` EXAMPLE_3.COM from
```
EXAMPLE_3.COM = {
    kdc = kdc.example.com
    kdc = kdc2.example.com
    inner =
    {
        aaa = nnn
    }
}
```
to
```
EXAMPLE_3.COM = {
    kdc = kdc.example.com
    kdc = kdc2.example.com
    inner =
    { aaa = nnn
    }
}
```
There are other ways to cover this, as well as writing its own test case; however, I feel that it might be overkill for this.
What do you think?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25421#discussion_r2111597022
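
The brace layouts discussed in the review above, as an added example that is not part of the original message and is not the JDK's `Config.java` code: a simplified sketch of joining a leading `{` onto the preceding `key =` line, showing that all three layouts normalize to the same lines. The class `BraceLayoutDemo` and the method `normalize` are hypothetical names, and the sample inputs are constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class BraceLayoutDemo {
    // Hypothetical helper (not the JDK parser): a line starting with "{" is
    // appended to the previous "key =" line; anything after the "{" on that
    // same line becomes the next pending line.
    static List<String> normalize(String conf) {
        List<String> out = new ArrayList<>();
        String previous = null;
        for (String raw : conf.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) {
                continue; // skip blank lines and comments
            }
            if (line.startsWith("{")) {
                if (previous == null) {
                    throw new IllegalArgumentException("file must not start with \"{\"");
                }
                previous += " {";
                String rest = line.substring(1).trim();
                if (!rest.isEmpty()) {       // "{ c = v": brace and content share a line
                    out.add(previous);
                    previous = rest;
                }
            } else {
                if (previous != null) {
                    out.add(previous);
                }
                previous = line;
            }
        }
        if (previous != null) {
            out.add(previous);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the layouts in the review comment.
        List<String> sameLine  = normalize("[a]\nb = {\nc = outside\n}\n");
        List<String> braceOnly = normalize("[a]\nb =\n{\nc = outside\n}\n");
        List<String> braceText = normalize("[a]\nb =\n{ c = outside\n}\n");
        if (!sameLine.equals(braceOnly) || !sameLine.equals(braceText)) {
            throw new AssertionError("layouts normalized differently");
        }
        System.out.println(sameLine); // [[a], b = {, c = outside, }]
    }
}
```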