Request for review: regression in jar url evaluation between JDK6 and OpenJDK7

Sean Mullan sean.mullan at oracle.com
Thu May 12 13:42:37 PDT 2011


On 5/12/11 4:08 PM, Omair Majid wrote:
> On 05/12/2011 03:31 PM, Sean Mullan wrote:
>> Hi Omair,
>>
>> Did you also file a corresponding bug report with this patch? I cannot
>> find one. That would have helped, as it would have been less likely to
>> have been missed.
>>
>
> No, I normally wait for an OpenJDK dev to look at the fix, comment and file a
> bug against the best component. It often turns out that my understanding of the
> bug is incomplete :)

I would suggest for now until we have an OpenJDK bug tracking system in place, 
you also file a bug or ask an Oracle engineer to file one on your behalf.

>
>> I can file a bug on your behalf, or you can file one yourself via
>> http://bugs.sun.com/bugdatabase/index.jsp but I can't make any
>> guarantees this will get into JDK 7 at this point as we are really only
>> concentrating on fixing critical showstopper bugs.
>>
>
> First of all, do you agree that this is a problem/regression that should be
> addressed?

Yes.

> Is the fix correct?

I think the outcome is correct but I would need to more carefully analyze the 
diffs.

JDK 6 handles this a little differently, it creates a URLConnection, and then 
calls getPermission. The JAR implementation of URLConnection then returns a 
FilePermission object containing the path. This may be slightly less optimal 
than your fix, but it might be better to use that instead.

I can't figure out why this didn't make it into JDK 7. I don't have all of the 
history. AFAICT, this hasn't worked in JDK 7 for quite some time, but the code 
in JDK 6 that addresses this has been there since way back at least 1.4.

> I would appreciate it if you could file the bug -
> I believe only Oracle developers have the necessary privileges to make bugs
> public and assign it to themselves.

Will do.

> As for the fix getting into OpenJDK, as long as this fix gets into some OpenJDK
> branch, I am fine. I am not too bothered if it gets into OpenJDK8 or OpenJDK7
> (or an OpenJDK7 update). It's really up to you guys whether you want it in
> (proprietary) JDK7 or not - though I expect some users of the proprietary JDK7
> will be affected by this.

Ok. I'll make sure it gets into OpenJDK: if not in 7 or an update, then definitely 
in 8.

--Sean

>
>> Thanks,
>> Sean
>>
>
> No, _thank you_ for taking some time to look at the bug. I appreciate your
> efforts in trying to resolve this.
>
> Cheers,
> Omair
>
>> On 5/12/11 1:49 PM, Omair Majid wrote:
>>> Hi,
>>>
>>> Deepak Bhole posted this bug on the openjdk bugzilla a little while
>>> ago, but it
>>> seems to have fallen through the cracks:
>>>
>>> https://bugs.openjdk.java.net/show_bug.cgi?id=100142
>>>
>>> The bug report contains a test case and a patch for a regression in
>>> how jar urls
>>> are evaluated for security. With the Oracle JDK6, the result is:
>>>
>>> $ /usr/java/latest/bin/java JarProtocolPermissionTest
>>> jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has
>>> java.security.AllPermission? : true
>>>
>>> While a recent build of OpenJDK7 gives a different result:
>>>
>>> $ /home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/bin/java JarProtocolPermissionTest
>>> jar:file:/home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/jre/lib/ext/foo.jar!/ has java.security.AllPermission? : false
>>>
>>> Is there anything I can do to get this in OpenJDK7?
>>>
>>> Thanks,
>>> Omair
>
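Added example (editor's note, not the JarProtocolPermissionTest from the bug report nor any OpenJDK code): it exercises the two evaluations the thread contrasts for a `jar:` URL. First, what `URLConnection.getPermission()` returns for it, which is the route Sean describes for JDK 6, where the JAR protocol handler delegates to the underlying `file:` connection and yields a `FilePermission` on the jar path. Second, whether the installed `Policy` grants `java.security.AllPermission` to a `CodeSource` at that URL, printed for both the plain `file:` form and the `jar:...!/` form so the regression shows up as a mismatch between the two lines. The class name `JarUrlPolicyCheck` and the default path `${java.home}/lib/ext/foo.jar` are assumptions; the jar does not need to exist, since neither call opens it. The expectation that the extension directory gets AllPermission relies on the standard-extensions grant (`file:${{java.ext.dirs}}/*`) in the stock `java.policy` of JDK 6/7; on later JDKs without that grant, both policy lines print `false` regardless of the bug.

```java
import java.io.File;
import java.net.URL;
import java.net.URLConnection;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.cert.Certificate;

/*
 * Added illustration for the security-dev thread; not the bug report's test case.
 * Assumptions: class name and default jar path are made up for this example, and
 * the "extensions get AllPermission" expectation comes from the stock java.policy
 * grant for file:${{java.ext.dirs}}/* in JDK 6/7.
 */
public class JarUrlPolicyCheck {

    /** Builds the same shape of URL as the bug report: jar:<file-url>!/ */
    static URL jarUrlFor(File jar) throws Exception {
        return new URL("jar:" + jar.toURI().toURL() + "!/");
    }

    /**
     * The permission the protocol handler associates with the URL.
     * For jar:file:...!/ the JAR handler hands this to the file: handler,
     * which answers with a FilePermission("<path>", "read"); no connect() is
     * needed, so the jar need not exist.
     */
    static Permission connectionPermission(URL u) throws Exception {
        URLConnection conn = u.openConnection();
        return conn.getPermission();
    }

    /** Does the current Policy grant AllPermission to code loaded from this URL? */
    static boolean policyGrantsAll(URL u) {
        CodeSource cs = new CodeSource(u, (Certificate[]) null);
        PermissionCollection pc = Policy.getPolicy().getPermissions(cs);
        return pc.implies(new AllPermission());
    }

    public static void main(String[] args) throws Exception {
        // Default: a hypothetical jar in the extension directory (assumed path).
        File jar = args.length > 0
                ? new File(args[0])
                : new File(System.getProperty("java.home"), "lib/ext/foo.jar");

        URL fileUrl = jar.toURI().toURL();
        URL jarUrl = jarUrlFor(jar);

        // 1. JDK 6's route: what does the URLConnection say the jar URL maps to?
        Permission p = connectionPermission(jarUrl);
        System.out.println(jarUrl + " -> getPermission(): "
                + p.getClass().getName() + " " + p);

        // 2. The policy lookup the test case performs, for both URL forms.
        // With the JDK 6/7 extensions grant these two lines should agree (true);
        // the regression reported above is the jar: line coming back false.
        System.out.println(fileUrl + " has java.security.AllPermission? : "
                + policyGrantsAll(fileUrl));
        System.out.println(jarUrl + " has java.security.AllPermission? : "
                + policyGrantsAll(jarUrl));
    }
}
```

Run it with `java JarUrlPolicyCheck` (or pass an explicit jar path as the first argument) on the JDK under test with no SecurityManager installed, so `Policy.getPolicy()` needs no extra permission. Comparing the `file:` and `jar:` lines is the useful check: the `getPermission()` line shows the `FilePermission` that JDK 6 matches against the policy's `codeBase` grants, and if the `file:` line is `true` while the `jar:` line is `false`, the policy is not unwrapping the `jar:` URL to that path.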


