Please ignore the new version of the fix, (i.e. http://cr.openjdk.java.net/~dmarkov/8154405/webrev.01/). It was found out that the usage of fallback code introduces a potential security issue. So I will integrate the previous version of the fix, (i.e. http://cr.openjdk.java.net/~dmarkov/8154405/webrev.00/) which is already approved on this list.
Sean, Could you take a look at http://cr.openjdk.java.net/~dmarkov/8154405/webrev.00/ , please?

Thank you in advance,
Dmitry

> On 8 Dec 2017, at 11:19, Dmitry Markov <dmitry.mar...@oracle.com> wrote:
>
> Reminder. Could you take a look, please?
>
> Also I would like to clarify the purpose of the fallback mechanism introduced
> by the new version. The fallback code addresses the issue that users have not
> knowing what permission to grant because some connections (e.g. HTTP) may be
> established by granting either URLPermission or SocketPermission and it is
> unclear what permission type is used for the check by getImage() or
> createImage(). In fact this code fixes a backward compatibility issue caused by
> switching from SocketPermission to URLPermission.
>
> Thanks,
> Dmitry
>
>> On 1 Dec 2017, at 18:07, Dmitry Markov <dmitry.mar...@oracle.com> wrote:
>>
>> During the CSR review it was decided to update the proposed fix. The new version
>> is located at http://cr.openjdk.java.net/~dmarkov/8154405/webrev.01/
>> Could you review the new version, please?
>>
>> The list of changes:
>> - Updated the description of Toolkit.getImage(URL u) and
>>   Toolkit.createImage(URL u) (made the wording less specific)
>> - Added some backward compatibility support to SunToolkit.checkPermission()
>>   and to the constructor of URLImageSource. Now if the security check of
>>   URLPermission fails we will check the corresponding SocketPermission.
>> - Added regression test.
>>
>> Thanks,
>> Dmitry
>>
>>> On 18 Nov 2017, at 15:30, Dmitry Markov <dmitry.mar...@oracle.com> wrote:
>>>
>>> I have created the following one
>>> https://bugs.openjdk.java.net/browse/JDK-8191531
>>>
>>> Thanks,
>>> Dmitry
>>>
>>>> On 17 Nov 2017, at 22:10, Sergey Bylokhov <sergey.bylok...@oracle.com> wrote:
>>>>
>>>> On 17/11/2017 12:28, Dmitry Markov wrote:
>>>>> Thank you, Sergey! Shall I create a CSR for this?
>>>>
>>>> yes we need a CSR.
>>>>
>>>> --
>>>> Best regards, Sergey.