[security-dev 00759]: hg: jdk7/tl/jdk: 3 new changesets
Changeset: 0b3660c68262
Author:    alanb
Date:      2009-04-15 14:53 +0100
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/0b3660c68262

6795561: (bf) CharBuffer.subSequence() uses wrong capacity value for new buffer
Reviewed-by: sherman, iris

! src/share/classes/java/nio/ByteBufferAs-X-Buffer.java
! src/share/classes/java/nio/Direct-X-Buffer.java
! src/share/classes/java/nio/Heap-X-Buffer.java
! src/share/classes/java/nio/StringCharBuffer.java
! test/java/nio/Buffer/Basic-X.java
! test/java/nio/Buffer/Basic.java
! test/java/nio/Buffer/BasicByte.java
! test/java/nio/Buffer/BasicChar.java
! test/java/nio/Buffer/BasicDouble.java
! test/java/nio/Buffer/BasicFloat.java
! test/java/nio/Buffer/BasicInt.java
! test/java/nio/Buffer/BasicLong.java
! test/java/nio/Buffer/BasicShort.java

Changeset: 44b6b2a4dd04
Author:    alanb
Date:      2009-04-15 16:16 +0100
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/44b6b2a4dd04

6543863: (fc) FileLock.release can deadlock with FileChannel.close
6429910: (fc) FileChannel.lock() IOException: Bad file number, not AsynchronousCloseException
6814948: (fc) test/java/nio/channels/AsynchronousFileChannel/Lock.java failed intermittently
6822643: (fc) AsynchronousFileChannel.close does not invalidate FileLocks
Reviewed-by: sherman

! src/share/classes/sun/nio/ch/AsynchronousFileChannelImpl.java
! src/share/classes/sun/nio/ch/FileChannelImpl.java
! src/share/classes/sun/nio/ch/FileLockImpl.java
! src/share/classes/sun/nio/ch/FileLockTable.java
! src/share/classes/sun/nio/ch/SimpleAsynchronousFileChannelImpl.java
! src/windows/classes/sun/nio/ch/WindowsAsynchronousFileChannelImpl.java
! src/windows/native/sun/nio/ch/FileDispatcherImpl.c
! test/java/nio/channels/AsynchronousFileChannel/Basic.java
! test/java/nio/channels/AsynchronousFileChannel/Lock.java
+ test/java/nio/channels/FileChannel/ReleaseOnCloseDeadlock.java

Changeset: ca94dcd8c4fb
Author:    alanb
Date:      2009-04-17 09:38 +0100
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/ca94dcd8c4fb

Merge

- src/share/native/java/util/zip/ZipEntry.c
[security-dev 00760]: hg: jdk7/tl/jaxws: 2 new changesets
Changeset: 99fc62f032a7
Author:    ramap
Date:      2009-03-09 15:32 -0700
URL:       http://hg.openjdk.java.net/jdk7/tl/jaxws/rev/99fc62f032a7

6536193: Fix the flaw in UTF8XmlOutput
Reviewed-by: tbell

! src/share/classes/com/sun/xml/internal/bind/v2/runtime/output/UTF8XmlOutput.java

Changeset: f89f252678be
Author:    asaha
Date:      2009-04-10 13:05 -0700
URL:       http://hg.openjdk.java.net/jdk7/tl/jaxws/rev/f89f252678be

Merge
[security-dev 00762]: Re: Code review request: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
On Apr 17, 2009, at 10:08 PM, Christopher Hegarty - Sun Microsystems Ireland wrote:

> Hi Max,
>
> I'm not overly familiar with this code, so another reviewer would be prudent. The changes look fine. I have just two minor comments:
>
> 1) In handle(Callback[]) I'd move the call to getAnswer from L83 and L86 and put it before the if statement. I expect that an unsupported callback would be rare.

In fact, the handler is called inside JDK. Two of them, one with one NameCallback, and another with one PasswordCallback. However, I would like handle() to look more general.

> 2) I don't see that you need to set the default values for the class members username and answered. I actually believe that Sun's javac generates more unnecessary bytecode to set these values.

Correct.

Thanks
Max

> As I said the comments are minor (feel free to ignore them). Otherwise looks good.
>
> -Chris.
>
> Weijun Wang wrote:
>> Hi Chris/Valerie
>>
>> Can you take a review on a related bug. I found it when I wrote the test for the previous one.
>>
>> 6829283: HTTP/Negotiate: Authenticator triggered again when user cancels the first one
>>
>> http://cr.openjdk.java.net/~weijun/6829283/webrev.00/
>>
>> Basically, it's because for HTTP/Negotiate, it's ... - Callback - Authenticator
>>
>> We have 2 callbacks (user and pass) in JAAS, but there's only 1 Authenticator (doing user and pass at the same time). If user cancels the first call, we shouldn't bother her again.
>>
>> Thanks
>> Max
>>
>> Max Wang (Weijun) wrote:
>>> Hi Chris
>>>
>>> A new webrev is created at
>>>
>>> http://cr.openjdk.java.net/~weijun/6578647/webrev.01
>>>
>>> Now all HttpCallerInfo creations are inline, so the diff is much clearer. There's one place I didn't call toLowerCase(), the call is moved into NegotiatorImpl right before the service principal name is created.
>>>
>>> I also add a test, putting two Kerberos KDC, one HTTP server, one proxy server in a single regression test is fun!
>>>
>>> Thanks
>>> Max
>>>
>>> On Apr 14, 2009, at 8:55 PM, Max (Weijun) Wang wrote:
>>>
>>>> On Apr 14, 2009, at 5:59 PM, Christopher Hegarty - Sun Microsystems Ireland wrote:
>>>>
>>>>> Hi Max,
>>>>>
>>>>> I only looked at the networking part of the changes. They look fine, I just have a few questions/comments:
>>>>>
>>>>> 1) sun.net.www.protocol.http.HttpURLConnection
>>>>>
>>>>> Can you use the same HttpCallerInfo instance for proxy authentication at line 1108? This instance has been created using the single arg constructor therefore it has authType = RequestorType.SERVER, right?
>>>>
>>>> Yes, you're right. Will update tomorrow.
>>>>
>>>>> 2) sun.net.www.protocol.http.HttpCallerInfo
>>>>>
>>>>> It is just my preference, but I would prefer to see all the fields of HttpCallerInfo private and have simple accessors:
>>>>>
>>>>>     private final String host;
>>>>>     ..
>>>>>     public String host() { return host; }
>>>>>     ..
>>>>
>>>> Your suggestion is more formal. But I think making all fields final is also sufficient to make it immutable.
>>>>
>>>>> 3) Are the changes to use HttpCallerInfo in AuthenticationHeader, HttpURLConnection, NegotiateAuthentication and NegotiatorImpl strictly necessary? They seem to be changed just for consistency of using the new class. I only see that NegotiateCallbackHandler is required to use this new class on the networking side.
>>>>
>>>> There needs to be a way to transfer this info into the JGSS underneath (so that NegotiateCallbackHandler has a chance to know it), and the only bridge is inside NegotiatorImpl. I don't know if there's a better way to do this. The HttpClient class seems to have similar info but sometimes it's null and I don't know why. Sorry if I reinvent a wheel-cart to carry this info.
>>>>
>>>> Thanks
>>>> Max
>>>>
>>>>> This is not a problem just a question to see if I understand correctly the changes.
>>>>>
>>>>> -Chris.
>>>>>
>>>>> On 04/13/09 03:27, Weijun Wang wrote:
>>>>>> Hi Valerie and Networking guys
>>>>>>
>>>>>> Please take a review at this bug fix:
>>>>>>
>>>>>> http://cr.openjdk.java.net/~weijun/6578647/webrev.00/
>>>>>>
>>>>>> The bug is http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6578647
>>>>>>
>>>>>> The bug report says that no URL-related info is available in Authenticator when using HTTP/Negotiate. The reason is that in the long stack of
>>>>>>
>>>>>> HTTP/Negotiate - JGSS - JAAS - Krb5LoginModule - Callback - Authenticator
>>>>>>
>>>>>> The URL info is lost. In order to support special actions for HTTP/Negotiate calls in JGSS (say, using Authenticator instead of text-based callback, honor the OK-AS-DELEGATE flag...), we already used an integer field (caller) to tell the codes deep below who initiates the JGSS calls. It seems an integer is not enough to carry too much information. (oh, I love the C void*)
>>>>>>
>>>>>> The fix is simple: change the caller from integer to a Java class: GSSCaller, which includes as much info as it likes. For HTTP/Negotiate, a child class HttpCaller, encapsulates all info an Authenticator needs.
>>>>>>
>>>>>> The fix includes three parts:
>>>>>>
>>>>>> 1. Three new classes:
>>>>>>    sun.sec.jgss.GSSCaller: the new caller
>>>>>>    sun.sec.jgss.HttpCaller: a child of GSSCaller, knows everything about HTTP
>>>>>>    sun.net.www.protocol.http.HttpCallerInfo: the info GSSCaller knows, this class is
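The two points this thread turns on, a typed caller object carrying the requesting URL down to the JAAS callback handler instead of an integer tag (6578647), and asking the Authenticator once rather than once per callback so that a cancelled prompt is not repeated (6829283), as an added Java example. This is not code from the webrev or from the JDK sources: the names DemoHttpCallerInfo and DemoNegotiateCallbackHandler, the example URL and the cancelling Authenticator are assumptions for the demo; only javax.security.auth.callback and java.net.Authenticator are the real JDK APIs.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical stand-in for the thread's HttpCallerInfo: an immutable bag of
// everything an Authenticator wants to know about the request (not JDK code).
final class DemoHttpCallerInfo {
    final URL url;
    final String host;
    final int port;
    final String protocol;                       // "http" or "https"
    final String scheme = "Negotiate";
    final Authenticator.RequestorType authType;  // SERVER or PROXY

    DemoHttpCallerInfo(URL url, Authenticator.RequestorType authType) {
        this.url = url;
        this.host = url.getHost();
        this.port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        this.protocol = url.getProtocol();
        this.authType = authType;
    }
}

// Hypothetical stand-in for NegotiateCallbackHandler. Krb5LoginModule calls
// handle() twice, once with a NameCallback and once with a PasswordCallback;
// the Authenticator is consulted only on the first call.
final class DemoNegotiateCallbackHandler implements CallbackHandler {
    private final DemoHttpCallerInfo info;
    private boolean answered;   // already asked the Authenticator?
    private String username;    // stays null if the user cancelled
    private char[] password;

    DemoNegotiateCallbackHandler(DemoHttpCallerInfo info) { this.info = info; }

    // Ask once; a cancel (null result) is remembered so the second callback
    // does not pop the dialog again.
    private void getAnswer() {
        if (answered) return;
        answered = true;
        PasswordAuthentication pa = Authenticator.requestPasswordAuthentication(
                info.host, null, info.port, info.protocol,
                "Kerberos credentials for " + info.host, info.scheme, info.url, info.authType);
        if (pa != null) {
            username = pa.getUserName();
            password = pa.getPassword();
        }
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        getAnswer();   // before the type checks, as suggested in the review
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);   // null is accepted
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
}

public class CallerInfoDemo {
    public static void main(String[] args) throws Exception {
        AtomicInteger prompts = new AtomicInteger();
        // Constructed Authenticator standing in for a user who cancels the dialog.
        // It now sees the requesting URL and requestor type, which the bug report
        // said were missing for HTTP/Negotiate.
        Authenticator.setDefault(new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                prompts.incrementAndGet();
                System.out.println("Prompt for " + getRequestingURL()
                        + " (" + getRequestorType() + ", " + getRequestingScheme() + ")");
                return null;   // user pressed Cancel
            }
        });
        DemoHttpCallerInfo info = new DemoHttpCallerInfo(
                new URL("http://www.example.com/secure/"), Authenticator.RequestorType.SERVER);
        CallbackHandler h = new DemoNegotiateCallbackHandler(info);
        h.handle(new Callback[] { new NameCallback("user: ") });
        h.handle(new Callback[] { new PasswordCallback("password: ", false) });
        System.out.println("Authenticator invoked " + prompts.get() + " time(s)");
    }
}
```

Run with a plain `javac CallerInfoDemo.java && java CallerInfoDemo`; the Authenticator is invoked a single time across the two callbacks. Reusing one DemoHttpCallerInfo built with RequestorType.PROXY for the proxy leg, as the review comment about line 1108 suggests, is just a second instance with a different authType.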
[security-dev 00763]: hg: jdk7/tl/jdk: 31 new changesets
Changeset: fb2ccb7c50c7
Author:    wetmore
Date:      2008-08-22 18:48 -0700
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/fb2ccb7c50c7

6497740: Limit the size of RSA public keys
Reviewed-by: andreas, valeriep, vinnie

! src/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java
! src/share/classes/sun/security/pkcs11/P11KeyStore.java
! src/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java
! src/share/classes/sun/security/pkcs11/SunPKCS11.java
! src/share/classes/sun/security/rsa/RSAKeyFactory.java
! src/share/classes/sun/security/rsa/RSAKeyPairGenerator.java
! src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
! src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
! src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
! src/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java
! src/windows/classes/sun/security/mscapi/RSASignature.java

Changeset: 8e51a219fc3b
Author:    weijun
Date:      2008-10-01 10:01 +0800
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/8e51a219fc3b

6588160: jaas krb5 client leaks OS-level UDP sockets (all platforms)
Reviewed-by: jccollet, chegar

! src/share/classes/sun/security/krb5/KrbKdcReq.java
! src/share/classes/sun/security/krb5/internal/UDPClient.java

Changeset: 150a441a305d
Author:    ksrini
Date:      2008-09-04 09:43 -0700
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/150a441a305d

6733959: Insufficient checks for Main-Class manifest entry in JAR files
Summary: Fixes a buffer overrun problem with a very long Main-Class attribute.
Reviewed-by: darcy

! src/share/bin/emessages.h
! src/share/bin/java.c
! test/tools/launcher/MultipleJRE.sh
+ test/tools/launcher/ZipMeUp.java

Changeset: ec336f0e23f4
Author:    okutsu
Date:      2008-10-02 16:49 +0900
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/ec336f0e23f4

6734167: Calendar.readObject allows elevation of privileges
Reviewed-by: peytoia

! src/share/classes/java/util/Calendar.java

Changeset: 135c5fe2ee42
Author:    bae
Date:      2008-10-02 20:37 +0400
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/135c5fe2ee42

6726779: ConvolveOp on USHORT raster can cause the JVM crash.
Reviewed-by: igor, prr

! src/share/native/sun/awt/medialib/awt_ImagingLib.c
+ test/java/awt/image/ConvolveOp/EdgeNoOpCrash.java

Changeset: 9d1033f65e4b
Author:    alanb
Date:      2008-10-09 21:12 +0100
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/9d1033f65e4b

6721753: File.createTempFile produces guessable file names
Reviewed-by: sherman

! src/share/classes/java/io/File.java

Changeset: 3c567ab34788
Author:    ksrini
Date:      2008-10-17 09:43 -0700
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/3c567ab34788

6755943: Java JAR Pack200 Decompression should enforce stricter header checks
Summary: Fixes a core dump when fed with a faulty pack file and related malicious take over
Reviewed-by: jrose

! make/common/shared/Defs-windows.gmk
! src/share/native/com/sun/java/util/jar/pack/bytes.cpp
! src/share/native/com/sun/java/util/jar/pack/defines.h
! src/share/native/com/sun/java/util/jar/pack/main.cpp
! src/share/native/com/sun/java/util/jar/pack/unpack.cpp
! src/share/native/com/sun/java/util/jar/pack/unpack.h
! src/share/native/com/sun/java/util/jar/pack/utils.cpp
! src/share/native/com/sun/java/util/jar/pack/utils.h
+ test/tools/pack200/MemoryAllocatorTest.java

Changeset: 0291de857e51
Author:    bae
Date:      2008-12-03 13:34 +0300
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/0291de857e51

6766136: corrupted gif image may cause crash in java splashscreen library.
Reviewed-by: prr, art

! src/share/native/sun/awt/splashscreen/splashscreen_gfx_impl.h
! src/share/native/sun/awt/splashscreen/splashscreen_gif.c

Changeset: dfb09d805b2d
Author:    prr
Date:      2008-12-24 15:48 -0800
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/dfb09d805b2d

6652463: MediaSize constructors allow to redefine the mapping of standard MediaSizeName values
Reviewed-by: igor, jgodinez

! src/share/classes/javax/print/attribute/standard/MediaSize.java
+ test/javax/print/attribute/MediaMappingsTest.java

Changeset: a8ec0998704e
Author:    weijun
Date:      2008-12-30 10:42 +0800
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/a8ec0998704e

6717680: LdapCtx does not close the connection if initialization fails
Reviewed-by: vinnie, xuelei

! src/share/classes/com/sun/jndi/ldap/LdapCtx.java

Changeset: 6a4e03cc03bb
Author:    prr
Date:      2009-01-05 11:28 -0800
URL:       http://hg.openjdk.java.net/jdk7/tl/jdk/rev/6a4e03cc03bb

6632886: Font.createFont can be persuaded to leak temporary files
6522586: Enforce limits on Font creation
6652929: Font.createFont(int,File) trusts File.getPath
Reviewed-by: igor

! src/share/classes/java/awt/Font.java
+ src/share/classes/sun/font/CreatedFontTracker.java
! src/share/classes/sun/font/FileFont.java
! src/share/classes/sun/font/FontManager.java
+ test/java/awt/FontClass/CreateFont/A.ttf
+