On 5/12/11 4:08 PM, Omair Majid wrote:
On 05/12/2011 03:31 PM, Sean Mullan wrote:
Hi Omair,
Did you also file a corresponding bug report with this patch? I cannot
find one. That would have helped, as it would have been less likely to
have been missed.
No, I normally wait for an OpenJDK dev to look at the fix, comment and file a
bug against the best component. It often turns out that my understanding of the
bug is incomplete :)
I would suggest for now until we have an OpenJDK bug tracking system in place,
you also file a bug or ask an Oracle engineer to file one on your behalf.
I can file a bug on your behalf, or you can file one yourself via
http://bugs.sun.com/bugdatabase/index.jsp but I can't make any
guarantees this will get into JDK 7 at this point as we are really only
concentrating on fixing critical showstopper bugs.
First of all, do you agree that this is a problem/regression that should be
addressed?
Yes.
Is the fix correct?
I think the outcome is correct but I would need to more carefully analyze the
diffs.
JDK 6 handles this a little differently, it creates a URLConnection, and then
calls getPermission. The JAR implementation of URLConnection then returns a
FilePermission object containing the path. This may be slightly less optimal
than your fix, but it might be better to use that instead.
I can't figure out why this didn't make it into JDK 7. I don't have all of the
history. AFAICT, this hasn't worked in JDK 7 for quite some time, but the code
in JDK 6 that addresses this has been there since way back at least 1.4.
I would appreciate it if you could file the bug -
I believe only Oracle developers have the necessary privileges to make bugs
public and assign it to themselves.
Will do.
As for the fix getting into OpenJDK, as long as this fix gets into some OpenJDK
branch, I am fine. I am not too bothered if it gets into OpenJDK8 or OpenJDK7
(or an OpenJDK7 update). It's really up to you guys whether you want it in
(proprietary) JDK7 or not - though I expect some users of the proprietary JDK7
will be affected by this.
Ok. I'll make sure it gets into OpenJDK if not in 7 or an update then definitely
in 8.
--Sean
Thanks,
Sean
No, _thank you_ for taking some time to look at the bug. I appreciate your
efforts in trying to resolve this.
Cheers,
Omair
On 5/12/11 1:49 PM, Omair Majid wrote:
Hi,
Deepak Bhole posted this bug on the openjdk bugzilla a little while ago, but it
seems to have fallen through the cracks:
https://bugs.openjdk.java.net/show_bug.cgi?id=100142
The bug report contains a test case and a patch for a regression in how jar urls
are evaluated for security. With the Oracle JDK6, the result is:
$ /usr/java/latest/bin/java JarProtocolPermissionTest
jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has java.security.AllPermission? : true
While a recent build of OpenJDK7 gives a different result:
$ /home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/bin/java JarProtocolPermissionTest
jar:file:/home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/jre/lib/ext/foo.jar!/ has java.security.AllPermission? : false
Is there anything I can do to get this in OpenJDK7?
Thanks,
Omair
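
Added example, not part of the thread, the bug report's test case or the JDK sources: a sketch of the mechanism described above for JDK 6, where a jar: URL is resolved through URLConnection.getPermission() to the FilePermission path of the backing file, and of why a file: codeBase grant does not match the raw jar: URL. The class name, the helper toFileLocation and the /opt/demo paths are hypothetical, and Unix-style paths are assumed.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.cert.Certificate;

public class JarUrlCodeSourceDemo {

    // Hypothetical helper: map a non-file code source URL to the file that
    // backs it, using the permission its URLConnection reports. Asking for
    // the permission does not open the connection.
    static URL toFileLocation(URL location) throws IOException {
        if ("file".equals(location.getProtocol())) {
            return location;
        }
        Permission p = location.openConnection().getPermission();
        if (p instanceof FilePermission) {
            // The FilePermission name is the path of the underlying jar file.
            return new File(p.getName()).toURI().toURL();
        }
        return location; // not file-backed: leave unchanged
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample locations; the jar does not need to exist.
        URL jarUrl = new URL("jar:file:/opt/demo/lib/ext/foo.jar!/");
        URL grantUrl = new URL("file:/opt/demo/lib/ext/*");

        // Stand-in for a policy grant whose codeBase covers the ext directory.
        CodeSource grant = new CodeSource(grantUrl, (Certificate[]) null);
        CodeSource raw = new CodeSource(jarUrl, (Certificate[]) null);
        CodeSource resolved =
                new CodeSource(toFileLocation(jarUrl), (Certificate[]) null);

        System.out.println("permission reported for jar: URL: "
                + jarUrl.openConnection().getPermission());
        // CodeSource.implies compares protocols first, so jar: vs file: differs.
        System.out.println("grant implies raw jar: location?  "
                + grant.implies(raw));
        System.out.println("grant implies resolved location?  "
                + grant.implies(resolved));
    }
}
```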