Request for review: regression in jar url evaluation between JDK6 and OpenJDK7

Omair Majid omajid at redhat.com
Thu May 12 10:49:41 PDT 2011


Hi,

Deepak Bhole posted this bug on the openjdk bugzilla a little while ago, 
but it seems to have fallen through the cracks:

https://bugs.openjdk.java.net/show_bug.cgi?id=100142

The bug report contains a test case and a patch for a regression in how 
jar urls are evaluated for security. With the Oracle JDK6, the result is:

$ /usr/java/latest/bin/java JarProtocolPermissionTest
jar:file:/usr/java/jdk1.6.0_24/jre/lib/ext/foo.jar!/ has java.security.AllPermission? : true

While a recent build of OpenJDK7 gives a different result:

$ /home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/bin/java JarProtocolPermissionTest
jar:file:/home/omajid/code/hg.openjdk.java.net/jdk7/jdk7/build/linux-amd64/j2sdk-image/jre/lib/ext/foo.jar!/ has java.security.AllPermission? : false

Is there anything I can do to get this in OpenJDK7?

Thanks,
Omair
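
An added example, not part of the original message and not the test case attached to the bug report (which is not reproduced on this page): one way to check every jar in the extension directories under both URL forms and flag any jar whose jar: form is granted less than its file: form. It assumes a JDK that still has extension directories and the java.security.Policy API, as the JDK 6 and 7 builds above do; the class name ExtJarPolicyCheck is hypothetical.

```java
import java.io.File;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Policy;
import java.security.cert.Certificate;

public class ExtJarPolicyCheck {

    // Ask the installed Policy whether code loaded from this URL
    // (unsigned, so no certificates) would be granted AllPermission.
    static boolean hasAllPermission(URL url) {
        CodeSource cs = new CodeSource(url, (Certificate[]) null);
        return Policy.getPolicy().getPermissions(cs).implies(new AllPermission());
    }

    public static void main(String[] args) throws Exception {
        String extDirs = System.getProperty("java.ext.dirs");
        if (extDirs == null) {
            System.out.println("java.ext.dirs is not set on this JDK; nothing to check");
            return;
        }
        int mismatches = 0;
        for (String dir : extDirs.split(File.pathSeparator)) {
            File[] entries = new File(dir).listFiles();
            if (entries == null) {
                continue; // directory missing or unreadable
            }
            for (File f : entries) {
                if (!f.getName().endsWith(".jar")) {
                    continue;
                }
                URL fileUrl = f.toURI().toURL();                 // file:/.../lib/ext/foo.jar
                URL jarUrl = new URL("jar:" + fileUrl + "!/");   // jar:file:/.../foo.jar!/
                boolean viaFile = hasAllPermission(fileUrl);
                boolean viaJar = hasAllPermission(jarUrl);
                System.out.println(jarUrl + " has java.security.AllPermission? : " + viaJar);
                if (viaFile != viaJar) {
                    mismatches++;
                    System.out.println("  MISMATCH: " + fileUrl + " evaluates to " + viaFile);
                }
            }
        }
        System.out.println(mismatches + " jar(s) evaluated differently under the jar: URL form");
        System.exit(mismatches == 0 ? 0 : 1); // non-zero exit lets a build script fail on a mismatch
    }
}
```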


