<AWT Dev>  Review request for 8154405: AccessControlException by URLPermission check
dmitry.markov at oracle.com
Wed Dec 13 07:38:48 UTC 2017
Please ignore the new version of the fix (i.e. http://cr.openjdk.java.net/~dmarkov/8154405/webrev.01/). It was found that the usage of fallback code introduces a potential security issue. So I will integrate the previous version of the fix (i.e. http://cr.openjdk.java.net/~dmarkov/8154405/webrev.00/), which is already approved on this list.
Could you take a look at http://cr.openjdk.java.net/~dmarkov/8154405/webrev.00/, please?
Thank you in advance,
> On 8 Dec 2017, at 11:19, Dmitry Markov <dmitry.markov at oracle.com> wrote:
> Reminder. Could you take a look, please?
> Also I would like to clarify the purpose of the fallback mechanism introduced by the new version. The fallback code addresses the issue that users have of not knowing what permission to grant, because some connections (e.g. HTTP) may be established by granting either URLPermission or SocketPermission and it is unclear what permission type is used for the check by getImage() or createImage(). In fact this code fixes a backward compatibility issue caused by switching from SocketPermission to URLPermission.
>> On 1 Dec 2017, at 18:07, Dmitry Markov <dmitry.markov at oracle.com> wrote:
>> During the CSR review it was decided to update the proposed fix. The new version is located at http://cr.openjdk.java.net/~dmarkov/8154405/webrev.01/
>> Could you review the new version, please?
>> The list of changes:
>> - Updated the description of Toolkit.getImage(URL u) and Toolkit.createImage(URL u) (made the wording less specific)
>> - Added some backward compatibility support to SunToolkit.checkPermission() and to the constructor of URLImageSource. Now if the security check of URLPermission fails, we will check the corresponding SocketPermission.
>> - Added a regression test.
>>> On 18 Nov 2017, at 15:30, Dmitry Markov <dmitry.markov at oracle.com> wrote:
>>> I have created the following one https://bugs.openjdk.java.net/browse/JDK-8191531
>>>> On 17 Nov 2017, at 22:10, Sergey Bylokhov <sergey.bylokhov at oracle.com> wrote:
>>>> On 17/11/2017 12:28, Dmitry Markov wrote:
>>>>> Thank you, Sergey! Shall I create a CSR for this?
>>>> Yes, we need a CSR.
>>>> Best regards, Sergey.
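
An added example, not part of the thread and not the JDK's or the webrev's code: it compares what a path-scoped URLPermission grant and a host:port SocketPermission grant each allow, under a URLPermission-only check and under a URL-then-socket fallback check like the one described for webrev.01. The class name, the helper methods, the host 192.0.2.10 and the paths are constructed for illustration.

```java
import java.net.SocketPermission;
import java.net.URLPermission;
import java.security.Permission;

public class PermissionScopeDemo {
    // Constructed sample host: 192.0.2.10 is a documentation address (RFC 5737).
    // An IP literal keeps SocketPermission.implies() from doing a DNS lookup.
    static final String HOST = "192.0.2.10";

    // Hypothetical helper: does any granted permission imply the requested one?
    static boolean allowed(Permission[] granted, Permission requested) {
        for (Permission g : granted) {
            if (g.implies(requested)) {
                return true;
            }
        }
        return false;
    }

    // Hypothetical model of the check order described in the thread:
    // URLPermission first, then the corresponding SocketPermission.
    static boolean allowedWithFallback(Permission[] granted, String path) {
        Permission url = new URLPermission("http://" + HOST + path, "GET");
        Permission socket = new SocketPermission(HOST + ":80", "connect");
        return allowed(granted, url) || allowed(granted, socket);
    }

    public static void main(String[] args) {
        // Two constructed policies: one path-scoped, one host:port-scoped.
        Permission[] urlGrant = {
            new URLPermission("http://" + HOST + "/images/*", "GET") };
        Permission[] socketGrant = {
            new SocketPermission(HOST + ":80", "connect") };

        for (String path : new String[] {"/images/logo.png", "/private/report.png"}) {
            Permission url = new URLPermission("http://" + HOST + path, "GET");
            System.out.printf("%-22s urlGrant: url-only=%b fallback=%b | "
                    + "socketGrant: url-only=%b fallback=%b%n", path,
                    allowed(urlGrant, url), allowedWithFallback(urlGrant, path),
                    allowed(socketGrant, url), allowedWithFallback(socketGrant, path));
        }
    }
}
```

With the socket-only grant, the URL-only check refuses both paths while the fallback check accepts both, because a SocketPermission carries no path component. With the URL grant, only the path under /images/ is accepted by either check.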