8348986: Improve coverage of enhanced exception messages #23929
Conversation
|
👋 Welcome back michaelm! A progress list of the required criteria for merging this PR into |
|
@Michael-Mc-Mahon This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 10 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
|
@Michael-Mc-Mahon The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
|
/csr needed |
|
@Michael-Mc-Mahon has indicated that a compatibility and specification (CSR) request is needed for this pull request. @Michael-Mc-Mahon please create a CSR request for issue JDK-8348986 with the correct fix version. This pull request cannot be integrated until the CSR request is approved. |
Thanks, I will take another look at all these cases and update any that I agree need to be included. |
src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java
Outdated
Show resolved
Hide resolved
src/java.naming/share/classes/com/sun/jndi/toolkit/url/Uri.java
Outdated
Show resolved
Hide resolved
| String scheme = uri.getScheme(); | ||
| if (scheme != null && !scheme.equals("rmi")) { | ||
| throw new MalformedURLException("invalid URL scheme: " + str); | ||
| throw newMalformedURLException("invalid URL scheme:", str); |
There was a problem hiding this comment.
| throw newMalformedURLException("invalid URL scheme:", str); | |
| throw new MalformedURLException(formatMsg("invalid URL scheme%s", filterNonSocketInfo(str).prefixWith(": ").replaceWith(": rmi")); |
Co-authored-by: Daniel Fuchs <[email protected]>
|
Thanks for the suggestions. I have committed all of them except for two. One, I will modify in another way. |
|
The last change to java.net.HostPortrange (renaming the constructor parameter) has caused a problem. The parameter is hiding a field of the same name. I need to fix that now. |
| if (index == -1) | ||
| throw new MalformedURLException("no !/ found in url spec:" + s); | ||
| throw new MalformedURLException( | ||
| formatMsg("no !/ found in url spec%s", filterJarName(s).prefixWith(": "))); |
There was a problem hiding this comment.
JMOD files can only be used at compile time and link time. So I think you can drop the changes jmod stream handler.
| # names, host names, or port numbers. By default, socket related exceptions | ||
| # have this information restricted (meaning the sensitive details are removed). |
There was a problem hiding this comment.
I found the "By default ..." sentence a little confusing, since other categories are also restricted by default. My initial thought is to just remove this sentence, as reading further will make it more clear that the hostInfoExclSocket category is the only one that is not restricted by default. Alternatively, you could flip the meaning of this sentence and say which exceptions are not restricted by default.
There was a problem hiding this comment.
Fair point. I think we can make this clearer with a small addition. I propose to add the following sentence after the one starting "By default ..."
# Exception messages relating to Jar files and exceptions containing user
# identity information are also restricted by default.
There was a problem hiding this comment.
I would change "Jar" to "JAR" as I think that is the more common form and used in other places in this file. Looks fine otherwise.
dfuch
left a comment
dfuch
left a comment
There was a problem hiding this comment.
Thanks for the last updates Michael. I believe we're good now!
|
/integrate |
|
Going to push as commit b6f827e.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
|
@Michael-Mc-Mahon Pushed as commit b6f827e. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
6 participants
Hi,
Enhanced exception messages are designed to hide sensitive information such as hostnames, IP
addresses from exception message strings, unless the enhanced mode for the specific category
has been explicitly enabled. Enhanced exceptions were first introduced in 8204233 in JDK 11 and
updated in 8207846.
This PR aims to increase the coverage of enhanced exception messages in the networking code.
A limited number of exceptions are already hidden (restricted) by default. The new categories and
exceptions in this PR will be restricted on an opt-in basis, ie. the default mode will be enhanced
(while preserving the existing behavior).
The mechanism is controlled by the security/system property "jdk.includeInExceptions" which takes as value
a comma separated list of category names, which identify groups of exceptions where the exception
message may be enhanced. Any category not listed is "restricted" which means that potentially
sensitive information (such as hostnames, IP addresses, user identities) are excluded from the message text.
The changes to the java.security conf file describe the exact changes in terms of the categories now
supported and any changes in behavior.
Thanks,
Michael
Progress
Issues
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/23929/head:pull/23929$ git checkout pull/23929Update a local copy of the PR:
$ git checkout pull/23929$ git pull https://git.openjdk.org/jdk.git pull/23929/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 23929View PR using the GUI difftool:
$ git pr show -t 23929Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/23929.diff
Using Webrev
Link to Webrev Comment