Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8354678

Disable FTP fallback for non-local file URLs by default

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Approved
    • Icon: P4 P4
    • 25
    • core-libs
    • None
    • behavioral
    • low
    • Hide
      The feature being disabled is undocumented and based on interpretations of old RFCs which have later been supplanted. Public, anonymous and insecure FTP servers are increasingly rare. Affected code can use explicit FTP URLs instead or choose or re-enable the FTP fallback via the system property introduced in this change.

      Non-local file URLs for which a successful FTP connection cannot be made would previously cause an UnknownHostException, ConnectException or similar IOException while attempring to read from the fallback FtpURLConnection. There is a possibility that code exists which expects to catch these exceptions. Such code would need to be updated to handle the MalformedURLException thrown upon rejection of non-local URLs instead, or re-enable the FTP fallback via the property.
      Show
      The feature being disabled is undocumented and based on interpretations of old RFCs which have later been supplanted. Public, anonymous and insecure FTP servers are increasingly rare. Affected code can use explicit FTP URLs instead or choose or re-enable the FTP fallback via the system property introduced in this change. Non-local file URLs for which a successful FTP connection cannot be made would previously cause an UnknownHostException, ConnectException or similar IOException while attempring to read from the fallback FtpURLConnection. There is a possibility that code exists which expects to catch these exceptions. Such code would need to be updated to handle the MalformedURLException thrown upon rejection of non-local URLs instead, or re-enable the FTP fallback via the property.
    • System or security property
    • JDK

      Summary

      Disable by default the long-standing but unspecified feature which causes a non-local file URL to be resolved using an FtpURLConnection.

      A non-local file URL is a 'file:' URL with a host component which is not 'localhost', like 'file://example.com/folder/data.txt'. See definitions in RFC 8089.

      Problem

      From the very early days of the JDK, non-local file URLs would be attempted resolved using FTP.

      This was probably based on some interpretation of RFC 1738 section 3.10. The more modern RFC 8089 does mention non-local file URLs, but does not specify their behavior in any way. Attempting to resolve file URLs using FTP may be considered a surprising behavior with modern standards in mind.

      This fallback feature may have made sense when it was implemented, but less so today. Opening a network socket when resolving a 'file:' URL may be surprising and makes reasoning about security aspects more difficult.

      Public, anonymous, unencrypted FTP servers are increasingly rare today, and clients needing to resolve files using FTP should be using URLs with the FTP scheme insead or use alternative, more secure network protocols.

      RFC 8089 Section 5 indeed warns that Treating a non-local file URI as local, or otherwise attempting to perform local operations on a non-local URI, can result in security problems.

      Solution

      Disable the FTP fallback feature by default, allowing it to be re-enabled via a system property. When the feature is not explicitly enabled, make the JDK reject opening the URL connection by throwing a MalformedURLException with an appropriate message.

      In the release this change is shipped, include a release note explaining that the feature has been disabled by default, and that it can be re-enabled by configuration.

      The Windows implementation of Handler::openConnection attempts to resolve the file by converting it to a UNC path, then checking if it exists using File::exists. This testing for existing UNC paths happens before the FTP fallback and is therefore unaffected by this proposed change.

      Specification

      A new system property jdk.net.file.ftpfallback is introduced and documented in java/net/doc-files/net-properties.html:

      diff --git a/src/java.base/share/classes/java/net/doc-files/net-properties.html b/src/java.base/share/classes/java/net/doc-files/net-properties.html
index 684c90a8164..4b9b62f1ed8 100644
--- a/src/java.base/share/classes/java/net/doc-files/net-properties.html
+++ b/src/java.base/share/classes/java/net/doc-files/net-properties.html
@@ -169,6 +169,17 @@ <H2>Proxies</H2>
    globally through their user interface). Note that this property is
    checked only once at startup.</P>
 </UL>
+<a id="FileHandler"></a>
+<H2>File URL stream protocol handler properties</H2>
+<P>The following properties are used to configure the handler for URLs with the {@code file://} scheme:</P>
+<UL>
+   <LI><P><B>{@systemProperty jdk.net.file.ftpfallback}</B> (default: &lt;false&gt;)<BR>
+       The {@code file://} handler by default rejects any non-local file URL (as defined by RFC 8089)
+       as invalid. Setting this property to <B>true</B> enables a legacy feature where
+       the handler instead opens an FTP connection for such non-local URLs.</P>
+       <P>Any modern code should use explicit {@code ftp://} URLs instead and not rely on
+           enabling this legacy FTP fallback feature.</P>
+</UL>
 <a id="MiscHTTP"></a>
 <H2>Misc HTTP URL stream protocol handler properties</H2>
 <UL>

      The new property is also documented in release notes.

            eirbjo Eirik Bjørsnøs
            eirbjo Eirik Bjørsnøs
            Daniel Fuchs
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: