-
Bug
-
Resolution: Unresolved
-
P4
-
None
-
8, 25
-
generic
-
generic
A DESCRIPTION OF THE PROBLEM :
The java.security.CodeSource.implies(CodeSource) method incorrectly returns false when the implying CodeSource has a URL with a wildcard host (e.g., *.example.com) and the implied CodeSource has a specific host (e.g., www.example.com), even though the specific host falls under the wildcard. This seems to occur because the specific host's name gets resolved to an IP address during the SocketPermission comparison, preventing a successful endsWith check against the wildcard host.
---------- BEGIN SOURCE ----------
import java.security.CodeSource;
import java.net.URL;

public class TestWildcardHost {
    public static void main(String[] args) throws Exception {
        // Implying location uses a wildcard host; implied location is a specific host under it.
        URL thisURL = new URL("http", "*.example.com", "/file");
        URL thatURL = new URL("http", "www.example.com", "/file");
        System.out.println(thisURL);
        System.out.println(thatURL);

        // No certificates, so only the location part of implies() is exercised.
        CodeSource thisCs = new CodeSource(thisURL, (java.security.cert.Certificate[]) null);
        CodeSource thatCs = new CodeSource(thatURL, (java.security.cert.Certificate[]) null);

        boolean result = thisCs.implies(thatCs); // expect true
        if (!result) {
            throw new RuntimeException("*.example.com can't implies www.example.com");
        }
    }
}
---------- END SOURCE ----------
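To narrow down which layer produces the mismatch described above, the following added example (not part of the original report and not JDK code) runs the same host pair through three checks. The `wildcardMatches` helper and the class name are hypothetical, and using the `"resolve"` action for the SocketPermission step is an assumption about what the comparison uses.

```java
import java.net.SocketPermission;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.util.Locale;

public class WildcardHostDiagnosis {

    // Hypothetical helper (not JDK code): DNS-free check that `host` lies
    // under a "*.suffix" pattern; exact, case-insensitive match otherwise.
    static boolean wildcardMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        String suffix = p.substring(1);            // ".example.com"
        // Require at least one label in front of the suffix.
        return h.length() > suffix.length() && h.endsWith(suffix);
    }

    @SuppressWarnings("deprecation")               // URL constructors, as in the report
    public static void main(String[] args) throws Exception {
        String pattern = "*.example.com";          // hosts taken from the report
        String host = "www.example.com";

        // Layer 1: plain string comparison, no name resolution involved.
        System.out.println("string suffix check   : " + wildcardMatches(pattern, host));

        // Layer 2: the SocketPermission comparison the report points at
        // ("resolve" action is an assumption, see lead-in).
        SocketPermission wild = new SocketPermission(pattern, "resolve");
        SocketPermission specific = new SocketPermission(host, "resolve");
        System.out.println("SocketPermission      : " + wild.implies(specific));

        // Layer 3: the CodeSource call from the report's reproducer.
        CodeSource thisCs = new CodeSource(new URL("http", pattern, "/file"), (Certificate[]) null);
        CodeSource thatCs = new CodeSource(new URL("http", host, "/file"), (Certificate[]) null);
        System.out.println("CodeSource.implies    : " + thisCs.implies(thatCs));
    }
}
```

If layer 1 prints true while layers 2 and 3 disagree with it, the mismatch sits in the permission comparison rather than in the host strings themselves.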
- links to
-
Review(master) openjdk/jdk/25991