Hi, I scanned all the changes we did to exception messages in our internal VM, see below. We print paths and sockets in a row of places, but also other information. It's wide spread, while most is in java.base.
We plan to contribute these messages in the near future. Thus it'll be useful if the property can be reused whenever some of this information is rated security relevant. Best regards, Goetz. java/io/FileOutputStream.java java/io/RandomAccessFile.java path java.base/unix/native/libjava/UnixFileSystem_md.c java.base/windows/native/libjava/WinNTFileSystem_md.c path java/util/jar/Manifest.java java/util/jar/Attributes.java path, position in file java/util/Timer.java print the errornous values (delay, period, time) jdk/internal/org/objectweb/asm/MethodWriter.java length of too long bytecode code libverify/check_code.c position of error, errroneous types java.base/share/native/libzip/zip_util.c path to zipped file java.base/share/native/libzip/zlib/inflate.c zip version information java.base/unix/native/libnet/Inet6AddressImpl.c java.base/share/native/libnet/net_util.c java.base/unix/native/libnet/PlainDatagramSocketImpl.c java.base/unix/native/libnet/PlainSocketImpl.c java.base/unix/native/libnet/SocketInputStream.c java.base/unix/native/libnet/SocketOutputStream.c java.base/windows/native/libnet/DualStackPlainDatagramSocketImpl.c java.base/windows/native/libnet/DualStackPlainSocketImpl.c Information about sockets java.base/unix/native/libnio/ch/DatagramChannelImpl.c java.base/unix/native/libnio/ch/DatagramDispatcher.c socket java.base/unix/native/libnio/ch/FileChannelImpl.c size, protection codes of memory, file, java.desktop/unix/native/libawt_xawt/awt/awt_GraphicsEnv.c more detailed information about DISPLAY jdk.httpserver/share/classes/sun/net/httpserver/ServerImpl.java inet address jdk.zipfs/share/classes/jdk/nio/zipfs/ZipFileSystem.java path > -----Original Message----- > From: core-libs-dev [mailto:core-libs-dev-boun...@openjdk.java.net] On > Behalf Of Chris Hegarty > Sent: Freitag, 20. Juli 2018 13:38 > To: core-libs-dev <core-libs-...@openjdk.java.net>; Security Dev OpenJDK > <security-dev@openjdk.java.net> > Subject: RFR [11] 8207846: Generalize the jdk.net.includeInExceptions > security property > > JDK-8204233 added a new security property, `jdk.net.includeInExceptions`, > to include additional, potentially security sensitive, information in > exception detail messages in the networking area. The property accepts a > comma separated list of values that specifies the particular type of > extra detail information to add. > > Since its addition, in JDK 11, further uses have arisen to include > additional, potentially security sensitive, information in exception > detail messages in other areas, namely the java.util.jar APIs. See > JDK-8205525, and http://mail.openjdk.java.net/pipermail/core-libs- > dev/2018-July/054284.html > > Given that this mechanism will likely be used more generally across > different parts of the platform, it seem prudent to rename the property > to be less area-specific, thus allowing for additional argument values > to be specified, like for example `jarPath`. > > The following are the suggested changes to the java.security file: > > $ hg extdiff -p diff -o -C1 src/java.base/share/conf/security/java.security > *** 1062,1074 **** > > # > ! # Enhanced exception message text > # > ! # By default, socket exception messages do not include potentially sensitive > ! # information such as hostnames or port numbers. This property may be set > to one > ! # or more values, separated by commas, and with no white-space. Each > value > ! # represents a category of enhanced information. Currently, the only > category defined > ! # is "hostInfo" which enables more detailed information in the IOExceptions > ! # thrown by java.net.Socket and also the socket types in the > java.nio.channels package. > ! # The setting in this file can be overridden by a system property of the > same > name > ! # and with the same syntax and possible values. > ! #jdk.net.includeInExceptions=hostInfo > --- 1062,1084 ---- > > + > + # > + # Enhanced exception message information > + # > + # By default, several exception messages do not include potentially > sensitive > + # information such as file names, host names, or port numbers. This > property may > + # be used to enable categories of enhanced information in exception > messages. > + # The property accepts one or more comma separated values, each of > which > + # represents a category of enhanced exception message information to > enable. > + # Values are case-insensitive. Leading and trailing whitespaces, surrounding > + # each value, are ignored. Unknown values are ignored. > + # > + # The categories, to enable enhanced exception message information, are: > + # > + # hostInfo - IOExceptions thrown by java.net.Socket and also the socket > types > + # in the java.nio.channels package will contain enhanced > exception > + # message information > # > ! # The property setting in this file can be overridden by a system property > of > ! # the same name, with the same syntax and possible values. > # > ! #jdk.includeInExceptions=hostInfo > > > Full webrev: > http://cr.openjdk.java.net/~chegar/8207846/webrev.00/ > > -Chris. > > P.S. It appears that jtreg does not support quoted system property values > with spaces on the @run line. I’ll file an issue against jtreg for this.
