On Fri, 24 Sep 2021 19:49:14 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> This code change removes weak etypes from the default list so it's safer to
>> enable one of them. See the corresponding CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW,
>> please review the CSR as well.
>
> src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java
> line 242:
>
>> 240:     // used in Config
>> 241:     public static int[] getBuiltInDefaults() {
>> 242:         return defaultETypes;
>
> It might be safer to return a clone here since it is mutable. The previous
> code always returned a new array. This array gets passed back to calling code
> via Etype.getDefaults(), returning a clone would prevent the configured value
> from being accidentally modified.

OK.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5654
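
The aliasing concern raised in the review comment above, as an added example that is not part of the original thread or the JDK source: a getter that hands out its internal array lets one caller's in-place sort change the etype preference order for every later caller, while a cloned return does not. The class name, the `Shared`/`Cloned` getter variants, `callerSortsForDisplay` and the etype list are constructed for illustration.

```java
import java.util.Arrays;

public class ETypeDefaultsDemo {
    // Constructed sample list in preference order (IANA Kerberos etype numbers):
    // 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96,
    // 20 = aes256-cts-hmac-sha384-192, 19 = aes128-cts-hmac-sha256-128.
    private static final int[] DEFAULTS = {18, 17, 20, 19};
    private static int[] defaultETypes = DEFAULTS.clone();

    // Returns the internal array itself: every caller shares one mutable object.
    static int[] getBuiltInDefaultsShared() {
        return defaultETypes;
    }

    // Returns a copy: callers can change their array without touching ours.
    static int[] getBuiltInDefaultsCloned() {
        return defaultETypes.clone();
    }

    // Hypothetical caller that sorts "its" list in place, e.g. for display.
    static void callerSortsForDisplay(int[] etypes) {
        Arrays.sort(etypes);
    }

    // True when the internal list no longer matches the intended defaults.
    static boolean defaultsChanged() {
        return !Arrays.equals(defaultETypes, DEFAULTS);
    }

    public static void main(String[] args) {
        // Shared reference: the sort reorders the internal array as well,
        // so the preference order changes for every later caller.
        callerSortsForDisplay(getBuiltInDefaultsShared());
        System.out.println("shared: " + Arrays.toString(defaultETypes)
                + " changed=" + defaultsChanged());

        defaultETypes = DEFAULTS.clone(); // reset for the second case

        // Cloned return: the caller sorts its own copy only.
        callerSortsForDisplay(getBuiltInDefaultsCloned());
        System.out.println("cloned: " + Arrays.toString(defaultETypes)
                + " changed=" + defaultsChanged());
    }
}
```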