On Thu, 2 Nov 2023 22:20:02 GMT, Martin Balao <mba...@openjdk.org> wrote:

>> src/java.base/share/classes/java/security/Security.java line 243:
>> 
>>> 241:             if (connection instanceof FileURLConnection fileConnection) {
>>> 242:                 // A local file URL can be interpreted as a Path
>>> 243:                 loadFromPath(fileConnection.getFile().toPath(), mode);
>> 
>> Ugh, shouldn't be directly using FileURLConnection here. Instead I think you 
>> should check if the url scheme is "file" (equalsIgnoreCase). If it is then 
>> use `Path.of(url.toURI())`.
>
> Checking for _file_ in the URL scheme is not conclusive evidence that there 
> is a local file path behind. I'll give a couple of examples. In Unix/Linux 
> platforms, a URL of the form `file://example.com/path/to/some/file.txt` is 
> processed with a remote FTP request (see Unix 
> `sun.net.www.protocol.file.Handler`). In Windows, file URLs may be 
> interpreted as UNCs but, if not possible, there is an FTP fallback (see 
> Windows `sun.net.www.protocol.file.Handler`). While checking the host name in 
> the URL is possible, there are three types of drawbacks: 1) a DNS query 
> during the Security class initialization process should be avoided, 2) 
> looking for hardcoded host names such as _localhost_ might lead to false 
> negatives (i.e. a host is considered remote when it is not), and 3) there 
> will be platform-specific and duplicated logic to deal with UNC file URLs. In 
> addition, OpenJDK supports ill-formed relative path file URLs such as 
> `file:some/relative/path`. In these cases, there is not a host name but 
> there is a local file path underneath (relative to the current working 
> directory). We did not find normative elements in 
> [RFC 8089](https://www.rfc-editor.org/rfc/rfc8089) for all previously 
> described behaviors, that would have been helpful for a URL-based check. 
> Misinterpreting a file URL as remote will unnecessarily block the 
> possibility of relative path includes.
> 
> We think that `FileURLConnection` is the most accurate indicator of a local 
> file path because it includes the decision logic that is specific to OpenJDK 
> and varies depending on the platform.

> Checking for file in the URL scheme is not conclusive evidence that there is 
> a local file path behind. I'll give a couple of examples.

With NFS and other remote file systems then you can never tell either. 
Some of us have been wanting the ftp fallback to go away, it comes up every few 
years.

My concern is creating dependency on a protocol handler implementation, we 
should make sure that all other options are explored before going there.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1381179403
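
The file URL forms discussed in this exchange, as an added example that is not part of the thread or of the JDK change: it describes each form using `java.net.URI` syntax only (no DNS lookup, no I/O) and then tries the suggested `Path.of` conversion on a `URI` directly. The class name, the helper names and the third sample URL are assumptions made for illustration; the result of the `Path.of` step can differ by platform.

```java
import java.net.URI;
import java.nio.file.FileSystemNotFoundException;
import java.nio.file.Path;
import java.util.List;

public class FileUrlForms {
    // Hypothetical helper: describes a URI from its syntax alone.
    static String classify(URI uri) {
        if (!"file".equalsIgnoreCase(uri.getScheme())) {
            return "not a file URL";
        }
        if (uri.isOpaque()) {
            // e.g. file:some/relative/path has no host and no hierarchical path
            return "opaque (relative form): " + uri.getSchemeSpecificPart();
        }
        String authority = uri.getAuthority();
        if (authority != null && !authority.isEmpty()) {
            // A host is present, so the scheme alone does not prove a local file
            return "has authority '" + authority + "', path: " + uri.getPath();
        }
        return "no authority, path: " + uri.getPath();
    }

    // Hypothetical helper: what a Path.of(URI) conversion does with the same input.
    static String toPath(URI uri) {
        try {
            return "Path " + Path.of(uri);
        } catch (IllegalArgumentException | FileSystemNotFoundException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed samples; the first two are the forms quoted in the thread.
        List<String> samples = List.of(
            "file://example.com/path/to/some/file.txt",
            "file:some/relative/path",
            "file:///path/to/some/file.txt");
        for (String s : samples) {
            URI uri = URI.create(s);
            System.out.println(s);
            System.out.println("  syntax:  " + classify(uri));
            System.out.println("  Path.of: " + toPath(uri));
        }
    }
}
```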
