JDK-8043296

De-privilege DNS name service provider

      Description

      The DNS name service provider is installed in the extension directory and is currently granted AllPermission. A service provider implementation should need SocketPermission and not need AllPermission.

      The prototype to change the permissions for dnsns.jar uncovers a circular problem in networking security: when performing a security check, SocketPermission will first resolve a name to get the IP address. When there is a DNS name service provider without AllPermission, checking the SocketPermission will iterate over each name service provider to get the address (in this case it's the DNSNameService), which triggers another socket permission check. When it used to have AllPermission, the socket permission check took the fast path, and I think this is the first time we are running into this problem, now that we change the permissions for dnsns.jar.

      This is a follow-up to evaluate the permissions required by the DNS name service provider.
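
A toy model of the circular check described in the report, added here as an illustration: it is not JDK code and not part of the original issue, and every class, method and host name in it is hypothetical. It contrasts a provider domain holding AllPermission with one holding only a host-name based socket grant.

```java
import java.util.List;

// Toy model (not JDK code) of the circular check described in this issue.
// All names are hypothetical; requires Java 16+ for records.
public class CircularSocketCheck {
    static final int MAX_DEPTH = 5;      // stop the demo before a StackOverflowError
    static int depth = 0, maxSeen = 0;

    // Stand-in for a protection domain: either AllPermission, or socket grants
    // named by host that must be resolved before they can be compared.
    record Domain(boolean allPermission, List<String> grantedHosts) {}

    // Stand-in for the DNS provider: contacting its server triggers a connect
    // check against the provider's own domain.
    static String resolve(String host, Domain provider) {
        checkConnect("dns-server.example", provider);  // constructed host name
        return "192.0.2.1";                             // constructed address
    }

    // Stand-in for the socket permission check: host names are resolved to IP
    // addresses first, which calls back into the provider.
    static boolean checkConnect(String target, Domain d) {
        if (d.allPermission()) return true;             // fast path, no resolution
        depth++;
        maxSeen = Math.max(maxSeen, depth);
        try {
            if (depth >= MAX_DEPTH)
                throw new IllegalStateException("circular permission check");
            for (String granted : d.grantedHosts())
                if (resolve(granted, d).equals(resolve(target, d))) return true;
            return false;
        } finally {
            depth--;
        }
    }

    public static void main(String[] args) {
        Domain privileged = new Domain(true, List.of());
        System.out.println("AllPermission: " + checkConnect("host.example", privileged)
                + ", nested checks: " + maxSeen);
        Domain deprivileged = new Domain(false, List.of("dns-server.example"));
        try {
            checkConnect("host.example", deprivileged);
        } catch (IllegalStateException e) {
            System.out.println("SocketPermission only: " + e.getMessage()
                    + ", nested checks: " + maxSeen);
        }
    }
}
```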

              People

              Assignee:
              chegar Chris Hegarty
              Reporter:
              mchung Mandy Chung