On Thu, 15 Aug 2024 20:28:28 GMT, Dhamoder Nalla <dhana...@openjdk.org> wrote:
>> Use the GetTempPath2 APIs instead of the GetTempPath APIs in native code
>> across the OpenJDK repository to retrieve the temporary directory path, as
>> GetTempPath2 provides enhanced security. While GetTempPath may still
>> function without errors, using GetTempPath2 reduces the risk of potential
>> exploits for users.
>>
>>
>> The code to dynamically load GetTempPath2 is duplicated due to the following
>> reasons. I would appreciate any suggestions to remove the duplication where
>> possible:
>>
>> 1. The changes span across four different folders—java.base, jdk.package,
>> jdk.attach, and hotspot—with no shared code between them.
>> 2. Some parts of the code use version A, while others use version W (ANSI
>> vs. Unicode).
>> 3. Some parts of the code are written in C others in C++.
>
> Dhamoder Nalla has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   fix missing code

OK thanks, so the change only affects SYSTEM accounts, and such accounts already see a different temp path to non-SYSTEM accounts.

Newer and older Java versions run by a SYSTEM account will have different temp paths, therefore the hsperfdata_username will be in a different place. (I was being picky about attach, but it's a universal thing which is expected to work across different Java versions.)

Do we have any apps commonly run as a Windows SYSTEM account which expect to attach to other Java apps run by a different Java version? You're suggesting that will have no impact and agreed it would seem really unusual. 8-)

-------------

PR Comment: https://git.openjdk.org/jdk/pull/20600#issuecomment-2343034670