On Fri, 5 Feb 2021 11:50:01 GMT, Jayashree S Kumar <github.com+31532647+jay...@openjdk.org> wrote:
>> Issue
>>
>> https://bugs.openjdk.java.net/browse/JDK-8243376
>>
>> Problem
>>
>> The scenario is:
>> - Some specified target hostname resolves to two IP addresses (always the
>>   same address pair).
>> - The DNS resolved order of the two IP addresses changes (a usual
>>   LoadBalancer type behavior).
>> - The CNAME of the two IP addresses differ.
>>
>> In SocketPermission class (void getIP() method), it internally resolves and
>> saves only the first IP address resolved, not all the IP addresses resolved.
>> - Depending on when the implier/implied SocketPermission hostname is
>>   resolved, the resolved addresses order differs, and the internally saved IP
>>   address mismatches, resulting in SocketPermission#implies() false.
>>
>>
>> Michael McMahon kindly reviewed and suggested changes:
>> https://mail.openjdk.java.net/pipermail/net-dev/2020-May/014001.html
>
> Jayashree S Kumar has updated the pull request incrementally with one
> additional commit since the last revision:
>
>   Code Review: cname made array accounting for multiple cname values

Changes requested by michaelm (Reviewer).

src/java.base/share/classes/java/net/SocketPermission.java line 674:

> 672: }
> 673: } catch (UnknownHostException uhe) {
> 674: invalid = true;

The try() catch{} should be inside the for loop because each lookup failure should be handled independently. If any of them fails then set that cnames entry to null. The check for cname in the match() method needs to check for null and return false in that case. At the end of the loop then check if at least one cname exists. If there are none, then invalid can be set to true.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1916
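
The per-address handling described in the review comment above, as an added example that is not part of the original message or of the JDK patch. `ReverseLookup`, `resolveCnames`, `isInvalid` and the simplified suffix-only `match` are hypothetical names, and the addresses and host names are constructed sample data.

```java
import java.net.UnknownHostException;
import java.util.*;

public class PerAddressCnameDemo {
    /** Hypothetical stand-in for a reverse lookup; not a JDK API. */
    interface ReverseLookup {
        String canonicalName(String ip) throws UnknownHostException;
    }

    /** One lookup per address; a failure nulls only that entry. */
    static String[] resolveCnames(String[] ips, ReverseLookup dns) {
        String[] cnames = new String[ips.length];
        for (int i = 0; i < ips.length; i++) {
            try {
                cnames[i] = dns.canonicalName(ips[i]).toLowerCase(Locale.ROOT);
            } catch (UnknownHostException uhe) {
                cnames[i] = null; // handled independently, the loop continues
            }
        }
        return cnames;
    }

    /** Invalid only when no address produced a cname. */
    static boolean isInvalid(String[] cnames) {
        return Arrays.stream(cnames).allMatch(c -> c == null);
    }

    /** Simplified suffix match (assumption); a null cname never matches. */
    static boolean match(String cname, String suffix) {
        return cname != null && cname.endsWith(suffix);
    }

    public static void main(String[] args) {
        // Constructed sample data: only one of the two addresses has a name.
        Map<String, String> ptr = Map.of("192.0.2.10", "LB-A.example.com");
        ReverseLookup dns = ip -> {
            String name = ptr.get(ip);
            if (name == null) throw new UnknownHostException(ip);
            return name;
        };
        // Same address pair in both DNS orders, as in the reported scenario.
        for (String[] ips : List.of(new String[] {"192.0.2.10", "192.0.2.11"},
                                    new String[] {"192.0.2.11", "192.0.2.10"})) {
            String[] cnames = resolveCnames(ips, dns);
            boolean implied = Arrays.stream(cnames).anyMatch(c -> match(c, ".example.com"));
            System.out.println(Arrays.toString(cnames) + " invalid=" + isInvalid(cnames) + " match=" + implied);
        }
    }
}
```

Both resolution orders give the same match result, and a failed lookup fails closed because its null entry can never satisfy `match`.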