On Wed, 9 Mar 2022 14:23:24 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> Michael McMahon has updated the pull request incrementally with two
>> additional commits since the last revision:
>>
>> - update
>> - update after first review round
>
> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
> line 99:
>
>> 97: // A net property which overrides the disabled set above.
>> 98: private static final String enabledAlgPropName =
>> 99: "http.auth.digest.enabledAlgorithms";
>
> I'm not familiar with the practice of overriding a security property with a
> net property. Just FYI, in security libs, we often override a security
> property with a system property and we have a dedicated method for this at
> https://github.com/openjdk/jdk/blob/6765f902505fbdd02f25b599f942437cd805cad1/src/java.base/share/classes/sun/security/util/SecurityProperties.java#L46.

A net property can be a system property. But, it can also be specified in the net.properties file. We're using different names for the security and net property as the security property specifies algorithms to be disabled and the net property ones to be (re)enabled.

> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java
> line 232:
>
>> 230: ? StandardCharsets.UTF_8
>> 231: : StandardCharsets.ISO_8859_1;
>> 232: }
>
> Do you want to reject other values? According to the RFC, `utf-8` is the only
> valid one.

You mean reject the whole response as a protocol error? I guess we probably should do that.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7688
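The two decisions discussed in this thread, sketched as an added example that is not code from the JDK or from the pull request: a disabled-algorithm list narrowed by a re-enabling property, and a `charset` parameter check that rejects any value other than `UTF-8`. The class name, helper names and sample lists are assumptions; only the property name `http.auth.digest.enabledAlgorithms` and the UTF-8/ISO-8859-1 choice come from the quoted code.

```java
import java.net.ProtocolException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical sketch; not the DigestAuthentication implementation.
public class DigestPolicySketch {
    // Parse a comma-separated algorithm list into a case-insensitive set.
    static Set<String> parse(String list) {
        Set<String> out = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        if (list != null) {
            Arrays.stream(list.split(","))
                  .map(String::trim)
                  .filter(s -> !s.isEmpty())
                  .forEach(out::add);
        }
        return out;
    }

    // Effective deny list: the disabled set minus whatever was re-enabled.
    static Set<String> effectiveDisabled(String disabled, String reEnabled) {
        Set<String> out = parse(disabled);
        out.removeAll(parse(reEnabled));
        return out;
    }

    // Absent charset parameter: ISO-8859-1. "UTF-8" (any case): UTF-8.
    // Anything else is treated as a protocol error, as suggested in the review.
    static Charset challengeCharset(String param) throws ProtocolException {
        if (param == null) return StandardCharsets.ISO_8859_1;
        if (param.equalsIgnoreCase("UTF-8")) return StandardCharsets.UTF_8;
        throw new ProtocolException("Unsupported digest charset: " + param);
    }

    public static void main(String[] args) {
        // Constructed values. In the thread the first list comes from a security
        // property and the second from the net property (system property or net.properties).
        String disabled = "MD5, SHA-1";
        String reEnabled = System.getProperty("http.auth.digest.enabledAlgorithms", "md5");
        System.out.println("still disabled: " + effectiveDisabled(disabled, reEnabled));
        for (String cs : new String[] { null, "utf-8", "ISO-8859-15" }) {
            try {
                System.out.println(cs + " -> " + challengeCharset(cs));
            } catch (ProtocolException e) {
                System.out.println(cs + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```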