On Thu, 4 Dec 2025 17:32:47 GMT, Weijun Wang <[email protected]> wrote:
>> Hi @wangweij, indeed is a fair and interesting point of view! >> >> I like the idea of not doing any resolution at all to get rid of the >> possible problems. But let me do a similar test with some other programs >> supporting include directives in their configuration files (such as >> [OpenSSL](https://www.openssl.org/docs/man1.1.1/man5/config.html#:~:text=Other%20files%20can,ignore%20the%20include%2e), >> >> [OpenSSH](https://man7.org/linux/man-pages/man5/ssh_config.5.html#Include:~:text=it%2e-,Include,inclusion%2e), >> [Git](https://git-scm.com/docs/git-config#_includes) and [Apache HTTP >> Server](https://httpd.apache.org/docs/2.4/mod/core.html#include)), to >> collect more real world examples (beyond C includes which you already >> tested). >> >> Regarding the backward compatibility, this is not the main use case, and if >> we could back-port that to 25 in the future, we would get the same behavior >> in all the supported JDKs shipping >> [JDK-8319332](https://bugs.openjdk.org/browse/JDK-8319332 "Security >> properties files inclusion") (as 24 reached end of support). >> >> Would you think that such a change requires a CSR? If that's the case I >> would support the change but in a separate enhancement, so we can get this >> bug fixed in 26. > > Yes, it's good to see how this behaves on other programs, especially in > configuration files. I know `krb5.conf` also supports it but it requires the > included file having an absolute path. > >> Would you think that such a change requires a CSR? > > Maybe not. I see nowhere in its description in `java.security` talking about > relative path resolution, so you have no specification to update. > > A release note is enough, IMO. Git behaves as C, it doesn't resolve symlinks: # Backup user's config and prepare git config files mv ~/.gitconfig{,.bak} cat >/tmp/main.config <<'EOF' [include] path = included.config EOF cat >/tmp/included.config <<'EOF' [section] key = "/tmp/included.config was included" EOF cat >~/included.config <<'EOF' [section] key = "~/included.config was included" EOF # Link ~/.gitconfig -> /tmp/main.config ln -s /tmp/main.config ~/.gitconfig # Check which file is included (ensure CWD is anything else) git -C / config section.key # Cleanup and restore user's config rm ~/.gitconfig ~/included.config /tmp/included.config /tmp/main.config mv ~/.gitconfig{.bak,} Output: ~/included.config was included ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/24465#discussion_r2593849381
