On Fri, 5 Dec 2025 22:34:26 GMT, Francisco Ferrari Bihurriet <[email protected]> wrote:
>> Apache HTTP Server [resolves against the defined `ServerRoot` >> directory](https://httpd.apache.org/docs/current/mod/core.html#include:~:text=Or%2C%20providing%20paths,conf/vhosts/*.conf): >>> Or, providing paths relative to your >>> [`ServerRoot`](https://httpd.apache.org/docs/current/mod/core.html#serverroot) >>> directory: >>> >>> Include conf/ssl.conf >>> Include conf/vhosts/*.conf > > I have pushed the changes to proceed without resolution > (9f298af59431507a66e3141c54abb59fcf3666f6, > 2a012397baf0599e7dbe209975b3b353c3de5617, > 1178544bda12bb4a6cd4d4400dad618292f29151, > c33bf62c2831acefd90ec476fcfb6d853be873ee). > > Since we are no longer resolving paths, we can incur in some relative paths > complexity, which is perhaps not very friendly in debug message logs. Each > relative include can potentially introduce some `../`, which will accumulate > if paths are not resolved. > > So we can end with paths like the following one: > > /basedir/jdk/conf/security/../../../properties/dir1/../../jdk/conf/security/other.properties > > > Which could be simply logged as: > > /basedir/jdk/conf/security/other.properties > > > So even when I already adjusted the test case, is perhaps better to undo the > test changes and try to beautify the paths in debugging messages (but with > `LinkOption.NOFOLLOW_LINKS`, to avoid confusion): > > diff --git a/src/java.base/share/classes/java/security/Security.java > b/src/java.base/share/classes/java/security/Security.java > index 36021f42862..533072b0d08 100644 > --- a/src/java.base/share/classes/java/security/Security.java > +++ b/src/java.base/share/classes/java/security/Security.java 
> @@ -311,8 +311,13 @@ private static void loadFromUrl(URL url, LoadingMode > mode) > private static void debugLoad(boolean start, Object source) { > if (sdebug != null) { > + if (source instanceof Path path) { > + try { > + source = path.toRealPath(LinkOption.NOFOLLOW_LINKS); > + } catch (IOException ignore) {} > + } > int level = activePaths.isEmpty() ? 1 : activePaths.size(); > sdebug.println((start ? > ">".repeat(level) + " starting to process " : > "<".repeat(level) + " finished processing ") + > source); > } > } > > > > NOTE: even with `LinkOption.NOFOLLOW_LINKS`, `path.toRealPath()` fails for > the problematic cases, so it would be just a best effort to make the paths > clearer for the user. > > What do you think? I thought `normalize` will remove those `..` inside? ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/24465#discussion_r2595863996
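
Review bot: In the `debugLoad` hunk, `} catch (IOException ignore) {}` around `path.toRealPath(LinkOption.NOFOLLOW_LINKS)` means the debug line silently falls back to the unresolved `../` form when the file is missing or unreadable. That is the case where a reader of the log most needs a clear path, and the NOTE under the patch already says the call fails for the problematic cases. `toRealPath` also touches the filesystem on every `debugLoad` call, which is a lot for a log message. If the goal is only readability, a purely lexical `path.normalize()` cannot throw, but it can name a different file when a component preceding a `..` is a symbolic link. To keep the log unambiguous, consider printing the path as given and adding the cleaned form next to it only when the two differ. Whichever form is chosen, add a short comment in the method saying that the rewritten path is cosmetic and is not the path used for loading.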
