santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sean Mullan <Sean.Mul...@Sun.COM>
Subject Re: 1.4.3 bugzilla triage
Date Fri, 10 Jul 2009 14:15:02 GMT
Colm O hEigeartaigh wrote:
> Here's an updated bugzilla triage for the forthcoming 1.4.3 release.
> Most of the issues mentioned in my previous mail have been fixed. The
> remaining issues are:
> 
> 1. https://issues.apache.org/bugzilla/show_bug.cgi?id=44918
> 
> Some security concerns were raised about the supplied patch. It would be
> nice to fix it I guess, but time's running out...

I'm not satisfied with the proposed patch as it contains a security hole. See 
http://java.sun.com/security/seccodeguide.html#6-0 for more information. It can 
allow untrusted code to control the xmlsec configuration by passing in the name 
of a configFile which will then be opened inside a doPrivileged block. I think 
we should hold off on this until I have more time to think about a better solution.

> 2. "==" versus "equals" problem.
> 
> As I mentioned in one of the comments I have a fix for the problem of
> not being able to specify what ElementChecker implementation to use. The
> problem is that there are many more pointer comparisons in the source
> code, and I don't think there's any point half-fixing the problem. I
> vote that we punt on this issue until after 1.4.3.

Ok with me.

> 3. https://issues.apache.org/bugzilla/show_bug.cgi?id=42239
> 
> There are two patches that need to be applied for this issue. Sean, can
> you have a scan of the patch I supplied, particularly the copyright
> information on top of the Apache License in the ResourceResolver
> implementation (which was adapter from another patch for this issue). I
> think it's ok, but I just want to confirm. If it's ok then I'll commit
> the patches.

I'll take a look and get back to you.

> 4. https://issues.apache.org/bugzilla/show_bug.cgi?id=47459
> 
> I haven't really had time to look at this issue yet. 

Not have I. I will try to have a look later today.

--Sean

Mime
View raw message