Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8259801: Enable XML Signature secure validation mode by default #2197

Closed
wants to merge 3 commits into from

Conversation

@seanjmullan
Copy link
Member

@seanjmullan seanjmullan commented Jan 22, 2021

This change enables the XML Signature secure validation mode by default. This will improve out of the box security by restricting signatures that contain potentially unsafe content by default.

Please also review the CSR: https://bugs.openjdk.java.net/browse/JDK-8260154


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8259801: Enable XML Signature secure validation mode by default

Reviewers

Download

$ git fetch https://git.openjdk.java.net/jdk pull/2197/head:pull/2197
$ git checkout pull/2197

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented Jan 22, 2021

👋 Welcome back mullan! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr label Jan 22, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Jan 22, 2021

@seanjmullan The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security label Jan 22, 2021
@seanjmullan
Copy link
Member Author

@seanjmullan seanjmullan commented Jan 22, 2021

/csr

@openjdk openjdk bot added the csr label Jan 22, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Jan 22, 2021

@seanjmullan this pull request will not be integrated until the CSR request JDK-8260154 for issue JDK-8259801 has been approved.

@seanjmullan
Copy link
Member Author

@seanjmullan seanjmullan commented Jan 22, 2021

/assignee mullan

@openjdk
Copy link

@openjdk openjdk bot commented Jan 22, 2021

@seanjmullan Unknown command assignee - for a list of valid commands use /help.

@seanjmullan
Copy link
Member Author

@seanjmullan seanjmullan commented Jan 22, 2021

/assignee seanjmullan

@openjdk
Copy link

@openjdk openjdk bot commented Jan 22, 2021

@seanjmullan Unknown command assignee - for a list of valid commands use /help.

@seanjmullan
Copy link
Member Author

@seanjmullan seanjmullan commented Jan 22, 2021

/help

@openjdk
Copy link

@openjdk openjdk bot commented Jan 22, 2021

@seanjmullan Available commands:

  • cc - add or remove an additional classification label
  • contributor - adds or removes additional contributors for a PR
  • covered - used when employer has signed the OCA
  • csr - require a compatibility and specification request (CSR) for this pull request
  • help - shows this text
  • integrate - performs integration of the changes in the PR
  • issue - edit the list of issues that this PR solves
  • label - add or remove an additional classification label
  • reviewer - manage additional reviewers for a PR
  • reviewers - set the number of additional required reviewers for this PR
  • signed - used after signing the OCA
  • solves - edit the list of issues that this PR solves
  • sponsor - performs integration of a PR that is authored by a non-committer
  • summary - updates the summary in the commit message
  • test - used to run tests

@mlbridge
Copy link

@mlbridge mlbridge bot commented Jan 22, 2021

Webrevs

@openjdk openjdk bot removed the csr label Jan 27, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Jan 27, 2021

@seanjmullan This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8259801: Enable XML Signature secure validation mode by default

Reviewed-by: weijun, rhalade

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 20 new commits pushed to the master branch:

  • 20e7df5: 8260466: Test TestHeapDumpOnOutOfMemoryError.java needs multiple @test sections
  • 11d6467: 8260407: cmp != __null && cmp->Opcode() == Op_CmpL failure with -XX:StressLongCountedLoop=200000000 in lucene
  • d07af2b: 8255531: MethodHandles::permuteArguments throws NPE when duplicating dropped arguments
  • a68c6c2: 8260579: PPC64 and S390 builds failures after JDK-8260467
  • 8752257: 8260502: [s390] NativeMovRegMem::verify() fails because it's too strict
  • 8fe1323: 8260520: Avoid getting permissions in JarFileFactory when no SecurityManager installed
  • ecde52e: 8260506: VersionHelper cleanup
  • a97aedf: 8256215: Shenandoah: re-organize saving/restoring machine state in assembler code
  • 316d52c: 8260497: Shenandoah: Improve SATB flushing
  • 11a70d1: 8260426: awt debug_mem.c DMem_AllocateBlock might leak memory
  • ... and 10 more: https://git.openjdk.java.net/jdk/compare/0eed2c3312fbb5e06bb9c41b4d210790bd1822a4...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready label Jan 27, 2021
@seanjmullan
Copy link
Member Author

@seanjmullan seanjmullan commented Jan 28, 2021

/integrate

@openjdk openjdk bot closed this Jan 28, 2021
@openjdk openjdk bot added integrated and removed ready rfr labels Jan 28, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Jan 28, 2021

@seanjmullan Since your change was applied there have been 20 commits pushed to the master branch:

  • 20e7df5: 8260466: Test TestHeapDumpOnOutOfMemoryError.java needs multiple @test sections
  • 11d6467: 8260407: cmp != __null && cmp->Opcode() == Op_CmpL failure with -XX:StressLongCountedLoop=200000000 in lucene
  • d07af2b: 8255531: MethodHandles::permuteArguments throws NPE when duplicating dropped arguments
  • a68c6c2: 8260579: PPC64 and S390 builds failures after JDK-8260467
  • 8752257: 8260502: [s390] NativeMovRegMem::verify() fails because it's too strict
  • 8fe1323: 8260520: Avoid getting permissions in JarFileFactory when no SecurityManager installed
  • ecde52e: 8260506: VersionHelper cleanup
  • a97aedf: 8256215: Shenandoah: re-organize saving/restoring machine state in assembler code
  • 316d52c: 8260497: Shenandoah: Improve SATB flushing
  • 11a70d1: 8260426: awt debug_mem.c DMem_AllocateBlock might leak memory
  • ... and 10 more: https://git.openjdk.java.net/jdk/compare/0eed2c3312fbb5e06bb9c41b4d210790bd1822a4...master

Your commit was automatically rebased without conflicts.

Pushed as commit baf46ba.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants