Bug ID: JDK-6243826 Use of File.toURL in com/sun/security/auth/PolicyFile.java

Type: Bug
Component: security-libs
Sub-Component: java.security
Affected Version: 6

Priority: P4
Status: Closed
Resolution: Won't Fix
OS: generic
CPU: generic

Submitted: 2005-03-21
Updated: 2012-01-11
Resolved: 2005-03-22

The following class use File.toURL:

  com/sun/security/auth/PolicyFile.java

Be advised that as of JDK1.4, java.io.File.toURL is effectively deprecated. It is known to not handle special characters correctly, e.g. "/tmp/a#b" becomes "file:/tmp/a#b" which is incorrect (the '#' should have been escaped); some filenames can produce illegal URLs.  Bug 6179468 requests that the method be officially deprecated for Mustang.

In past releases, we've tried to "fix" File.toURL (see 4273532) and have reverted to the present behaviour because of insurmountable compatibility issues.  That bug was finally closed "will not fix" after several attemtps to fix it.  We do not expect to change the present behaviour of File.toURL.  

Please review the use of this method in your code.  Regardless of whether File.toURL is deprecated, it is possible that there may be a latent bug your class.  If you always expect this call to return a valid URL, then the recommended practice is to use File.toURI().toURL().  

If you have any questions, please feel free to contact me.

Thanks,

###@###.### 2005-03-21 21:21:39 GMT

EVALUATION yes, thanks we are aware of the toURL issue and have already fixed the relevant code inside of sun.security.provider.PolicyFile. com.sun.security.auth.PolicyFile has been deprecated since 1.4. we have not been maintaining this code since users hopefully have migrated to sun.security.provider.PolicyFile. so we will not fix this at this point in time. ###@###.### 2005-03-22 21:38:26 GMT

21-03-2005

Relates :	JDK-6179468 - (spec) File.toURL should be @deprecated
Relates :	JDK-4273532 - toURL() method in File class needs to escape excluded URL characters