Hi Alan, thanks for commenting on this. Jaikiran mentioned that printing just the jar file name and not file with path might be okay:

> I am not a reviewer and neither do I have enough knowledge about whether jar/file _names_ are considered security sensitive. However, the patch that's proposed for this change, prints the file _path_ (and not just the name). That I believe is security sensitive.

What do you think?

Best regards, Matthias

-----Original Message-----
From: Alan Bateman [mailto:Alan.Bateman@oracle.com]
Sent: Sunday, 8 July 2018 09:36
To: Baesken, Matthias <matthias.baesken@sap.com>; core-libs-dev@openjdk.java.net
Cc: Lindenmaier, Goetz <goetz.lindenmaier@sap.com>
Subject: Re: [RFR] 8205525 : Improve exception messages during manifest parsing of jar archives

On 06/07/2018 13:44, Baesken, Matthias wrote:
> Hi Alan, so it looks like JDK-8204233 added a switch (system property) to enable the enhanced socket IOException messages.
> That would be an option as well for 8205525.

Yes, it's documented in conf/security/java.security and something equivalent could be done here. The giveaway in your original patch is that it needed a privileged block to create the exception message.

> 8205525 adds the jar file name and the line number info to the
> exception message.
> In case that only the jar file name would be considered sensitive, I would
> prefer to just output the line number (and omit the system property).

That should be okay (I can't think of any concerns).

-Alan