11 Jul 2018 11:12 a.m.
On 10/07/2018 10:53, Baesken, Matthias wrote:
Hi Alan, thanks for commenting on this.
Jaikiran mentioned that printing just the jar file name and not the file with path might be okay:
I am not a reviewer and neither do I have enough knowledge about whether jar/file _names_ are considered security sensitive. However, the patch that's proposed for this change prints the file _path_ (and not just the name). That I believe is security sensitive. What do you think?
In the ZipFile API, the "name" may include path information, but if you strip that and include just the file name then it should be okay. A useful way to think about it is the information revealed when an HTTP response serves up a tasty stack trace.

-Alan
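As an added illustration (not the patch under review and not OpenJDK code), the two ways such a message could be built: echoing the ZipFile "name" as given, which may carry the directory layout, versus keeping only the last path element as suggested above. The class, method names and sample path are constructed for this example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.zip.ZipException;

/*
 * Hypothetical helper showing how an archive-related error message can
 * name the offending file without disclosing where on the host it lives.
 */
public final class ZipErrorMessages {

    /** Leaky variant: echoes the full name handed to ZipFile, path included. */
    static ZipException leakyZipException(String zipName, String reason) {
        return new ZipException(reason + ": " + zipName);
    }

    /** Hardened variant: only the file name reaches the message (and any stack trace). */
    static ZipException safeZipException(String zipName, String reason) {
        return new ZipException(reason + ": " + fileNameOnly(zipName));
    }

    /**
     * Strip directory components. Path.getFileName() is null for a root-only
     * path, and Paths.get() rejects names the platform cannot represent.
     */
    static String fileNameOnly(String zipName) {
        try {
            Path file = Paths.get(zipName).getFileName();
            return file == null ? "<unnamed>" : file.toString();
        } catch (InvalidPathException e) {
            return "<invalid name>";
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a name that carries the deployment layout.
        String name = "/srv/app/private/deploy/lib/helper.jar";
        String reason = "error in opening zip file"; // constructed reason text
        System.out.println(leakyZipException(name, reason).getMessage());
        // -> error in opening zip file: /srv/app/private/deploy/lib/helper.jar
        System.out.println(safeZipException(name, reason).getMessage());
        // -> error in opening zip file: helper.jar
    }
}
```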