RFR: 8345431: Detect duplicate entries in jar files with jar --validate

[Henry Jen]

On Fri, 4 Apr 2025 12:39:47 GMT, Lance Andersen <lancea at openjdk.org> wrote:

>> This PR check the jar file to ensure entries are consistent from the central directory and local file header. Also check there is no duplicate entry names that could override the desired content by accident.
>
> src/jdk.jartool/share/classes/sun/tools/jar/Validator.java line 99:
> 
>> 97:                 if (!entryNames.contains(entryName)) {
>> 98:                     missingEntryNames.add(entryName);
>> 99:                 }
> 
> It looks like you are checking to see if the LOC entry contains within the CEN but I don't see if you are checking if the CEN entry is contained in the LOC
> 
> Another facet of validation is to compare the ordering of entries between the LOC and CEN

Is the ordering required by ZIP or Jar format? We can certainly do that if that's under spec and not an implementation detail.

> src/jdk.jartool/share/classes/sun/tools/jar/resources/jar.properties line 147:
> 
>> 145:         in incompatible public interfaces
>> 146: warn.validator.duplicate.entry=\
>> 147:         Warning: More than one copy of {0} is detected
> 
> How do we know if the duplicate entry is in the CEN or LOC?

I can add more specific message if that's preferred. I am not expecting user/developer to know about file format details.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24430#discussion_r2029080880
PR Review Comment: https://git.openjdk.org/jdk/pull/24430#discussion_r2029083361