[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives

Jaikiran Pai jai.forums2013 at gmail.com
Sat Jul 7 13:35:11 UTC 2018


Hi Matthias,

I am not a reviewer and neither do I have enough knowledge about whether
jar/file _names_ are considered security sensitive. However, the patch
that's proposed for this change prints the file _path_ (and not just
the name). That I believe is security sensitive.

-Jaikiran

On 06/07/18 6:14 PM, Baesken, Matthias wrote:
> Hi Alan,
>
> so it looks like JDK-8204233 added a switch (system property)
> to enable the enhanced socket IOException messages. That would be an
> option as well for 8205525. 8205525 adds the jar file name and the
> line number info to the exception message. In case that only the jar
> file name would be considered sensitive, I would prefer to just
> output the line number (and omit the system property). What do you
> think?
>
> Best regards, Matthias
>
>> -----Original Message-----
>> From: Alan Bateman [mailto:Alan.Bateman at oracle.com]
>> Sent: Monday, 25 June 2018 16:52
>> To: Baesken, Matthias <matthias.baesken at sap.com>; core-libs-dev at openjdk.java.net
>> Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
>> Subject: Re: [RFR] 8205525 : Improve exception messages during manifest parsing of jar archives
>>
>> On 25/06/2018 15:29, Baesken, Matthias wrote:
>>> Hi, do you consider both the file name and line number as sensitive?
>>>> There was a similar discussion on net-dev recently related to
>>>> leaking host names in exceptions. Something similar may be needed here
>>> Do you know the outcome of this discussion?
>> All the details are in JDK-8204233 and the associated CSR.
>> -Alan
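
One way to combine the options discussed in this thread, as an added example that is not part of the thread or of the JDK patch: the line number is always reported, while the jar path is appended to the exception message only when an opt-in system property is set. The property name, the class and the sample manifest and path are hypothetical and constructed for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ManifestErrorDemo {
    // Hypothetical opt-in switch for this example; not a real JDK property name.
    static final String SWITCH = "example.manifest.includeJarPathInExceptions";

    /** Location suffix: the line number always, the jar path only when opted in. */
    static String location(Path jar, int lineNumber) {
        StringBuilder sb = new StringBuilder(" (line " + lineNumber);
        if (jar != null && Boolean.getBoolean(SWITCH)) {
            sb.append(" of ").append(jar.toAbsolutePath());
        }
        return sb.append(')').toString();
    }

    /** Minimal header check: each non-blank, non-continuation line must be "Name: value". */
    static void checkManifest(Path jar, String manifestText) throws IOException {
        BufferedReader reader = new BufferedReader(new StringReader(manifestText));
        String line;
        int n = 0;
        while ((line = reader.readLine()) != null) {
            n++;
            if (line.isEmpty() || line.startsWith(" ")) continue; // section break or continuation
            int colon = line.indexOf(':');
            if (colon <= 0 || colon + 1 >= line.length() || line.charAt(colon + 1) != ' ') {
                // The message may reach logs or remote callers, so the path is gated.
                throw new IOException("invalid header field" + location(jar, n));
            }
        }
    }

    public static void main(String[] args) {
        Path jar = Paths.get("apps", "tenant-a", "plugin.jar"); // constructed sample path
        // Constructed sample manifest: line 2 is missing the ':' separator.
        String manifest = "Manifest-Version: 1.0\nMain-Class com.example.Main\n";
        for (String enabled : new String[] {"false", "true"}) {
            System.setProperty(SWITCH, enabled);
            try {
                checkManifest(jar, manifest);
            } catch (IOException e) {
                System.out.println(SWITCH + "=" + enabled + " -> " + e.getMessage());
            }
        }
    }
}
```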


