[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives
Baesken, Matthias
matthias.baesken at sap.com
Tue Jul 10 09:53:12 UTC 2018
Hi Alan, thanks for commenting on this.
Jaikiran mentioned that printing just the jar file name and not file with path might be okay:
> I am not a reviewer and neither do I have enough knowledge about whether
> jar/file _names_ are considered security sensitive. However, the patch
> that's proposed for this change, prints the file _path_ (and not just
> the name). That I believe is security sensitive.
What do you think?
Best regards, Matthias
> -----Original Message-----
> From: Alan Bateman [mailto:Alan.Bateman at oracle.com]
> Sent: Sunday, 8 July 2018 09:36
> To: Baesken, Matthias <matthias.baesken at sap.com>; core-libs-dev at openjdk.java.net
> Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> Subject: Re: [RFR] 8205525 : Improve exception messages during manifest
> parsing of jar archives
>
> On 06/07/2018 13:44, Baesken, Matthias wrote:
> > Hi Alan, so it looks like JDK-8204233 added a switch (system property) to
> > enable the enhanced socket IOException messages.
> >
> > That would be an option as well for 8205525.
> Yes, it's documented in conf/security/java.security and something
> equivalent could be done here. The giveaway in your original patch is
> that it needed a privileged block to create the exception message.
>
> >
> > 8205525 adds the jar file name and the line number info to the
> > exception message.
> >
> > In case that only the jar file name would be considered sensitive, I would
> > prefer to just output the line number (and omit the system property).
> >
> That should be okay (I can't think of any concerns).
>
> -Alan
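
The opt-in approach discussed in this thread, as an added example that is not part of the original mail or of the JDK patch: the line number always appears in the exception message, while the jar path appears only when a security property enables it. `jdk.includeInExceptions` is the property the JDK documents in conf/security/java.security; the category name `jarDetails`, the class and method names, and the sample manifest and path are assumptions of this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.security.Security;
import java.util.Arrays;

public class ManifestErrorDemo {
    // Opt-in switch read from the security properties (conf/security/java.security).
    // The category name "jarDetails" is an assumption of this example.
    static boolean jarDetailsEnabled() {
        String v = Security.getProperty("jdk.includeInExceptions");
        return v != null && Arrays.stream(v.split(","))
                .map(String::trim).anyMatch("jarDetails"::equals);
    }

    // The line number is always included; the jar location only when opted in.
    static String message(String problem, String jarPath, int lineNo) {
        String where = jarDetailsEnabled() ? "manifest of " + jarPath + ":" + lineNo
                                           : "manifest line " + lineNo;
        return problem + " (" + where + ")";
    }

    // Minimal header check: each non-blank, non-continuation line needs "Name: value".
    static void check(String manifestText, String jarPath) throws IOException {
        BufferedReader r = new BufferedReader(new StringReader(manifestText));
        String line;
        int lineNo = 0;
        while ((line = r.readLine()) != null) {
            lineNo++;
            if (line.isEmpty() || line.startsWith(" ")) continue;
            if (!line.contains(": ")) {
                throw new IOException(message("invalid header field", jarPath, lineNo));
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: line 3 is malformed (missing colon).
        String mf = "Manifest-Version: 1.0\nCreated-By: demo\nMain-Class com.example.App\n";
        String jar = "/home/alice/private/app.jar";   // constructed path
        for (String setting : new String[] {"hostInfo", "hostInfo,jarDetails"}) {
            Security.setProperty("jdk.includeInExceptions", setting);
            try {
                check(mf, jar);
            } catch (IOException e) {
                System.out.println(setting + " -> " + e.getMessage());
            }
        }
    }
}
```

With the default-style setting the message carries only `manifest line 3`; the path shows up only after the property lists the extra category, so code that surfaces exception text to untrusted callers does not leak file-system layout unless an administrator chose that.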