[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives

Baesken, Matthias matthias.baesken at sap.com
Tue Jul 10 09:53:12 UTC 2018


Hi Alan, thanks for commenting on this.

Jaikiran mentioned that printing just the jar file name and not the file with path might be okay:

> I am not a reviewer and neither do I have enough knowledge about whether 
> jar/file _names_ are considered security sensitive. However, the patch 
> that's proposed for this change, prints the file _path_ (and not just 
> the name). That I believe is security sensitive.

What do you think?

Best regards, Matthias


> -----Original Message-----
> From: Alan Bateman [mailto:Alan.Bateman at oracle.com]
> Sent: Sunday, 8 July 2018 09:36
> To: Baesken, Matthias <matthias.baesken at sap.com>; core-libs-dev at openjdk.java.net
> Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> Subject: Re: [RFR] 8205525 : Improve exception messages during manifest
> parsing of jar archives
> 
> On 06/07/2018 13:44, Baesken, Matthias wrote:
> > Hi Alan, so it looks like JDK-8204233 added a switch (system property) to
> > enable the enhanced socket IOException messages.
> >
> > That would be an option as well for 8205525.
> Yes, it's documented in conf/security/java.security and something
> equivalent could be done here. The giveaway in your original patch is
> that it needed a privileged block to create the exception message.
> 
> >
> > 8205525 adds the jar file name and the line number info to the
> > exception message.
> >
> > In case that only the jar file name would be considered sensitive, I would
> > prefer to just output the line number (and omit the system property).
> >
> That should be okay (I can't think of any concerns).
> 
> -Alan

