[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives
Alan Bateman
Alan.Bateman at oracle.com
Wed Jul 11 11:12:26 UTC 2018
On 10/07/2018 10:53, Baesken, Matthias wrote:
> Hi Alan, thanks for commenting on this .
>
> Jaikiran mentioned that printing just the jar file name and not file with path might be okay :
>
>> I am not a reviewer and neither do I have enough knowledge about whether
>> jar/file _names_ are considered security sensitive. However, the patch
>> that's proposed for this change, prints the file _path_ (and not just
>> the name). That I believe is security sensitive.
> What do you think ?
>
In the ZipFile API, the "name" may include path information but if you
strip that and include just the file name then it should be okay. A
useful way to think about is the information revealed when a HTTP
response serves up a tasty stack trace.
-Alan.
More information about the core-libs-dev
mailing list