[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives

Alan Bateman Alan.Bateman at oracle.com
Wed Jul 11 11:12:26 UTC 2018


On 10/07/2018 10:53, Baesken, Matthias wrote:
> Hi Alan, thanks for commenting on this.
>
> Jaikiran mentioned that printing just the jar file name and not file with path might be okay:
>
>> I am not a reviewer and neither do I have enough knowledge about whether
>> jar/file _names_ are considered security sensitive. However, the patch
>> that's proposed for this change, prints the file _path_ (and not just
>> the name). That I believe is security sensitive.
> What do you think ?
>
In the ZipFile API, the "name" may include path information but if you 
strip that and include just the file name then it should be okay. A 
useful way to think about it is the information revealed when an HTTP 
response serves up a tasty stack trace.

-Alan.
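As an added illustration of the approach described above (not code from this thread or from the JDK patch under review): a hypothetical helper that keeps only the last path element of the ZipFile name when wrapping a manifest parse failure, so the message names the archive without revealing where it lives on disk. The class and method names are assumed, and the broken jar is constructed in a temporary directory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.jar.JarFile;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class ManifestErrorDemo {

    // Hypothetical helper: strip any directory components from the ZipFile name,
    // leaving only the file name for use in an exception message.
    static String displayName(String zipFileName) {
        Path p = Paths.get(zipFileName).getFileName();
        return p == null ? "<unnamed>" : p.toString();
    }

    // Reads the manifest and wraps any parse failure in a message that carries the
    // jar's file name (not its full path) together with the parser's own detail.
    static void readManifest(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            jf.getManifest();
        } catch (IOException e) {
            throw new IOException("Error reading manifest of "
                    + displayName(jar.toString()) + ": " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a jar whose MANIFEST.MF has a header line with no ':'.
        Path dir = Files.createTempDirectory("manifest-demo");
        Path jar = dir.resolve("broken.jar");
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(jar))) {
            zos.putNextEntry(new ZipEntry("META-INF/MANIFEST.MF"));
            zos.write("Manifest-Version: 1.0\nthis line has no colon\n"
                    .getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        try {
            readManifest(jar);
        } catch (IOException e) {
            // Message mentions "broken.jar" but not the temporary directory it sits in.
            System.out.println(e.getMessage());
        } finally {
            Files.deleteIfExists(jar);
            Files.deleteIfExists(dir);
        }
    }
}
```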

