[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives

Baesken, Matthias matthias.baesken at sap.com
Mon Jul 16 13:53:29 UTC 2018


Hello, after the latest comments from Alan and Jaikiran I created a new webrev:

http://cr.openjdk.java.net/~mbaesken/webrevs/8205525.2/

The jar file path is now printed in case jdk.includeInExceptions contains jarpath (this approach is "borrowed" from the enhanced socket exceptions).
The line number is always printed.

Best regards, Matthias


> -----Original Message-----
> From: Baesken, Matthias
> Sent: Tuesday, 10 July 2018 11:53
> To: 'Alan Bateman' <Alan.Bateman at oracle.com>; core-libs-dev at openjdk.java.net;
> 'jai.forums2013 at gmail.com' <jai.forums2013 at gmail.com>
> Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> Subject: RE: [RFR] 8205525 : Improve exception messages during manifest
> parsing of jar archives
> 
> Hi Alan, thanks for commenting on this.
> 
> Jaikiran mentioned that printing just the jar file name and not file with
> path might be okay:
> 
> > I am not a reviewer and neither do I have enough knowledge about whether
> > jar/file _names_ are considered security sensitive. However, the patch
> > that's proposed for this change, prints the file _path_ (and not just
> > the name). That I believe is security sensitive.
> 
> What do you think?
> 
> Best regards, Matthias
> 
> 
> > -----Original Message-----
> > From: Alan Bateman [mailto:Alan.Bateman at oracle.com]
> > Sent: Sunday, 8 July 2018 09:36
> > To: Baesken, Matthias <matthias.baesken at sap.com>; core-libs-dev at openjdk.java.net
> > Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> > Subject: Re: [RFR] 8205525 : Improve exception messages during manifest
> > parsing of jar archives
> >
> > On 06/07/2018 13:44, Baesken, Matthias wrote:
> > > Hi Alan, so it looks like JDK-8204233 added a switch (system property) to
> > > enable the enhanced socket IOException messages.
> > >
> > > That would be an option as well for 8205525.
> > Yes, it's documented in conf/security/java.security and something
> > equivalent could be done here. The giveaway in your original patch is
> > that it needed a privileged block to create the exception message.
> >
> > >
> > > 8205525 adds the jar file name and the line number info to the
> > > exception message.
> > >
> > > In case that only the jar file name would be considered sensitive, I would
> > > prefer to just output the line number (and omit the system property).
> > >
> > That should be okay (I can't think of any concerns).
> >
> > -Alan
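
The opt-in behaviour described in the top message, sketched as an added example (this is not code from the webrev or the JDK): the line number is always in the message, and the jar path appears only when the jdk.includeInExceptions security property lists jarpath. The class and helper names and the sample path are hypothetical; `hostInfo` stands for the socket-exception category.

```java
import java.io.IOException;
import java.security.Security;
import java.util.Arrays;

public class ManifestErrorDemo {
    // Security property named in the thread, read through the standard API.
    static final String PROP = "jdk.includeInExceptions";

    // True if the comma-separated property value lists the given category.
    static boolean includes(String propertyValue, String category) {
        if (propertyValue == null) {
            return false; // property unset: nothing sensitive is included
        }
        return Arrays.stream(propertyValue.split(","))
                     .map(String::trim)
                     .anyMatch(category::equals);
    }

    // Hypothetical helper: line number always, jar path only on opt-in.
    static String message(String reason, String jarPath, int line, String propertyValue) {
        StringBuilder sb = new StringBuilder(reason).append(" (");
        if (jarPath != null && includes(propertyValue, "jarpath")) {
            sb.append("manifest of ").append(jarPath).append(", ");
        }
        return sb.append("line ").append(line).append(')').toString();
    }

    public static void main(String[] args) {
        String jar = "/opt/app/lib/example.jar"; // constructed sample path
        String configured = Security.getProperty(PROP); // may be null
        String[] values = { configured, null, "hostInfo", "hostInfo, jarpath" };
        for (String value : values) {
            IOException e = new IOException(message("invalid header field", jar, 3, value));
            System.out.println(value + " -> " + e.getMessage());
        }
    }
}
```

With the property unset or set only to `hostInfo`, the message ends in `(line 3)` and carries no filesystem path, which is the default a caller relaying exception text to an untrusted party depends on.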
