[PATCH] for error message not containing file name of jar with bad manifest

Sean Mullan sean.mullan at oracle.com
Tue Jan 8 18:07:07 UTC 2019


In this case, the caller is passing in the filename through the public 
JarFile API so as long as it is not modified it should be ok. The 
concerns I raised previously are situations where the caller did not 
pass in the file or the JDK converts a relative path to an absolute 
path, which could reveal sensitive details about the filesystem.

--Sean

On 1/8/19 9:27 AM, Roger Riggs wrote:
> Hi,
> 
> Even though this is a bug fix, the security concerns about putting the 
> full pathnames of files
> in exceptions should be considered.  I would be fine with putting only 
> the filename (no path) in the message.
> 
> If a typo is in scope:  line 89 "occured" -> "occurred".
> 
> Thanks, Roger
> 
> 
> On 01/08/2019 07:15 AM, Lance Andersen wrote:
>> Hi Philipp,
>>
>> I created JDK-8216362 and will look to address later today or tomorrow
>>
>> Best
>> Lance
>>> On Jan 8, 2019, at 1:24 AM, Philipp Kunz <philipp.kunz at paratix.ch> 
>>> wrote:
>>>
>>> Hi Lance,
>>>
>>> I also see fit for a new bug. But I cannot create it now because I 
>>> cannot log in to Jira and don't know how else to create one and I 
>>> don't have the slightest idea how to get such a privilege. Could you 
>>> give me a hint how to proceed?
>>>
>>> Philipp
>>>
>>> On Mon, 2019-01-07 at 18:05 -0500, Lance Andersen wrote:
>>>> Hi Philipp,
>>>>
>>>> I would like to suggest a new bug for this so if you can do that I 
>>>> can sponsor the proposed change
>>>>
>>>> Thank you
>>>>> On Jan 7, 2019, at 5:39 PM, Philipp Kunz <philipp.kunz at paratix.ch 
>>>>> <mailto:philipp.kunz at paratix.ch>> wrote:
>>>>>
>>>>> <8205525.patch>
>>>> Lance Andersen | Principal Member of Technical Staff | +1.781.442.2037
>>>> Oracle Java Engineering
>>>> 1 Network Drive
>>>> Burlington, MA 01803
>>>> Lance.Andersen at oracle.com <mailto:Lance.Andersen at oracle.com>
>>>>
>>>>
>>>>
>> Lance Andersen | Principal Member of Technical Staff | +1.781.442.2037
>> Oracle Java Engineering
>> 1 Network Drive
>> Burlington, MA 01803
>> Lance.Andersen at oracle.com <mailto:Lance.Andersen at oracle.com>
>>
>>
>>
> 

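The practice Sean and Roger are converging on above (report the jar that failed, but never widen a caller-supplied name into a full path) is shown below as an added example. It is not the patch under discussion and not JDK code; it sits on top of the public java.util.jar API and builds its own malformed jar as constructed sample input. The class name BadManifestMessage and the helper names displayName and readManifest are assumptions for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class BadManifestMessage {

    // Constructed sample input: a jar whose manifest is malformed.
    // "Manifest-Version 1.0" lacks the ": " separator the JAR spec
    // requires, so the JDK's manifest parser rejects the header line.
    static Path writeJarWithBadManifest(Path dir) throws IOException {
        Path jar = dir.resolve("broken.jar");
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(jar))) {
            zos.putNextEntry(new ZipEntry(JarFile.MANIFEST_NAME));
            zos.write("Manifest-Version 1.0\nCreated-By: example\n"
                    .getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return jar;
    }

    // Reduces whatever the caller passed to its last path element, so the
    // message never names directories the caller did not already name and
    // never turns a relative path into an absolute one (hypothetical helper).
    static String displayName(String callerSupplied) {
        Path name = Paths.get(callerSupplied).getFileName();
        return name == null ? callerSupplied : name.toString();
    }

    // Opens the jar under the caller-supplied name and reads its manifest.
    // On failure, rethrows with the file name only. The original exception
    // is kept as the cause, so a holder of the exception object still has
    // the parser's detail; only the message string is sanitized.
    static Manifest readManifest(String callerSupplied) throws IOException {
        try (JarFile jf = new JarFile(callerSupplied)) {
            return jf.getManifest();
        } catch (IOException e) {
            throw new IOException("invalid manifest in " + displayName(callerSupplied), e);
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("badmanifest");
        Path jar = writeJarWithBadManifest(dir);
        try {
            readManifest(jar.toString());
            System.out.println("unexpected: manifest parsed");
        } catch (IOException e) {
            // The message names broken.jar; the temporary directory the jar
            // was written to does not appear in it.
            System.out.println(e.getMessage());
        } finally {
            Files.deleteIfExists(jar);
            Files.deleteIfExists(dir);
        }
    }
}
```

Compile and run with `javac BadManifestMessage.java && java BadManifestMessage`. The point of the shape is the split Sean draws: the name that reaches the message is exactly what came in through the public JarFile API (trimmed further to the bare file name, as Roger suggests), while anything the JDK could derive on its own, such as an absolute path, stays out of the string and is available only through the exception's cause chain.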
