[RFR] 8216362: Incorrect jar file error message when there is an invalid manifest
Sean Mullan
sean.mullan at oracle.com
Wed Jan 9 20:46:31 UTC 2019
Looks good.
--Sean
On 1/9/19 3:42 PM, Lance Andersen wrote:
> Here is the webrev for the changes:
>
> http://cr.openjdk.java.net/~lancea/8216362/webrev.00/index.html
>
> Best
> Lance
>> On Jan 9, 2019, at 12:13 PM, Sean Mullan <sean.mullan at oracle.com
>> <mailto:sean.mullan at oracle.com>> wrote:
>>
>> On 1/8/19 7:17 PM, Philipp Kunz wrote:
>>> Manifest.read throws an exception with the jar file name passed to
>>> the constructor the manifest was constructed with and not passed to
>>> the call to the read that throws the exception because the
>>> jarFilename variable is not reset after successful construction with
>>> read and will be used by subsequent calls to read if read is called
>>> (again) after the manifest has been constructed. The call to the
>>> constructor could be in a different context than the call to read and
>>> the jar file name could therefore be exposed in an unexpected
>>> context. After I first thought it was just annoying to get an
>>> unrelated jar file name in an exception message I see now a security
>>> concern as well.
>>
>> That's a good point (and good catch!). I think we need to adjust the
>> code so that if read is called and it throws an Exception it only
>> contains the jar file name if called by the constructors in which the
>> jar file name is passed as a parameter. Perhaps break up the read
>> method into a private and public one with the private one containing
>> an additional boolean parameter that is set to true if called by the
>> constructor, otherwise it is false. If the boolean parameter is true,
>> the jar file name is put in the exception, otherwise it is not.
>>
>> I also think we should fix this in 12, so I raised the priority to 3.
>>
>> --Sean
>>> At first glance and in terms of expectable code changes to the
>>> questionable constructor of Manifest the above mentioned seems to be
>>> overlapping with issue JDK-8216362 but then JDK-8216362 is about the
>>> jar file name missing in an error message when it should be present
>>> and not the other way round. Attached is a patch for JDK-8216362 as
>>> it is described at the moment.
>>> Philipp
>>> On Tue, 2019-01-08 at 13:07 -0500, Sean Mullan wrote:
>>>> In this case, the caller is passing in the filename through the public
>>>> JarFile API so as long as it is not modified it should be ok. The
>>>> concerns I raised previously are situations where the caller did not
>>>> pass in the file or the JDK converts a relative path to an absolute
>>>> path, which could reveal sensitive details about the filesystem.
>>>>
>>>> --Sean
>
> <http://oracle.com/us/design/oracle-email-sig-198324.gif>
> <http://oracle.com/us/design/oracle-email-sig-198324.gif><http://oracle.com/us/design/oracle-email-sig-198324.gif>
> <http://oracle.com/us/design/oracle-email-sig-198324.gif>Lance Andersen|
> Principal Member of Technical Staff | +1.781.442.2037
> Oracle Java Engineering
> 1 Network Drive
> Burlington, MA 01803
> Lance.Andersen at oracle.com <mailto:Lance.Andersen at oracle.com>
>
>
>
More information about the core-libs-dev
mailing list