RFR 8216401 : Allow "file:" URLs in Class-Path of local JARs

Alan Bateman Alan.Bateman at oracle.com
Sun Jan 13 10:07:27 UTC 2019


On 11/01/2019 18:35, Brent Christian wrote:
> Hi,
>
> Please review my change for 8216401[1].
>
> Webrev:
> http://cr.openjdk.java.net/~bchristi/8216401/webrev-01/
>
> The Class-Path section of the JAR spec[2] states that entries must be 
> relative URLs, however this hasn't been enforced for most of Java's 
> history.  There is now code to enforce this, though it is disabled by 
> default for compatibility.
>
> It has come to light that there are some widely-used libraries that 
> misuse the Class-Path attribute, by including absolute "file:" URL 
> entries.  In the interest of compatibility with this long-standing 
> behavior, "file:" entries in the Class-Path of JARs loaded from the 
> local disk should be allowed.
>
> This change will not affect the current default behavior, but 
> hopefully in the near future, the Class-Path enforcement code can be 
> enabled by default, and the change be reflected in the JAR spec[3].
The changes to URLClassPath look okay. When it comes to enabling the 
checking by default then we should do it as early as possible in a 
release to get as much testing as possible. We've seen this attribute 
been misused by tools that add it with a value of an absolute URLs or 
even file paths rather than URLs. It's possible these tools are 
inserting file paths with Windows drive letters that might fall foul of 
the checking. Also there might be cases where there is subtle redirects 
to HTTP servers to fetch dependences, something that should never have 
worked but there may be environments that depend on this broken behavior.

-Alan


More information about the core-libs-dev mailing list