Class-Path (in jar file) semantics different between Java 11 and 13 (on Windows)?

Alan Bateman Alan.Bateman at oracle.com
Wed Nov 20 08:24:47 UTC 2019


On 19/11/2019 23:25, David Lloyd wrote:
> :
> OK, having read the updated specification (thanks Alan!) I'm now quite
> curious why `/C:/helloworld.jar` is considered invalid.  It is in fact
> a valid relative URL (colons are allowed in path segments, and the
> leading `/` unambiguously delineates the URL path), and thus it seems
> that it should be considered valid.
This is an awkward area as the parsing here is very security sensitive. 
The current implementation is deliberately limited to make it easy to 
audit. It was a deliberate decision to disallow relative URLs that 
encode a Windows file path containing a drive letter. You can of course 
use an absolute file URL here and I would expect 
"file:/C:/helloworld.jar" to work. The spec was relaxed to allow 
absolute file URLs for cases like this. I'm not opposed to expanding the 
parsing to allow for more cases but a detailed security review will be 
needed on all changes in this area.

-Alan
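
An added example, not part of the original message and not the JDK's own parser: a build-time lint that flags `Class-Path` entries of the kind discussed above (a relative URL that encodes a Windows drive letter) and suggests the absolute file URL form. The class name, the regex and the sample manifest are constructed for illustration, and the check covers only this one rule.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import java.util.regex.Pattern;

public class ClassPathEntryLint {
    // Optional leading '/', a drive letter and ':', then a separator or end of entry.
    private static final Pattern DRIVE = Pattern.compile("^/?[A-Za-z]:([/\\\\].*)?$");

    static String classify(String entry) {
        if (DRIVE.matcher(entry).matches()) {
            // Tested on the raw text first: java.net.URI would read "C:" as a scheme.
            String path = entry.replace('\\', '/').replaceFirst("^/", "");
            return "FLAG  relative entry with drive letter; use file:/" + path;
        }
        try {
            URI u = new URI(entry);
            return u.isAbsolute()
                    ? "INFO  absolute URL, scheme=" + u.getScheme()
                    : "PASS  relative URL, no drive letter";
        } catch (URISyntaxException e) {
            return "FLAG  not a valid URI: " + e.getReason();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample manifest; the entries are illustrative.
        String mf = "Manifest-Version: 1.0\n"
                + "Class-Path: lib/util.jar /C:/helloworld.jar file:/C:/helloworld.jar\n\n";
        Manifest m = new Manifest(new ByteArrayInputStream(mf.getBytes(StandardCharsets.UTF_8)));
        String cp = m.getMainAttributes().getValue(Attributes.Name.CLASS_PATH);
        // Class-Path entries are separated by spaces.
        for (String entry : cp.trim().split("\\s+")) {
            System.out.printf("%-26s %s%n", entry, classify(entry));
        }
    }
}
```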

