Class-Path (in jar file) semantics different between Java 11 and 13 (on Windows)?
Alan Bateman
Alan.Bateman at oracle.com
Wed Nov 20 08:24:47 UTC 2019
On 19/11/2019 23:25, David Lloyd wrote:
> :
> OK, having read the updated specification (thanks Alan!) I'm now quite
> curious why `/C:/helloworld.jar` is considered invalid. It is in fact
> a valid relative URL (colons are allowed in path segments, and the
> leading `/` unambiguously delineates the URL path), and thus it seems
> that it should be considered valid.
This is an awkward area as the parsing here is very security sensitive.
The current implementation is deliberately limited to make it easy to
audit. It was a deliberate decision to disallow relative URLs that
encode a Windows file path containing a drive letter. You can of course
use an absolute file URL here and I would expect
"file:/C:/helloworld.jar" to work. The spec was relaxed to allow
absolute file URLs for cases like this. I'm not opposed to expanding the
parsing to allow for more cases but a detailed security review will be
needed on all changes in this area.
-Alan
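
A pre-flight check for the case discussed in this thread, as an added example that is not part of the original message and not JDK code: it reads a manifest's Class-Path attribute and flags relative entries that encode a Windows drive letter (such as `/C:/helloworld.jar`), proposing the absolute `file:` form the reply expects to work. The class name, both regexes and the sample manifest are assumptions for illustration; the check does not reproduce the JDK's own validation.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import java.util.regex.Pattern;

// Added example (hypothetical class, not JDK code).
public class ClassPathAudit {
    // Assumption: an entry is absolute if it starts with a URL scheme of two or
    // more characters, so a bare drive letter ("C:") is not taken for a scheme.
    private static final Pattern SCHEME = Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]+:.*");
    // Relative entry whose path begins with a drive letter: "C:/x", "/C:/x", "C:\x".
    private static final Pattern DRIVE = Pattern.compile("^[/\\\\]*[A-Za-z]:.*");

    // Returns one finding per relative Class-Path entry that encodes a drive letter.
    static List<String> audit(Manifest mf) {
        List<String> findings = new ArrayList<>();
        String cp = mf.getMainAttributes().getValue(Attributes.Name.CLASS_PATH);
        if (cp == null) {
            return findings;
        }
        for (String entry : cp.trim().split("\\s+")) {
            if (entry.isEmpty() || SCHEME.matcher(entry).matches()) {
                continue; // absolute URL (e.g. file:/C:/...) is outside this check
            }
            if (DRIVE.matcher(entry).matches()) {
                String path = entry.replace('\\', '/').replaceFirst("^/+", "");
                findings.add(entry + " -> use file:/" + path);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample manifest: one plain relative entry, the entry from
        // the thread, and its absolute file URL form.
        String text = "Manifest-Version: 1.0\n"
                + "Class-Path: lib/a.jar /C:/helloworld.jar file:/C:/helloworld.jar\n\n";
        Manifest mf = new Manifest(
                new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)));
        audit(mf).forEach(System.out::println);
    }
}
```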