Class-Path (in jar file) semantics different between Java 11 and 13 (on Windows)?
David Lloyd
david.lloyd at redhat.com
Wed Nov 20 13:50:07 UTC 2019
On Wed, Nov 20, 2019 at 2:25 AM Alan Bateman <Alan.Bateman at oracle.com> wrote:
>
> On 19/11/2019 23:25, David Lloyd wrote:
> > :
> > OK, having read the updated specification (thanks Alan!) I'm now quite
> > curious why `/C:/helloworld.jar` is considered invalid. It is in fact
> > a valid relative URL (colons are allowed in path segments, and the
> > leading `/` unambiguously delineates the URL path), and thus it seems
> > that it should be considered valid.
> This is an awkward area as the parsing here is very security sensitive.
> The current implementation is deliberately limited to make it easy to
> audit. It was a deliberate decision to disallow relative URLs that
> encode a Windows file path containing a drive letter.
OK, but this decision violates both the old and updated spec (and
makes it difficult to write code that works in both cases: in
situations that reject absolute URLs (javac) and in situations that
reject drive letters (this code)), so I would request that this be
revisited.
> You can of course
> use an absolute file URL here and I would expect
> "file:/C:/helloworld.jar" to work. The spec was relaxed to allow
> absolute file URLs for cases like this. I'm not opposed to expanding the
> parsing to allow for more cases but a detailed security review will be
> needed on all changes in this area.
Is there anything I can do to help?
--
- DML
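
An added example, not part of the thread and not the JDK's Class-Path parser: a small Java lint that uses `java.net.URI` to show how the entry forms discussed above parse and what they resolve to. The class name, the base JAR URL and the last three sample entries are constructed, and the "rejected where..." wording reflects only what the thread states.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.regex.Pattern;

public class ClassPathEntryLint {
    // Drive letter as the first segment of a URL path, e.g. /C:/helloworld.jar
    private static final Pattern DRIVE_SEGMENT = Pattern.compile("^/[A-Za-z]:(/.*)?$");

    // Constructed base: URL of the JAR whose manifest carries the Class-Path attribute.
    private static final URI BASE = URI.create("file:/D:/app/lib/main.jar");

    static String lint(String entry) {
        URI u;
        try {
            u = new URI(entry);
        } catch (URISyntaxException e) {
            // Raw Windows paths with backslashes end up here.
            return "not a URI: " + e.getReason();
        }
        String scheme = u.getScheme();
        if (scheme != null && scheme.length() == 1) {
            // "C:/x.jar" parses as a URL with scheme "C", not as a path on drive C.
            return "bare drive-letter path parsed as URL scheme '" + scheme + "'";
        }
        if (scheme != null) {
            return "absolute URL (" + scheme + "); rejected where absolute URLs are not accepted";
        }
        String path = u.getPath();
        if (path != null && DRIVE_SEGMENT.matcher(path).matches()) {
            // Syntactically a relative reference; the drive letter sits in the path.
            return "relative reference with drive letter; resolves to " + BASE.resolve(u);
        }
        return "relative reference; resolves to " + BASE.resolve(u);
    }

    public static void main(String[] args) {
        // The first two entries are quoted in the thread; the rest are constructed.
        for (String e : List.of("/C:/helloworld.jar", "file:/C:/helloworld.jar",
                                "C:/helloworld.jar", "lib/helper.jar", "C:\\helloworld.jar")) {
            System.out.printf("%-26s %s%n", e, lint(e));
        }
    }
}
```

Running it shows `/C:/helloworld.jar` resolving against the base to `file:/C:/helloworld.jar`, the same absolute form suggested in the quoted reply, while the slash-less `C:/helloworld.jar` is read as a URL with scheme `C`.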