RFR: 8313765: Invalid CEN header (invalid zip64 extra data field size) [v9]

[Alan Bateman]

On Wed, 16 Aug 2023 14:45:25 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:

> I disagree for a few reasons, using that property will completely disable the appropriate patch for a fix in the CPU, and it will be possible to have/accept some malicious zip files which may trigger some unfortunate behavior. That is not what we would like to recommend doing. Validation of the negative values is much more important.

Changes that introduce new checks or dial up validation are often risky changes. The JDK has a long history of introducing such changes with a system property or some means to temporarily disable the stricter checking, at least when the spec allows it. You may disagree with this long standing practice but it is a necessary evil to give a temporary workaround for environments that might need a bit of time to fix something after a JDK upgrade. There is of course risk in that but I don't think we can get into that discussion here.

As I think has already been said, we can't engage with you in this PR on the reasons why additional checking was added in a security update.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/15273#issuecomment-1680842611