RFR: JDK-8319626: Override toString() for ZipFile [v5]

Alan Bateman alanb at openjdk.org
Fri Dec 1 08:53:04 UTC 2023


On Thu, 30 Nov 2023 21:08:35 GMT, Justin Lu <jlu at openjdk.org> wrote:

>> Hello Justin,
>> 
>>> I am not sure if you have a preference one way or another regarding providing the full path versus just the file name, but I can switch the full path for just the file name if need be.
>> 
>> My opinion is that we should not use the absolute path here. Section 2.1 of secure coding guidelines https://www.oracle.com/java/technologies/javase/seccodeguide.html#2-1 suggests not to include full paths in exception messages.
>> 
>> With the proposed change to the toString() method here, which uses absolute paths, I think it would then mean that we would have to review (within the JDK) usages of (explicit or implicit) `ZipFile.toString()` to prevent accidentally including the complete paths in the exceptions, like in the case below:
>> 
>> 
>> final ZipFile zf = new ZipFile("/home/me/xyz.zip");
>> // ... do something
>> throw new Exception("failed to handle zipfile " + zf);
>
> Thanks Jai, that makes sense. Replaced full path with just the base name in latest commit.

I think the second paragraph of the method description is problematic. Documenting the representation and then saying it is subject to change is going to cause problems in the future? Can you just drop this paragraph?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16643#discussion_r1411789346

