RFR: JDK-8319626: Override toString() for ZipFile [v4]
Jaikiran Pai
jpai at openjdk.org
Thu Nov 30 10:20:09 UTC 2023
On Wed, 29 Nov 2023 01:10:29 GMT, Bernd <duke at openjdk.org> wrote:
>> Hi Alan,
>>
>> Thanks for taking a look. I updated the toString() value to the one you suggested, and also dropped the specific aspects of the specification.
>>
>> I am not sure if you have a preference one way or another regarding providing the full path versus just the file name, but I can switch the full path for just the file name if need be.
>
> I like the new wording (have no opinion if absolute path is better).
Hello Justin,
> I am not sure if you have a preference one way or another regarding providing the full path versus just the file name, but I can switch the full path for just the file name if need be.
My opinion is that we should not use the absolute path here. Section 2.1 of secure coding guidelines https://www.oracle.com/java/technologies/javase/seccodeguide.html#2-1 suggests not to include full paths in exception messages.
With the proposed change to the toString() method here, which uses absolute paths, I think it would then mean that we would have to review (within the JDK) usages of (explicit or implicit) `ZipFile.toString()` to prevent accidentally including the complete paths in the exceptions, like in the case below:
    final ZipFile zf = new ZipFile("/home/me/xyz.zip");
    ... // do something
    throw new Exception("failed to handle zipfile " + zf);
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16643#discussion_r1410455514
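
A heuristic starting point for the review described in the message above, as an added example that is not part of the original message or of the JDK: it flags lines where a `ZipFile` variable is stringified inside a throwable's constructor arguments. The class name `ZipToStringAudit`, the regular expressions and the sample lines are assumptions made for illustration, and only single-line statements are handled.

```java
import java.util.*;
import java.util.regex.*;

public class ZipToStringAudit {
    // Local variables or parameters declared as ZipFile (or its subclass JarFile).
    private static final Pattern DECL =
        Pattern.compile("\\b(?:ZipFile|JarFile)\\s+(\\w+)\\s*[=;,)]");
    // Construction of any type whose name ends in Exception or Error.
    private static final Pattern THROWABLE =
        Pattern.compile("new\\s+\\w*(?:Exception|Error)\\s*\\(");

    // Returns 1-based line numbers where a ZipFile variable is stringified
    // (implicitly via '+' or explicitly via toString()) in a throwable's arguments.
    static List<Integer> audit(List<String> lines) {
        Set<String> zipVars = new HashSet<>();
        List<Integer> hits = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i);
            Matcher d = DECL.matcher(line);
            while (d.find()) zipVars.add(d.group(1));
            Matcher t = THROWABLE.matcher(line);
            if (!t.find()) continue;
            String args = line.substring(t.end());
            for (String v : zipVars) {
                String q = Pattern.quote(v);
                Pattern use = Pattern.compile(
                    "\\+\\s*" + q + "\\b(?!\\s*[.(\\[])"          // "..." + zf
                    + "|(?<![\\w.])" + q + "\\s*\\+"               // zf + "..."
                    + "|(?<![\\w.])" + q + "\\s*\\.\\s*toString\\s*\\("); // zf.toString()
                if (use.matcher(args).find()) { hits.add(i + 1); break; }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample; lines 1 and 2 mirror the snippet in the message above.
        List<String> src = List.of(
            "final ZipFile zf = new ZipFile(\"/home/me/xyz.zip\");",
            "throw new Exception(\"failed to handle zipfile \" + zf);",
            "throw new IOException(\"entries: \" + zf.size());",
            "throw new IllegalStateException(zf.toString());");
        System.out.println("review lines: " + audit(src));
    }
}
```

Method calls on the variable, such as `zf.size()`, are not flagged; only the bare variable in a concatenation or an explicit `toString()` call is reported for manual review.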