RFR: 8314891: Additional Zip64 extra header validation [v8]

Marco N. duke at openjdk.org
Mon May 13 15:15:18 UTC 2024


On Wed, 8 Nov 2023 17:27:19 GMT, Lance Andersen <lancea at openjdk.org> wrote:

>> @LanceAndersen 
>> 
>> I noticed that this PR did not update `ZipInputStream.readLOC` to perform consistency validation between expected and actual extra field size and values. Any particular reason why processing of LOC headers was not made consistent with CEN?
> 
> Intentional, as this was a follow on to the updates which were done previously to the CEN work in August, this is follow on cleanup.
> 
> Updates to ZipInputStream would be done separately under a separate PR or could be done via your work on 8303866

Hey @LanceAndersen,

It was a common practice in obfuscation to create zips with invalid headers. This change leads to a behavioral change that affects existing work processes. Would it be possible to add a system property to restore the old behavior?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/15650#issuecomment-2107932136

