RFR: 8340553: ZipEntry field validation does not take into account the size of a CEN header [v2]
Eirik Bjørsnøs
eirbjo at openjdk.org
Thu Oct 17 18:47:26 UTC 2024
On Thu, 17 Oct 2024 13:56:50 GMT, Lance Andersen <lancea at openjdk.org> wrote:
> I had thought about that and decided to keep the changes as they are. I am not opposed to revisiting this in a follow on PR. Any additional changes would require more javadoc updates to address the overall change in validation.
>
> So after we fork JDK 24, happy to revisit.
If the route we're taking ends up with having `ZipEntry` manage its own invariant here, then I'm only lukewarm to including this solution in 24 which only takes us half way and has weaker validation than what's already in place in `ZipOutputStream`. There would be less API churn if we hold our breath here and do it "right" in a single release.
But that's my subjective opinion, it's understandable and fine that others see it differently.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21544#discussion_r1805262740