RFR: 8336025: Improve ZipOutputStream validation of MAX CEN Header field limits
Lance Andersen
lancea at openjdk.org
Sun Sep 15 13:08:06 UTC 2024
On Fri, 13 Sep 2024 20:20:56 GMT, Chen Liang <liach at openjdk.org> wrote:
>> Please review the following PR which addresses that ZipOutputStream should validate the CEN header fields similar to what was done via [JDK-8316141](https://bugs.openjdk.org/browse/JDK-8316141).
>>
>> As part of this change, the javadoc for ZipEntry has been updated to indicate that the CEN Header (46 bytes) + entry name length + comment length + extra data length must not exceed 0xfffff.
>>
>> Mach5 tiers 1-3 runs were clean. The zip and jar JCK tests also continue to pass.
>
> src/java.base/share/classes/java/util/zip/ZipEntry.java line 42:
>
>> 40: * <P>
>> 41: * The combined length of the entry name, the extra field data, the
>> 42: * entry comment and {@link ZipFile#CENHDR CEN Header size}, must not
>
> I think you flipped the usage of `@link` and `@linkplain` in this spec addition. `@link` renders code with hyperlink, and `@linkplain` renders like regular body font with hyperlink.
>
> And the constant is available in this class too, so no need to link to `ZipFile` really.
> Suggestion:
>
> * entry comment and {@linkplain #CENHDR CEN Header size}, must not
Good suggestion. Updated, per your suggestion.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21003#discussion_r1760043734