RFR: 8336025: Improve ZipOutputSream validation of MAX CEN Header field limits [v2]
Lance Andersen
lancea at openjdk.org
Mon Sep 16 11:35:11 UTC 2024
On Mon, 16 Sep 2024 09:36:49 GMT, Eirik Bjørsnøs <eirbjo at openjdk.org> wrote:
>> Lance Andersen has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Update @link -> @linkplain
>
> src/java.base/share/classes/java/util/zip/ZipEntry.java line 41:
>
>> 39: * This class is used to represent a ZIP file entry.
>> 40: * <P>
>> 41: * The combined length of the entry name, the extra field data, the
>
> "bytes" is the last word here, so technically this is correct. But an external reader may easily think this refers to the string lengths, not the byte encoded lengths.
>
> So maybe being slightly more explicit that the encoded length depends on the chosen charset would reduce ambiguity?
I am not sure it is needed, but could tweak to:
> The combined length, after encoding, of the ......
Thoughts?
> src/java.base/share/classes/java/util/zip/ZipOutputStream.java line 642:
>
>> 640: if (e.comment != null) {
>> 641: commentBytes = zc.getBytes(e.comment);
>> 642: clen = Math.min(commentBytes.length, 0xffff);
>
> Moving the headerLength enforcement earlier in the method would remove the need for this comment truncation, right?
I left that intentionally for now. A follow-on PR will be updating the ZipEntry javadoc to reduce the max size of the validation check once this PR is finalized.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21003#discussion_r1760977017
PR Review Comment: https://git.openjdk.org/jdk/pull/21003#discussion_r1760962573
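The review point above is that the limit applies to the encoded bytes, not to String lengths, so the same entry can pass or fail depending on the charset the ZipOutputStream was opened with. The following is an added example written for this page; it is not code from the PR or from the JDK. It assumes a 46-byte fixed CEN header (the size given by the ZIP APPNOTE for the central directory file header) and models the "headerLength enforcement" mentioned in the thread as CENHDR + name + extra + comment bytes compared against 0xffff; the class and method names are hypothetical.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

/**
 * Added illustration (not JDK code): the encoded size of a ZIP entry's
 * central-directory (CEN) header depends on the charset, so a limit on
 * it must be checked on encoded bytes rather than on String.length().
 */
public class CenHeaderLimitDemo {

    // Fixed size of a CEN file header record per the ZIP APPNOTE (assumed here).
    static final int CENHDR = 46;

    // Name, extra and comment lengths are unsigned 16-bit fields in the CEN header.
    static final int MAX_CEN_FIELD = 0xffff;

    /**
     * Hypothetical check modelling the combined-length validation discussed
     * in the thread: CENHDR plus the encoded name, extra and comment bytes.
     */
    static int cenHeaderLength(String name, byte[] extra, String comment, Charset cs) {
        int nlen = name.getBytes(cs).length;                         // encoded, not name.length()
        int elen = extra == null ? 0 : extra.length;                 // extra is already bytes
        int clen = comment == null ? 0 : comment.getBytes(cs).length;
        return CENHDR + nlen + elen + clen;
    }

    static boolean fits(String name, byte[] extra, String comment, Charset cs) {
        return cenHeaderLength(name, extra, comment, cs) <= MAX_CEN_FIELD;
    }

    /**
     * What the quoted ZipOutputStream line does with an oversized comment:
     * clen = Math.min(commentBytes.length, 0xffff) silently caps the length
     * field rather than rejecting the entry.
     */
    static int truncatedCommentLength(String comment, Charset cs) {
        return Math.min(comment.getBytes(cs).length, MAX_CEN_FIELD);
    }

    public static void main(String[] args) {
        // Constructed input: 30,000 "e-acute" chars encode to 30,000 bytes in
        // ISO-8859-1 but 60,000 bytes in UTF-8, while name.length() is 30,000 in both.
        String name = "\u00e9".repeat(30_000);
        String comment = "x".repeat(5_000);
        byte[] extra = new byte[500];

        for (Charset cs : new Charset[] { StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8 }) {
            int len = cenHeaderLength(name, extra, comment, cs);
            System.out.printf("%-10s name.length()=%d  encoded CEN header=%d bytes -> %s%n",
                    cs, name.length(), len,
                    fits(name, extra, comment, cs) ? "fits" : "exceeds 0xffff");
        }

        // A comment that alone exceeds the field: the quoted code would cap it at 0xffff.
        String bigComment = "c".repeat(70_000);
        System.out.printf("comment bytes=%d, length field after Math.min=%d%n",
                bigComment.getBytes(StandardCharsets.UTF_8).length,
                truncatedCommentLength(bigComment, StandardCharsets.UTF_8));
    }
}
```

With these constructed inputs the ISO-8859-1 total is 35,546 bytes and fits, while the UTF-8 total is 65,546 bytes and exceeds 0xffff, which is why a check phrased in terms of String lengths would be misleading and why the javadoc wording about encoded length matters.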