JDK-8355338: ZIP and non-compliant entry names

Alan Bateman alan.bateman at oracle.com
Wed Apr 23 09:47:34 UTC 2025


On 23/04/2025 09:24, Lars Bruun-Hansen wrote:
> :
>
> There is also a security angle: Spoofing file names in ZIP files
> is a common technique. Some implementations take cautionary
> steps on this. For example, the Windows Explorer's ZIP reader
> simply will not show entries which start with ".." or ".".
> Well done, I would say. It is of course unfair to compare a library
> (the JDK) to an end-user tool like Windows Explorer as the
> objectives are different, however can we fault a user of the JDK
> if that user would expect the entry names returned from the ZipFile class
> (i.e. when READING) to be compliant ZIP file names?
>
> Bottom line: My point is that the subtle point that the JDK's
> implementation is based off a very old spec from Info-ZIP is likely
> to be lost on most users. Now that the "official" spec (PKWARE's) has
> become blatantly clear on file naming (except I wish they would have
> mentioned that starting the file name with "./" or "../" is illegal too),
> I believe the JDK's javadocs should at least have something to say on
> the topic of ZIP entry naming and the architectural choices made
> in the implementation (accept anything).
>
> So that is my suggestion: a "strengthening" of the Javadoc. I'll be happy
> to propose the text. A more thorough approach would be to create new
> name entry validating methods and possibly deprecate the existing ones.
> Just thought I would propose the easiest solution first: javadoc.
>

JDK-8355338 was only created this week. As noted, the ZIP spec changed 
from "should not" to "MUST not", a change that was not noticed until 
this bug report.

I think it is too early to give an opinion on whether to change the spec 
and/or implementation. Preliminary data from a scan of ~1 million 
ZIP/JAR files suggests there aren't too many cases of this but more 
analysis will be required to inform and help narrow down options. Note 
that Oracle employees (and probably many others here) cannot engage in 
any discussion about security issues so discussion here will be more 
focused on the compatibility impact and options.

Most of the ZIP/JAR creation will likely come from tools in the 
ecosystem, e.g. Maven plugins. I think it would be useful to gather some 
data to see if there are usages of these tools/plugins that would cause 
them to attempt to create ZIP/JAR files with these bad entry names. Is 
this something you have cycles to help gather?

-Alan
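A name check of the kind the "validating methods" suggestion above points at, as an added example that is not part of this thread or of the JDK: the validator and its rules are my assumption, covering the "./", "../" and absolute-path cases mentioned, and the in-memory archive is constructed to show that the JDK writes and reads such names without complaint.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipEntryNameCheck {

    /** Hypothetical validator (not a JDK API). Returns null if the name is
     *  acceptable, otherwise the reason it is rejected: absolute paths, drive
     *  letters, backslash separators and any "." or ".." path segment. */
    static String rejectReason(String name) {
        if (name.isEmpty()) return "empty name";
        if (name.startsWith("/")) return "absolute path";
        if (name.indexOf('\\') >= 0) return "backslash separator";
        if (name.length() > 1 && name.charAt(1) == ':') return "drive letter";
        for (String seg : name.split("/", -1)) {
            if (seg.equals(".") || seg.equals("..")) return "dot segment '" + seg + "'";
        }
        return null; // compliant: a relative path with plain segments only
    }

    /** Reads the entry names the JDK hands back and flags non-compliant ones. */
    static List<String> audit(byte[] zipBytes) throws IOException {
        List<String> report = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                String why = rejectReason(e.getName());
                report.add(e.getName() + (why == null ? ": ok" : ": REJECT (" + why + ")"));
            }
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive; ZipOutputStream accepts every one of these names.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            for (String n : new String[] {"META-INF/MANIFEST.MF", "./notes.txt", "../escape.txt", "/etc/x"}) {
                out.putNextEntry(new ZipEntry(n));
                out.closeEntry();
            }
        }
        audit(buf.toByteArray()).forEach(System.out::println);
    }
}
```

Only the first name passes; the other three are reported with the rule that rejected them, which is the kind of check a reader of ZipFile would have to apply themselves today.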