URLClassPath.JarLoader::checkJar just became obsolete

Eirik Bjørsnøs eirbjo at gmail.com
Tue Nov 12 19:04:12 UTC 2024


Hi,

With the SecurityManager permanently disabled, the checking that a JAR file
starts with the LOC signature in URLClassPath.Loader::checkJar has now
become unreachable.

The method was added in JDK-8008593. This issue is not available, so I
can't research why this was added, nor why it depends on a security manager
being set. But it does not itself not use the security manager.

It's not clear what this check protects against (ZIP files are allowed to
have prefix stubs?) nor why the check depends on the security manager being
configured.

I'm inclined to suggest a PR to remove this check with the associated
system property to disable it, plus the supporting code in ZipFile
and JavaUtilZipFileAccess.

But before I do that, can someone with access to history comment on whether
this check should be kept around, but perhaps changed to depend on
something else than the security manager? Currently, this is simply dead
code.

Thanks,
Eirik.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/net-dev/attachments/20241112/cf92062e/attachment.htm>


More information about the net-dev mailing list