URLClassPath.JarLoader::checkJar just became obsolete
Daniel Fuchs
daniel.fuchs at oracle.com
Thu Nov 14 09:19:50 UTC 2024
Hello Erik,
Thanks for asking on the mailing list first.
We have some work in progress in this area and we will
publish a PR in due course.
best regards,
-- daniel
On 12/11/2024 19:04, Eirik Bjørsnøs wrote:
> Hi,
>
> With the SecurityManager permanently disabled, the checking that a JAR
> file starts with the LOC signature in URLClassPath.Loader::checkJar has
> now become unreachable.
>
> The method was added in JDK-8008593. This issue is not available, so I
> can't research why this was added, nor why it depends on a security
> manager being set. But it does not itself not use the security manager.
>
> It's not clear what this check protects against (ZIP files are allowed
> to have prefix stubs?) nor why the check depends on the security manager
> being configured.
>
> I'm inclined to suggest a PR to remove this check with the associated
> system property to disable it, plus the supporting code in ZipFile
> and JavaUtilZipFileAccess.
>
> But before I do that, can someone with access to history comment on
> whether this check should be kept around, but perhaps changed to depend
> on something else than the security manager? Currently, this is simply
> dead code.
>
> Thanks,
> Eirik.
More information about the net-dev
mailing list