URLClassPath.JarLoader::checkJar just became obsolete

Daniel Fuchs daniel.fuchs at oracle.com
Thu Nov 14 09:19:50 UTC 2024


Hello Erik,

Thanks for asking on the mailing list first.
We have some work in progress in this area and we will
publish a PR in due course.

best regards,

-- daniel

On 12/11/2024 19:04, Eirik Bjørsnøs wrote:
> Hi,
> 
> With the SecurityManager permanently disabled, the checking that a JAR 
> file starts with the LOC signature in URLClassPath.Loader::checkJar has 
> now become unreachable.
> 
> The method was added in JDK-8008593. This issue is not available, so I 
> can't research why this was added, nor why it depends on a security 
> manager being set. But it does not itself not use the security manager.
> 
> It's not clear what this check protects against (ZIP files are allowed 
> to have prefix stubs?) nor why the check depends on the security manager 
> being configured.
> 
> I'm inclined to suggest a PR to remove this check with the associated 
> system property to disable it, plus the supporting code in ZipFile 
> and JavaUtilZipFileAccess.
> 
> But before I do that, can someone with access to history comment on 
> whether this check should be kept around, but perhaps changed to depend 
> on something else than the security manager? Currently, this is simply 
> dead code.
> 
> Thanks,
> Eirik.



More information about the net-dev mailing list