RFR: 8313765: Invalid CEN header (invalid zip64 extra data field size) [v9]

Sergey Bylokhov serb at openjdk.org
Wed Aug 16 14:48:14 UTC 2023


On Wed, 16 Aug 2023 04:16:52 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:

>> Lance Andersen has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Cleaned up spacing and added missing comma
>
> My overall point is that it will be unfortunate if users are able to open some files on Linux/macOS/Windows using default programs but are not able to do that using Java.

> @mrserb Have you tested your ZIP file with -Djdk.util.zip.disableZip64ExtraFieldValidation=true? That's the system property to disable the additional checking and is the "get out of jail card" for anyone running into issues. As always with changes like this, or other changes that tighten up checking, there is a risk that it will break something, hence the system property to give existing deployments a workaround to continue. In this case, the original change exposed an issue with a number of Apache projects (see the linked bugs in their issue trackers) and a bad bug in the BND tool that was fixed a few years ago. The system property is the temporary workaround until the deployment has versions of the libraries produced with updated versions of these tools, or a JDK update that tolerates a 0 block size.

I disagree for a few reasons: using that property will completely disable the appropriate patch for a fix in the CPU, and it will be possible to have/accept some malicious zip files which may trigger some unfortunate behavior. That is not what we would like to recommend doing. Validation of the negative values is much more important.
 - The bug fixed by the BND was clearly a bug when some "random" value was used as the size of the component, which was unrelated to the size of the chunk nor the size of the zip file.
 - The bug we discussed here is related to the size of the block, which is properly set. For some reason an additional validation was added for it, and it is still not mentioned where that validation has come from; there is no such thing in the spec nor in the behavior of the common tools such as zip/unzip, Windows Explorer, macOS Archive Utility.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/15273#issuecomment-1680754080

