Manifest Related Bugs JDK-6372077, JDK-6202130, JDK-8176843, JDK-4842483, JDK-6443578, JDK-6910466, JDK-4935610, and JDK-4271239
Philipp Kunz
philipp.kunz at paratix.ch
Mon Oct 2 17:24:46 UTC 2017
Hi,
While fixing JDK-6695402 I came across other related bugs to manifests
such as JDK-6372077, JDK-6202130, JDK-8176843, JDK-4842483, and
JDK-6443578 which all relate to manifest reading and writing. Somewhere
bug 7071055 is mentioned but I cannot find anywhere. Another group of
bugs, JDK-6910466, JDK-4935610, and JDK-4271239 concern the mandatory
manifest main attributes Manifest-Version or Signature-Version and at
first glance are duplicates. If you know of more known bugs, not
necessarily present in jira, I'd be glad to get notified.
There are also some comments about utf handling and line breaking in the
code of Manifest:
http://hg.openjdk.java.net/jdk10/master/file/a0116bcc65b7/src/java.base/share/classes/java/util/jar/Attributes.java#l299
http://hg.openjdk.java.net/jdk10/master/file/a0116bcc65b7/src/java.base/share/classes/java/util/jar/Attributes.java#l327
http://hg.openjdk.java.net/jdk10/master/file/a0116bcc65b7/src/java.base/share/classes/java/util/jar/Attributes.java#l370
Furthermore, Attributes.map should declare appropriate type parameters:
http://hg.openjdk.java.net/jdk10/master/file/a0116bcc65b7/src/java.base/share/classes/java/util/jar/Attributes.java#l61
The specification would also require that `header names must not start
with _, - or "From"`
(http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Section-Specification)
but I would opt not to add this as a hard restriction because I guess it
can be assumed that such names are in use now after having been working
for years. A warning to a logger might be conceivable such as in
http://hg.openjdk.java.net/jdk10/master/file/a0116bcc65b7/src/java.base/share/classes/java/util/jar/Attributes.java#l424
Attribute values are never checked at all and invalid characters such as
line breaks are never detected except that when reading the manifest
again the values are cut off.
The tab character (U+0008) does not work in manifest values.
I suspect that there are also issues regarding the iteration order but I
haven't got a prove yet unlike for the other points above:
http://hg.openjdk.java.net/jdk10/master/file/a0116bcc65b7/src/java.base/share/classes/java/util/jar/Manifest.java#l54
There is duplicated or very similar code in Attributes and Manifest:
Attributes.write-Manifest.write-Attributes.writeMain and
Attributes.read-Manifest.read.
Resolving JDK-6202130 would have the additional benefit to be able to
view manifests with any utf-8 capable editor even if multi-byte
characters break across lines.
Fixing these issues individually looks like more complicated work than
fixing them all at once, I guess, also because of a very low current
test coverage. So I'd suggest to add some thorough tests along with
fixing these issues. But before I start I would like to get some
guidance, assistance or at least confirmation on how to proceed. I'm new
to open jdk and have submitted only one patch so far.
Is it ok to add tests for things that have worked before?
Is it ok to refactor duplicated code just for the added value to reduce
effort for testing?
I assume compatibility to and from existing manifests is the highest
priority, correct? This would also be the hard part in adding as
complete test coverage as possible. What would be acceptable criteria to
meet?
Why does Attributes not extend LinkedHashMap and why does Manifest not
extend HashMap? Any objection?
While I would not want to write code that looks slow or change more than
necessary one can never know before having performance actually
measured. Is there some way this is dealt with or should I wait for such
feedback until after patch submission?
Would someone sponsor?
Regards,
Philipp
------------------------------------------------------------------------
Paratix GmbH
St Peterhofstatt 11
8001 Zürich
+41 (0)76 397 79 35
philipp.kunz at paratix.ch <mailto:philipp.kunz at paratix.ch>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20171002/540810ff/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 5134 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20171002/540810ff/attachment.png>
More information about the security-dev
mailing list