RFR - CSR: 8213082: (zipfs) Add support for POSIX file permissions (was: Re: RFR 8213031: (zipfs) Add support for POSIX file permissions)

Volker Simonis volker.simonis at gmail.com
Fri Dec 21 16:43:14 UTC 2018 

Hi Alan,

thanks for looking at this issue. I've dived into the ZipFS
implementation during the last weeks and together with Christoph we've
extended and improved both the implementation the test coverage. As
Christoph already emphasized, this change is only for improving
jdk.nio.zipfs without any side effects on java.util.zip and
java.util.jar.

Please find my comments for the CSR below (for some reason I couldn't
add them to the CSR directly).

I'd really appreciate if you could reconsider reviewing Christoph's
change ("RFR 8213031: (zipfs) Add support for POSIX file permissions")
and CSR.

Thank you,
Volker

=============================================

I've thoroughly looked at this proposal and honestly speaking, I don't
think that we even need a CSR for the proposed enhancement. Only the
implementation of some classes in the `jdk.nio.zipfs` package are
changed but no publicly exported API's.

As Christoph emphasized, the proposed changes **only** affect the Zip
File System as implemented in the `jdk.nio.zipfs` package. It doesn't
touch neither the implementation nor the behavior of any of the
classes in the `java.util.zip` or `java.util.jar` packages.

Previous reviewers of this CSR and of the corresponding change
JDK-8213031 raised some concerns regarding the security implication of
this change - especially in the context of signed jars. I've looked at
these concerns but I couldn't find any evidence for problems because:

- no exposed JAR functionality is affected by these changes (because
that is handled by the implementation in `java.util.zip` and
`java.util.jar`)
- Jar signing doesn't take file attributes into account (even not the
basic attributes like the modification time). It only hashes the file
contents. You can already now use external zip tools to update the
attributes of files in a signed archive without affecting the validity
of the signature.

For all these reasons I've reviewed this CSR and I kindly ask you to approve it.
On Fri, Dec 21, 2018 at 2:43 PM Langer, Christoph
<christoph.langer at sap.com> wrote:
>
> Hi Alan,
>
> > Adding support for POSIX file permissions to the zip APIs is problematic
> > as we've been discussing here. There are security concerns and also
> > concerns that how it interacts with JAR files and signed JAR in
> > particular. I don't disagree that we can come to agreement on zipfs
> > supporting a solution but I think we need to get the bigger picture on
> > where this is going first. If the piece to change the java.util.zip APIs
> > is dropped then it would make these discussions a lot simpler as it
> > removes most of the security issues from the table.
>
> Yes, please consider changes to java.util.zip APIs as dropped. At least for the moment. I'm not saying I won't ever get back to that topic but maybe an enhancement of jdk.zipfs is already sufficient to provide the required Posix permission support for the Java platform.
>
> Best regards
> Christoph
>

More information about the security-dev mailing list