RFR: 8273401: Remove JarIndex support in URLClassPath
Sean Mullan
mullan at openjdk.java.net
Tue Sep 7 17:42:36 UTC 2021
On Tue, 7 Sep 2021 07:12:29 GMT, Alan Bateman <alanb at openjdk.org> wrote:
>> There is a bug for URLClassPath.findResources with JarIndex.
>> With some discussions about the bug, the current priority is to remove the JAR index support in URLClassPath,
>> and don’t need to do anything to the jar tool in the short term, except just to move JarIndex to the jdk.jartool module.
>>
>> The PR includes:
>> 1. remove the JarIndex support in URLClassPath
>> 2. move JarIndex into jdk.jartool module.
>
> src/java.base/share/classes/java/util/jar/JarVerifier.java line 147:
>
>> 145:
>> 146: if (uname.equals(JarFile.MANIFEST_NAME) ||
>> 147: uname.equals(JarFile.INDEX_NAME)) {
>
> It would be useful if someone from security-libs could comment on this. The interaction between signed JAR and JAR index isn't very clear. The change you have is safe but it might be that we can drop the checking for INDEX.LIST here.
I am thinking this line should not be removed for compatibility with existing JARs that have indexes.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5383
More information about the security-dev
mailing list