RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName()
Sean Mullan
mullan at openjdk.java.net
Mon Feb 7 15:20:12 UTC 2022
On Fri, 4 Feb 2022 15:19:11 GMT, Lance Andersen <lancea at openjdk.org> wrote:
>> src/java.base/share/classes/java/util/jar/JarFile.java line 866:
>>
>>> 864: } catch (Exception e2) {
>>> 865: // Any other Exception should be a ZipException
>>> 866: throw (ZipException) new ZipException("Zip file format error").initCause(e2);
>>
>> If there is ZIP format error then I would expect ZipException or the more general IOException is already thrown. So I think this is catching other cases, maybe broken manifests or signed JAR files, in which case a JarException may be better.
>
> JarFile::getInputStream mentions ZipException but not JarException, which is why I chose this. If we change this to JarException, I would need to update the javadoc and create a CSR.
>
> Please let me know your preference.
`JarException` is a subclass of `ZipException` though, so I think this would be ok to throw and still be compliant with the specification.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7348