RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName()

Sean Mullan mullan at openjdk.java.net
Mon Feb 7 15:20:12 UTC 2022


On Fri, 4 Feb 2022 15:19:11 GMT, Lance Andersen <lancea at openjdk.org> wrote:

>> src/java.base/share/classes/java/util/jar/JarFile.java line 866:
>> 
>>> 864:         } catch (Exception e2) {
>>> 865:             // Any other Exception should be a ZipException
>>> 866:             throw (ZipException) new ZipException("Zip file format error").initCause(e2);
>> 
>> If there is ZIP format error then I would expect ZipException or the more general IOException is already thrown. So I think this is catching other cases, maybe broken manifests or signed JAR files, in which case a JarException may be better.
>
> JarFile::getInputStream mentions ZipException but not JarException which is why I chose this. If we change this to JarException, I would need to update the javadoc and create a CSR.
> 
> Please let me know your preference

`JarException` is a subclass of `ZipException` though, so I think this would be ok to throw and still be compliant with the specification.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7348
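Added example (not code from the PR or the JDK) showing the point made in the reply above: because `JarException` extends `ZipException`, a method declared `throws ZipException` can rethrow the wrapped failure as a `JarException`, and a caller catching `ZipException` still receives it with the original cause attached. `readEntryName` and `verifiableEntry` here are hypothetical stand-ins for the JDK code under review.

```java
import java.util.jar.JarException;
import java.util.zip.ZipException;

public class JarExceptionCompat {

    // Hypothetical stand-in for the step that failed with an NPE in the bug report.
    static String readEntryName(String name) {
        if (name == null) {
            throw new NullPointerException("entry name is null");
        }
        return name;
    }

    // Same catch-all shape as the patch, but rethrows a JarException as suggested
    // in the review; the signature still only promises ZipException.
    static String verifiableEntry(String name) throws ZipException {
        try {
            return readEntryName(name);
        } catch (Exception e2) {
            // initCause returns Throwable, hence the cast back to the subtype.
            throw (JarException) new JarException("Zip file format error").initCause(e2);
        }
    }

    public static void main(String[] args) {
        try {
            verifiableEntry(null);
        } catch (ZipException e) {   // a JarException is caught by this clause too
            System.out.println(e.getClass().getName() + ": " + e.getMessage());
            System.out.println("cause: " + e.getCause());
        }
    }
}
```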



More information about the security-dev mailing list