RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName() [v2]
Lance Andersen
lancea at openjdk.java.net
Mon Feb 7 23:11:07 UTC 2022
On Mon, 7 Feb 2022 20:16:43 GMT, Lance Andersen <lancea at openjdk.org> wrote:
>> If you are pretty sure the only other cases are as above, I wonder if a simpler fix would be to change `verifiableEntry()` to check for these null cases and throw a `ZipException` which will get directly propagated by `getInputStream()`?
>
> I can certainly throw a ZipException from `verifiableEntry`. I am a bit reluctant to not catch any other `Exception` and then throw a `ZipException` from `getInputStream()` as it is certainly possible to encounter some other issue due to some stray value in the CEN.
>
> So I will update `verifiableEntry` to validate `ZipEntry` and `ZipEntry::getName()` potential issues
Per an offline discussion with Sean, I narrowed the Exception checking to JarFile::verifiableEntry.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7348