RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName() [v2]
Sean Mullan
mullan at openjdk.java.net
Tue Feb 8 16:18:05 UTC 2022
On Tue, 8 Feb 2022 15:57:00 GMT, Alan Bateman <alanb at openjdk.org> wrote:
>> src/java.base/share/classes/java/util/jar/JarFile.java line 871:
>>
>>> 869: }
>>> 870: // ZipEntry::getName should not return null
>>> 871: if(ze.getName() != null) {
>>
>> Nit, add space after "if"
>
> If ZipEntry is extended and getName() overridden then you can't trust the name. So I think you'll have to extract the name rather than calling ZipEntry::getName twice. I'm almost tempted to have getInputStream(ZipEntry) be re-specified to throw IAE if the zip entry name is null.
Ah, yes - good catch!
-------------
PR: https://git.openjdk.java.net/jdk/pull/7348
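
Added example, not part of the original message and not the JDK's own code: it shows why a null check followed by a second ZipEntry::getName call gives no guarantee when getName() is overridden, next to the read-once form suggested in the review. The names ReadNameOnce, FlippingEntry, lengthCheckedTwice and lengthReadOnce are hypothetical, and throwing IllegalArgumentException on a null name is an assumption taken from the suggestion quoted above.

```java
import java.util.zip.ZipEntry;

public class ReadNameOnce {
    // Constructed test double: a ZipEntry subclass whose getName() answers
    // differently on successive calls, as an overridden getter is free to do.
    static final class FlippingEntry extends ZipEntry {
        private int calls;
        FlippingEntry(String name) { super(name); }
        @Override public String getName() {
            return (calls++ == 0) ? super.getName() : null;
        }
    }

    // Check-then-use: the null check and the use are separate calls, so the
    // check says nothing about the value that is actually dereferenced.
    static int lengthCheckedTwice(ZipEntry ze) {
        if (ze.getName() != null) {
            return ze.getName().length(); // second call may return null
        }
        throw new IllegalArgumentException("entry name is null");
    }

    // Read once: the value that was checked is the value that is used.
    static int lengthReadOnce(ZipEntry ze) {
        String name = ze.getName();
        if (name == null) {
            throw new IllegalArgumentException("entry name is null");
        }
        return name.length();
    }

    public static void main(String[] args) {
        String sample = "META-INF/MANIFEST.MF"; // constructed sample name
        try {
            lengthCheckedTwice(new FlippingEntry(sample));
        } catch (NullPointerException e) {
            System.out.println("checked twice: NPE despite the null check");
        }
        System.out.println("read once: " + lengthReadOnce(new FlippingEntry(sample)));
        ZipEntry alwaysNull = new ZipEntry("x") {
            @Override public String getName() { return null; }
        };
        try {
            lengthReadOnce(alwaysNull);
        } catch (IllegalArgumentException e) {
            System.out.println("read once, null name: " + e.getMessage());
        }
    }
}
```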