RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName() [v2]
Lance Andersen
lancea at openjdk.java.net
Tue Feb 8 18:15:07 UTC 2022
On Tue, 8 Feb 2022 15:55:50 GMT, Alan Bateman <alanb at openjdk.org> wrote:
> ze can't be null here.
Actually it can be. Consider the following:
try (JarFile jf = new JarFile(SIGNED_VALID_ENTRY_NAME_JAR.toFile(), true)) {
    var ze = new ZipEntry("org/gotham/Batcave.class");
    var ex = expectThrows(ZipException.class,
            () -> jf.getInputStream(ze));
    // Validate that we receive the expected message from
    // JarFile::verifiableEntry when ZipEntry::getName returns null
    assertTrue(ex != null && ex.getMessage().equals("Error: ZipEntry should not be null!"));
}
The above code does generate the error.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7348