RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName() [v2]
Lance Andersen
lancea at openjdk.java.net
Thu Feb 10 21:35:57 UTC 2022
On Thu, 10 Feb 2022 20:37:50 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Agree on returning null to maintain current behavior. I would also lean towards amending the specification to specify what has been long-standing behavior.
>
> If we had to do it over again, I do think throwing IAE is more appropriate because this case would probably be due to a bug in the application code. Now code has to defensively check for a null return value. I don't know, maybe we don't want to modify the specification at this point and leave this as undefined behavior.
> Agree on returning null to maintain current behavior. I would also lean towards amending the specification to specify what has been long-standing behavior.
I just updated the PR to return null
-------------
PR: https://git.openjdk.java.net/jdk/pull/7348
More information about the security-dev
mailing list