RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName() [v3]

Alan Bateman alanb at openjdk.java.net
Fri Feb 11 13:49:09 UTC 2022


On Thu, 10 Feb 2022 21:35:56 GMT, Lance Andersen <lancea at openjdk.org> wrote:

>> Hi all,
>> 
>> Please review the attached patch to address
>> 
>> - That JarFile::getInputStream did not check for a null ZipEntry passed as a parameter
>> - Have Zip/JarFile::getInputStream throw a ZipException in the event that an unexpected exception occurs
>> 
>> Mach5 tiers1-3 runs are clean as are the TCK java.util.zip and java.util.jar test runs
>> 
>> Best
>> Lance
>
> Lance Andersen has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - Return a null InputStream when the ZipEntry is not found in the Jar
>  - Address formatting and message feedback

src/java.base/share/classes/java/util/jar/JarFile.java line 881:

> 879:             ze = getJarEntry(entryName);
> 880:         } else {
> 881:             throw new ZipException("ZipEntry::getName returned null");

Throwing ZipException when ZipEntry::getName returns null is still surprising but not terrible. The spec for getInputStream specifies ZipException for when a zip file format error occurs, so we might have to extend that to add "or the zip entry name is null".

-------------

PR: https://git.openjdk.java.net/jdk/pull/7348


