RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories
Eirik Bjorsnos
duke at openjdk.org
Sat Jan 14 12:05:10 UTC 2023
On Fri, 13 Jan 2023 22:31:28 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
>>
>> The mentioned call sites needs updates to check and ignore such files.
>>
>> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.
>
> src/java.base/share/classes/java/util/zip/ZipFile.java line 1748:
>
>> 1746: .isBlockOrSF(new String(name, off, len, UTF_8.INSTANCE)
>> 1747: .toUpperCase(Locale.ENGLISH)));
>> 1748:
>
> How about updating `SignatureFileVerifier.isBlockOrSF` so that it only returns true for files inside `META-INF/`. This way it's consistent to this method.
I started there, but ran into some problems:
SignatureFileVerifier.isSigningRelated calls isBlockOrSF, but it removes the "META-INF/" prefix from the path first. So we can't assume that input to isBlockOrSF is the full path.
I could update SignatureFileVerifier.isSigningRelated to send the full path, but we still have another problem:
JarSigner.sign0 puts META-INF/ files in a vector, such that it can output them first. We want to update this method such that it outputs only files which live directly in META-INF/ first. So we still need to check for "directness" outside isBlockOrSF.
isBlockOrSF has 8 call sites, most of them in security sensitive and tricky code. In the end, I felt safer leaving isBlockOrSF alone and just fix the bug-relevant call sites instead. Also, being a new contributor to security-dev, I wanted to keep the PR relatively simple and easy to review.
WDYT?
-------------
PR: https://git.openjdk.org/jdk/pull/11976
More information about the security-dev
mailing list