RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v2]

Eirik Bjorsnos duke at openjdk.org
Sat Jan 14 13:21:43 UTC 2023


> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
> 
> The mentioned call sites needs updates to check and ignore such files.
> 
> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.

Eirik Bjorsnos has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains six additional commits since the last revision:

 - Check that non-signature related .SF, .RSA files are treated as regular (non signature related) files during signing
 - Merge branch 'master' into signature-related-subdirs
 - Simplify comment by removing a negative and changing "these paths" to "this path"
 - Use @modules tags instead of explicit --add-exports args
 - Merge branch 'master' into signature-related-subdirs
 - Files residing in subdirectories of META-INF/ should not be treated as signature related

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/11976/files
  - new: https://git.openjdk.org/jdk/pull/11976/files/342b3c20..828e083c

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=11976&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=11976&range=00-01

  Stats: 738 lines in 32 files changed: 484 ins; 86 del; 168 mod
  Patch: https://git.openjdk.org/jdk/pull/11976.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/11976/head:pull/11976

PR: https://git.openjdk.org/jdk/pull/11976


More information about the security-dev mailing list