RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v7]
Eirik Bjorsnos
duke at openjdk.org
Wed Jan 18 09:47:29 UTC 2023
> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
>
> The mentioned call sites needs updates to check and ignore such files.
>
> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.
Eirik Bjorsnos has updated the pull request incrementally with four additional commits since the last revision:
- Introduce SignatureFileVerifier.isInMetaInf as a common method to replace duplicated logic in JarVerifier, JarSigner and SignatureFileVerifier.isSigningRelated.
This introduces two subtle behavioural changes:
- JarSigner is relaxed to ignore case when checking isInMetaInf, meaning "meta-inf/" files will now be moved to the beginning of the signed JAR
- JarVerifier is tightened to reject /META-INF/ as not in META-INF/. This is believed to have little impact, since ZipFile.Source.isMetaName already rejects such paths.
- jarsigner -verify should also ignore unrelated signature files
- Style: Added whitespace separators between keyword and left parenthesis for try,while,if.Removed final accessors for some local variables.
- Replacing File.createTempFile with Path.of lets jtreg handle retention of JARs created during the test
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/11976/files
- new: https://git.openjdk.org/jdk/pull/11976/files/808d1f41..eadcc2c0
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=11976&range=06
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=11976&range=05-06
Stats: 114 lines in 5 files changed: 48 ins; 24 del; 42 mod
Patch: https://git.openjdk.org/jdk/pull/11976.diff
Fetch: git fetch https://git.openjdk.org/jdk pull/11976/head:pull/11976
PR: https://git.openjdk.org/jdk/pull/11976
More information about the security-dev
mailing list