RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v14]
Eirik Bjorsnos
duke at openjdk.org
Wed Jan 18 16:08:39 UTC 2023
> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
>
> The mentioned call sites needs updates to check and ignore such files.
>
> A new test VerifyUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.
Eirik Bjorsnos has updated the pull request incrementally with one additional commit since the last revision:
Improve test coverage of SignatureFileVerifier.isSigningRelated by adding META-INF/unrelated.txt and META-INF/SIG- files with invalid as well as no file extension
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/11976/files
- new: https://git.openjdk.org/jdk/pull/11976/files/7aeef1c6..cf93bfc1
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=11976&range=13
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=11976&range=12-13
Stats: 14 lines in 1 file changed: 10 ins; 0 del; 4 mod
Patch: https://git.openjdk.org/jdk/pull/11976.diff
Fetch: git fetch https://git.openjdk.org/jdk pull/11976/head:pull/11976
PR: https://git.openjdk.org/jdk/pull/11976
More information about the security-dev
mailing list