RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v14]

Eirik Bjorsnos duke at openjdk.org
Wed Jan 18 16:13:17 UTC 2023


On Wed, 18 Jan 2023 13:42:12 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:

>> When introducing the call to isInMetaInf in isSigningRelated, I accidentally broke the matching of MANIFEST.MF and SIG-* files.
>> 
>> When fixing this regression, I now match against the full path instead of the existing prefix stripping substring. (A nice side effect of this is that isBlockOrSF is now always called with the full path)
>> 
>> Since the regression was not caught by any existing test, I'm also adding a sanity check that a basic signed JAR has the expected sections in MANIFEST.MF. (The regression introduced a section for META-INF/MANIFEST.MF which seemed to not be caught by tests)
>
> On a similar note, I added test coverage for the matching of custom SIG-* files in SignatureFileVerifier.isSigningRelated.
> 
> The test now checks both valid and invalid SIG- file extensions and directory locations inside/outside META-INF.

Added test cases for:

- META-INF/unrelated.txt (Unrelated file in META-INF)
- META-INF/SIG-CUSTOM (No extension is ok)
- META-INF/SIG-CUSTOM2. (Extension too short)
- META-INF/SIG-CUSTOM2.ABCD (Extension too long)

Reading the Jar File Specification, I cannot see that it explicitly allows no extension for SIG- files, but that's what the current code does. It feels safest to leave it that way.

-------------

PR: https://git.openjdk.org/jdk/pull/11976
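
The classification that the test cases above exercise, written out as an added Java example; it is not the JDK's code and not part of the original message. The class and method are stand-alone and hypothetical, and the .SF/.DSA/.RSA/.EC suffixes and the 1 to 3 character alphanumeric extension limit are assumptions taken from the JAR File Specification rather than from this thread.

```java
import java.util.List;
import java.util.Locale;

public class SigningRelatedDemo {

    // Hypothetical stand-alone re-implementation of the matching rules; not the JDK's code.
    static boolean isSigningRelated(String entryName) {
        String name = entryName.toUpperCase(Locale.ENGLISH);
        if (!name.startsWith("META-INF/")) {
            return false;
        }
        String file = name.substring("META-INF/".length());
        // Only direct children of META-INF count; subdirectory entries do not.
        if (file.isEmpty() || file.indexOf('/') != -1) {
            return false;
        }
        if (file.equals("MANIFEST.MF")) {
            return true;
        }
        // Assumption (JAR spec): signature files and signature block files.
        if (file.endsWith(".SF") || file.endsWith(".DSA")
                || file.endsWith(".RSA") || file.endsWith(".EC")) {
            return true;
        }
        if (!file.startsWith("SIG-")) {
            return false;
        }
        int dot = file.lastIndexOf('.');
        if (dot == -1) {
            return true; // SIG- file with no extension is accepted
        }
        String ext = file.substring(dot + 1);
        if (ext.length() < 1 || ext.length() > 3) {
            return false; // "SIG-CUSTOM2." is too short, "SIG-CUSTOM2.ABCD" is too long
        }
        // Assumption (JAR spec): extension characters are A-Z or 0-9 (already upper-cased).
        return ext.chars().allMatch(c -> (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'));
    }

    public static void main(String[] args) {
        // The first four names are the cases listed in the message; the rest are constructed.
        List<String> names = List.of(
            "META-INF/unrelated.txt", "META-INF/SIG-CUSTOM",
            "META-INF/SIG-CUSTOM2.", "META-INF/SIG-CUSTOM2.ABCD",
            "META-INF/MANIFEST.MF", "META-INF/SIGNER.SF",
            "META-INF/subdir/MANIFEST.MF", "META-INF/SIG-CUSTOM.ABC");
        names.forEach(n -> System.out.printf("%-30s %b%n", n, isSigningRelated(n)));
    }
}
```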


