RFR: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories [v15]
Weijun Wang
weijun at openjdk.org
Fri Jan 27 22:19:20 UTC 2023
On Tue, 24 Jan 2023 12:31:30 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:
>> Some call sites of SignatureFileVerifier.isBlockOrSF fails to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
>>
>> The mentioned call sites needs updates to check and ignore such files.
>>
>> A new test IgnoreUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.
>
> Eirik Bjorsnos has updated the pull request incrementally with one additional commit since the last revision:
>
> Add whitespace after keywords if and for
Marked as reviewed by weijun (Reviewer).
Yes, you're right. `ZipFile:: isSignatureRelated ` collects them for verification but `SignatureFileVerifier:: isSigningRelated` is about do not re-sign them while signing.
Maybe we can rename `ZipFile::isSignatureRelated` to `ZipFile::isBlockOrSF` as well?
I'll approved this PR. Thanks.
-------------
PR: https://git.openjdk.org/jdk/pull/11976
More information about the security-dev
mailing list