Integrated: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

Eirik Bjorsnos duke at openjdk.org
Fri Jan 27 22:51:28 UTC 2023


On Thu, 12 Jan 2023 18:44:26 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:

> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
> 
> The mentioned call sites need updates to check and ignore such files.
> 
> A new test IgnoreUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.

This pull request has now been integrated.

Changeset: 5dfc4ec7
Author:    Eirik Bjorsnos <eirbjo at gmail.com>
Committer: Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/5dfc4ec7d94af9fe39fdee9d83b06101b827a3c6
Stats:     429 lines in 6 files changed: 405 ins; 8 del; 16 mod

8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

Reviewed-by: weijun

-------------

PR: https://git.openjdk.org/jdk/pull/11976
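
The distinction described in the quoted PR text, as an added example that is not part of the original message and is not the JDK's own code: an extension-only test next to one that also requires the entry to sit directly in META-INF/. The class and method names are hypothetical, and the entry names are constructed sample input.

```java
import java.util.List;
import java.util.Locale;

// Hypothetical illustration; not the JDK implementation.
public class SignatureEntryCheck {
    private static final String META_INF = "META-INF/";

    // Extension test only: says nothing about where the entry lives.
    static boolean hasSignatureExtension(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        return n.endsWith(".SF") || n.endsWith(".DSA")
            || n.endsWith(".RSA") || n.endsWith(".EC");
    }

    // Loose check: any entry anywhere under META-INF/ with a signature
    // extension is treated as signature related.
    static boolean looseCheck(String name) {
        return name.toUpperCase(Locale.ENGLISH).startsWith(META_INF)
            && hasSignatureExtension(name);
    }

    // Strict check: the entry must be directly in META-INF/, so no further
    // '/' may appear after the prefix.
    static boolean strictCheck(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        return n.startsWith(META_INF)
            && n.indexOf('/', META_INF.length()) == -1
            && hasSignatureExtension(n);
    }

    public static void main(String[] args) {
        // Constructed entry names for illustration.
        List<String> names = List.of(
            "META-INF/APP.SF",
            "META-INF/APP.RSA",
            "META-INF/sub/APP.SF",
            "META-INF/sub/deeper/APP.RSA",
            "com/example/APP.SF");
        for (String name : names) {
            System.out.printf("%-30s loose=%-5b strict=%b%n",
                name, looseCheck(name), strictCheck(name));
        }
    }
}
```

The two checks disagree only on the entries in META-INF subdirectories, which are the files the PR says should be ignored.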


