Integrated: 8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories
Eirik Bjorsnos
duke at openjdk.org
Fri Jan 27 22:51:28 UTC 2023
On Thu, 12 Jan 2023 18:44:26 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:
> Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
>
> The mentioned call sites need updates to check and ignore such files.
>
> A new test IgnoreUnrelatedSignatureFiles is added which verifies that [*.SF, *.RSA] files in META-INF/ subdirectories are indeed ignored.
This pull request has now been integrated.
Changeset: 5dfc4ec7
Author: Eirik Bjorsnos <eirbjo at gmail.com>
Committer: Weijun Wang <weijun at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/5dfc4ec7d94af9fe39fdee9d83b06101b827a3c6
Stats: 429 lines in 6 files changed: 405 ins; 8 del; 16 mod
8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories
Reviewed-by: weijun
-------------
PR: https://git.openjdk.org/jdk/pull/11976
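
The difference the quoted description draws, between a suffix match anywhere under META-INF/ and a match only directly in META-INF/, shown as an added example that is not part of the original message or of the JDK change. The class and method names are hypothetical, the archive is constructed in memory, and the .DSA and .EC suffixes are an assumption beyond the *.SF and *.RSA named in the message.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.List;
import java.util.Locale;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class MetaInfSignatureAudit {
    // Suffix-only test (hypothetical helper): says nothing about where the entry lives.
    static boolean hasSignatureSuffix(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        return n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Location test (hypothetical helper): directly in META-INF/, no further '/'.
    static boolean isDirectlyInMetaInf(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        return n.startsWith("META-INF/") && n.indexOf('/', "META-INF/".length()) < 0;
    }

    // Build a small constructed archive in memory so the example runs offline.
    static byte[] sampleJar(List<String> names) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("constructed sample".getBytes());
                zos.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] jar = sampleJar(List.of(
            "META-INF/MANIFEST.MF", "META-INF/SIGNER.SF", "META-INF/SIGNER.RSA",
            "META-INF/subdir/UNRELATED.SF", "META-INF/subdir/UNRELATED.RSA", "com/example/A.class"));
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(jar))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                String name = e.getName();
                boolean suffixOnly = name.toUpperCase(Locale.ENGLISH).startsWith("META-INF/") && hasSignatureSuffix(name);
                boolean strict = isDirectlyInMetaInf(name) && hasSignatureSuffix(name);
                System.out.printf("%-32s suffix-only=%-5b strict=%-5b%s%n", name, suffixOnly, strict,
                    suffixOnly != strict ? "  <- misclassified without the location check" : "");
            }
        }
    }
}
```

Only the two entries under META-INF/subdir/ are flagged, since they match by suffix but do not sit directly in META-INF/.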