RFR: JDK-8197398, (zipfs) Files.walkFileTree walk indefinitelly while processing JAR file with "/" as a directory inside.
Alan Bateman
Alan.Bateman at oracle.com
Wed Aug 29 10:22:46 UTC 2018
On 29/08/2018 03:09, Xueming Shen wrote:
> Hi,
>
> Please help review the proposed change for JDK-8197398.
>
> issue: https://bugs.openjdk.java.net/browse/JDK-8197398
> webrev: http://cr.openjdk.java.net/~sherman/8197398/webrev
>
> A little background:
>
> The existing zipfs has an assumption that the "normal/healthy/secured"
> zip/jar file should not
> include any entry that has an absolute path, root "/" included.
> Various jar/zip tools have been
> fixed/patched in the past years to avoid create such a jar/zip file
> for security reason. But there
> are zip/jar files in the wild that do include absolute paths and do
> include a "/" root sometime, the
> offending jar file included in the bug report is just one of those.
The approach looks okay, I think just wonder if the test could be
expanded to cover entry with repeated leading slashes.
One nit is that hasAbsolutePath (and also the existing readOnly) aren't
final. One suggestion is for initCEN to return a CEN object that defines
array() and hasAbsolutePath() methods that you can use in the
constructor for the initializing the final fields.
-Alan
More information about the core-libs-dev
mailing list