Hi Alan, thanks for commenting on this.

Jaikiran mentioned that printing just the jar file name and not the file with
path might be okay:

> I am not a reviewer and neither do I have enough knowledge about whether 
> jar/file _names_ are considered security sensitive. However, the patch 
> that's proposed for this change, prints the file _path_ (and not just 
> the name). That I believe is security sensitive.

What do you think?

Best regards, Matthias


> -----Original Message-----
> From: Alan Bateman [mailto:alan.bate...@oracle.com]
> Sent: Sunday, 8 July 2018 09:36
> To: Baesken, Matthias <matthias.baes...@sap.com>; core-libs-
> d...@openjdk.java.net
> Cc: Lindenmaier, Goetz <goetz.lindenma...@sap.com>
> Subject: Re: [RFR] 8205525 : Improve exception messages during manifest
> parsing of jar archives
> 
> On 06/07/2018 13:44, Baesken, Matthias wrote:
> > Hi Alan, so it looks like JDK-8204233 added a switch (system property) to
> > enable the enhanced socket IOException messages.
> >
> > That would be an option as well for 8205525.
> Yes, it's documented in conf/security/java.security and something
> equivalent could be done here. The giveaway in your original patch is
> that it needed a privileged block to create the exception message.
> 
> >
> > 8205525 adds the jar file name and the line number info to the
> > exception message.
> >
> > In case that only the jar file name would be considered sensitive, I would
> > prefer to just output the line number (and omit the system property).
> >
> That should be okay (I can't think of any concerns).
> 
> -Alan
