On 10/07/2018 10:53, Baesken, Matthias wrote:
Hi Alan, thanks for commenting on this .
Jaikiran mentioned that printing just the jar file name and not file with
path might be okay :
I am not a reviewer and neither do I have enough knowledge about whether
jar/file _names_ are considered security sensitive. However, the patch
that's proposed for this change, prints the file _path_ (and not just
the name). That I believe is security sensitive.
What do you think ?
In the ZipFile API, the "name" may include path information but if you
strip that and include just the file name then it should be okay. A
useful way to think about is the information revealed when a HTTP
response serves up a tasty stack trace.
-Alan.
