On 29/08/2018 03:09, Xueming Shen wrote:
Hi,
Please help review the proposed change for JDK-8197398.
issue: https://bugs.openjdk.java.net/browse/JDK-8197398
webrev: http://cr.openjdk.java.net/~sherman/8197398/webrev
A little background:
The existing zipfs has an assumption that the "normal/healthy/secured" zip/jar file should not include any entry that has an absolute path, root "/" included. Various jar/zip tools have been fixed/patched in the past years to avoid creating such a jar/zip file for security reasons. But there are zip/jar files in the wild that do include absolute paths and do include a "/" root sometimes; the offending jar file included in the bug report is just one of those.

The approach looks okay. I just wonder if the test could be expanded to cover an entry with repeated leading slashes.
One nit is that hasAbsolutePath (and also the existing readOnly) aren't final. One suggestion is for initCEN to return a CEN object that defines array() and hasAbsolutePath() methods that you can use in the constructor for initializing the final fields.
-Alan
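
The following is an added illustration, not part of the original thread and not the zipfs change under review: a self-contained Java program that builds a zip in memory with absolute-path entries (a "/" root and repeated leading slashes included) and reports them using only the public java.util.zip API. The class name, the sample entry names and the `toRelative` helper are assumptions made for the example; `toRelative` is one possible normalization, not a description of how zipfs handles such entries.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class AbsoluteEntryScan {
    // Constructed sample names: a "/" root, an absolute path, repeated
    // leading slashes, and one ordinary relative entry.
    static final String[] SAMPLE = {
        "/", "/etc/app.conf", "//lib//util.class", "META-INF/MANIFEST.MF" };

    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : SAMPLE) {
                zos.putNextEntry(new ZipEntry(name));
                if (!name.endsWith("/")) zos.write(name.getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    // Returns every entry name that starts with one or more '/' characters.
    static List<String> absoluteEntries(byte[] zip) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                if (e.getName().startsWith("/")) hits.add(e.getName());
            }
        }
        return hits;
    }

    // Hypothetical helper: strips all leading '/' so the name is relative.
    // An empty result means the entry was the root itself; inner "//" is kept.
    static String toRelative(String name) {
        int i = 0;
        while (i < name.length() && name.charAt(i) == '/') i++;
        return name.substring(i);
    }

    public static void main(String[] args) throws IOException {
        for (String name : absoluteEntries(buildSampleZip()))
            System.out.printf("absolute entry %-20s -> relative \"%s\"%n", name, toRelative(name));
    }
}
```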