In this case, the caller is passing in the filename through the public JarFile API, so as long as it is not modified it should be OK. The concerns I raised previously are situations where the caller did not pass in the file, or where the JDK converts a relative path to an absolute path, which could reveal sensitive details about the filesystem.

--Sean

On 1/8/19 9:27 AM, Roger Riggs wrote:
Hi,

Even though this is a bug fix, the security concerns about putting the full pathnames of files in exceptions should be considered.  I would be fine with putting only the filename (no path) in the message.

If a typo is in scope:  line 89 "occured" -> "occurred".

Thanks, Roger


On 01/08/2019 07:15 AM, Lance Andersen wrote:
Hi Philipp,

I created JDK-8216362 and will look to address it later today or tomorrow.

Best
Lance
On Jan 8, 2019, at 1:24 AM, Philipp Kunz <philipp.k...@paratix.ch> wrote:

Hi Lance,

I also see fit for a new bug. But I cannot create it now because I cannot log in to Jira and don't know how else to create one and I don't have the slightest idea how to get such a privilege. Could you give me a hint how to proceed?

Philipp

On Mon, 2019-01-07 at 18:05 -0500, Lance Andersen wrote:
Hi Philipp,

I would like to suggest a new bug for this so if you can do that I can sponsor the proposed change

Thank you
On Jan 7, 2019, at 5:39 PM, Philipp Kunz <philipp.k...@paratix.ch> wrote:

<8205525.patch>
Lance Andersen | Principal Member of Technical Staff | +1.781.442.2037
Oracle Java Engineering
1 Network Drive
Burlington, MA 01803
lance.ander...@oracle.com



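The point the thread keeps returning to is that an exception raised while reading a jar should name the file but not its directory: echoing a caller-supplied name back is fine, but a path the JDK has resolved to an absolute location can leak the layout of the host filesystem to whoever sees the message. The following is an added example, not code from the JDK or from the patch under review; the class name, the helper names and the constructed temporary file are assumptions made for illustration. It shows the leaky form of the message beside the file-name-only form Roger suggests, and wraps JarFile so that a failed open is reported without the resolved path.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.JarFile;

public final class JarExceptionMessages {

    // Leaky form: includes the resolved absolute location. Anyone who can
    // read this message learns the directories above the jar, which the
    // caller may never have supplied.
    static String leakyMessage(Path jar, String problem) {
        return problem + " in " + jar.toAbsolutePath();
    }

    // File-name-only form: only the last path element is reported, so the
    // message reveals nothing about where on the filesystem the jar lives.
    static String fileNameOnlyMessage(Path jar, String problem) {
        Path name = jar.getFileName();
        return problem + " in " + (name == null ? "<unnamed>" : name.toString());
    }

    // Opens the jar with signature verification on; if the open fails, the
    // IOException is rethrown with a message that names the file but not
    // its directory, keeping the original exception as the cause.
    static JarFile open(String callerSupplied) throws IOException {
        Path p = Path.of(callerSupplied);
        try {
            return new JarFile(p.toFile(), true);
        } catch (IOException e) {
            throw new IOException(fileNameOnlyMessage(p, "cannot open jar"), e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input (assumption): a temporary file that is not a
        // valid jar, so that opening it is guaranteed to fail.
        Path bogus = Files.createTempFile("not-a-jar", ".jar");
        try {
            Files.writeString(bogus, "this is not a zip archive");
            System.out.println("leaky:     " + leakyMessage(bogus, "invalid manifest"));
            System.out.println("sanitized: " + fileNameOnlyMessage(bogus, "invalid manifest"));
            try (JarFile jf = open(bogus.toString())) {
                System.out.println("opened " + jf.getName());
            } catch (IOException e) {
                // Message names only the temp file, not the temp directory.
                System.out.println("caught: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(bogus);
        }
    }
}
```

Run with `java JarExceptionMessages.java` (JDK 11 or later). Note that the "as given" string is the one case Sean describes as safe: if the message echoes exactly what the caller passed to the public API, nothing new is revealed; the getFileName() form is the conservative choice for any path the library itself has resolved.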



