On Tue, 10 May 2022 16:58:03 GMT, Lance Andersen <lan...@openjdk.org> wrote:
>>> I think this would be OK, but would need to get someone from our security
>>> team to bless it.
>>
>> It prints the entry name, I don't think it is leaking the file path to the
>> zip file.
>
>> > I think this would be OK, but would need to get someone from our security
>> > team to bless it.
>>
>> It prints the entry name, I don't think it is leaking the file path to the
>> zip file.
>
> I think you are probably right, I am probably being overly cautious
>
> > > > > @LanceAndersen @AlanBateman do you think adding the entry name in the
> > > > > exception in ZipFileSystem is ok? If so, should it maybe go into a
> > > > > different patch?
> > > >
> > > > It should be okay as this is the name of an entry in the zip file. It
> > > > might be a bit cleaner to add a method to IndexNode to return the name
> > > > as String. Alternatively maybe its toString could be changed to drop
> > > > the index (I would need to dig into the history to find out if there is
> > > > really any use for the index in the String representation).
> > >
> > > I think this would be OK, but would need to get someone from our security
> > > team to bless it.
> > > It might not be a bad idea to add a method to return the name as a
> > > String. There are a couple of places where we do a new String(name) so
> > > would economize any future changes
> >
> > Sounds fair. @LanceAndersen, can you please ask the security team about
> > their ok then and let me know? In case their answer is a yes, I'll work on
> > implementing the suggestion to return the name as String. Shall I maybe do
> > the zipfs change in a different PR then? The more important change in the
> > context of javac is printing out the jar name in javac itself.
>
> Already did ;-) so hopefully they will share their thoughts soon.

I think it would probably be good for a separate PR for the ZipFS change as it keeps it a bit clearer

-------------

PR: https://git.openjdk.java.net/jdk/pull/8616