Thanks Phillipp, I had already updated the test to account for both scenarios. I will push out the webrev tomorrow
Best Lance > On Jan 8, 2019, at 7:17 PM, Philipp Kunz <philipp.k...@paratix.ch> wrote: > > Manifest.read throws an exception with the jar file name passed to the > constructor the manifest was constructed with and not passed to the call to > the read that throws the exception because the jarFilename variable is not > reset after successful construction with read and will be used by subsequent > calls to read if read is called (again) after the manifest has been > constructed. The call to the constructor could be in a different context than > the call to read and the jar file name could therefore be exposed in an > unexpected context. After I first thought it was just annoying to get an > unrelated jar file name in an exception message I see now a security concern > as well. > > At first glance and in terms of expectable code changes to the questionable > constructor of Manifest the above mentioned seems to be overlapping with > issue JDK-8216362 but then JDK-8216362 is about the jar file name missing in > an error message when it should be present and not the other way round. > Attached is a patch for JDK-8216362 as it is described at the moment. > > Philipp > > > On Tue, 2019-01-08 at 13:07 -0500, Sean Mullan wrote: >> In this case, the caller is passing in the filename through the public >> JarFile API so as long as it is not modified it should be ok. The >> concerns I raised previously are situations where the caller did not >> pass in the file or the JDK converts a relative path to an absolute >> path, which could reveal sensitive details about the filesystem. >> >> --Sean > <8216362.patch> <http://oracle.com/us/design/oracle-email-sig-198324.gif> <http://oracle.com/us/design/oracle-email-sig-198324.gif> <http://oracle.com/us/design/oracle-email-sig-198324.gif> <http://oracle.com/us/design/oracle-email-sig-198324.gif>Lance Andersen| Principal Member of Technical Staff | +1.781.442.2037 Oracle Java Engineering 1 Network Drive Burlington, MA 01803 lance.ander...@oracle.com <mailto:lance.ander...@oracle.com>
