On 11/01/2019 18:35, Brent Christian wrote:
Hi,
Please review my change for 8216401[1].
Webrev:
http://cr.openjdk.java.net/~bchristi/8216401/webrev-01/
The Class-Path section of the JAR spec[2] states that entries must be
relative URLs, however this hasn't been enforced for most of Java's
history. There is now code to enforce this, though it is disabled by
default for compatibility.
It has come to light that there are some widely-used libraries that
misuse the Class-Path attribute, by including absolute "file:" URL
entries. In the interest of compatibility with this long-standing
behavior, "file:" entries in the Class-Path of JARs loaded from the
local disk should be allowed.
This change will not affect the current default behavior, but
hopefully in the near future, the Class-Path enforcement code can be
enabled by default, and the change be reflected in the JAR spec[3].
The changes to URLClassPath look okay. When it comes to enabling the
checking by default then we should do it as early as possible in a
release to get as much testing as possible. We've seen this attribute
been misused by tools that add it with a value of an absolute URLs or
even file paths rather than URLs. It's possible these tools are
inserting file paths with Windows drive letters that might fall foul of
the checking. Also there might be cases where there is subtle redirects
to HTTP servers to fetch dependences, something that should never have
worked but there may be environments that depend on this broken behavior.
-Alan
