On Wed, Nov 20, 2019 at 2:25 AM Alan Bateman <alan.bate...@oracle.com> wrote: > > On 19/11/2019 23:25, David Lloyd wrote: > > : > > OK, having read the updated specification (thanks Alan!) I'm now quite > > curious why `/C:/helloworld.jar` is considered invalid. It is in fact > > a valid relative URL (colons are allowed in path segments, and the > > leading `/` unambiguously delineates the URL path), and thus it seems > > that it should be considered valid. > This is a awkward area as the parsing here is very security sensitive. > The current implementation is deliberately limited to make it easy to > audit. It was a deliberate decision to disallow relative URLs that > encode a Windows file path containing a drive letter.
OK, but this decision violates both the old and updated spec (and makes it difficult to write code that works in both cases: in situations that reject absolute URLs (javac) and in situations that reject drive letters (this code)), so I would request that this be revisited. > You can of course > use an absolute file URL here and I would expect > "file:/C:/helloworld.jar" to work. The spec was relaxed to allow > absolute file URLs for cases like this. I'm not opposed to expanding the > parsing to allow for more cases but a detailed security review will be > needed on all changes in this area. Is there anything I can do to help? -- - DML
