On Wed, 29 Nov 2023 01:10:29 GMT, Bernd <d...@openjdk.org> wrote:

>> Hi Alan,
>>
>> Thanks for taking a look. I updated the toString() value to the one you
>> suggested, and also dropped the specific aspects of the specification.
>>
>> I am not sure if you have a preference one way or another regarding
>> providing the full path versus just the file name, but I can switch the full
>> path for just the file name if need be.
>
> I like the new wording (have no opinion if absolute path is better).

Hello Justin,

> I am not sure if you have a preference one way or another regarding providing
> the full path versus just the file name, but I can switch the full path for
> just the file name if need be.

My opinion is that we should not use the absolute path here. Section 2.1 of secure coding guidelines https://www.oracle.com/java/technologies/javase/seccodeguide.html#2-1 suggests not to include full paths in exception messages. With the proposed change to the toString() method here, which uses absolute paths, I think it would then mean that we would have to review (within the JDK) usages of (explicit or implicit) `ZipFile.toString()` to prevent accidentally including the complete paths in the exceptions, like in the case below:

    final ZipFile zf = new ZipFile("/home/me/xyz.zip");
    ... // do something
    throw new Exception("failed to handle zipfile " + zf);

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16643#discussion_r1410455514
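
The concern in the message above, as an added example that is not part of the original message or of the JDK: a small check that compares an exception built from the implicit `ZipFile.toString()` with one that names only the file, and scans the messages for the containing directory. The class and method names (`ZipPathLeakCheck`, `leaky`, `hardened`, `leaksDirectory`) are hypothetical, and the archive is constructed in a temporary directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class ZipPathLeakCheck {

    // Pattern from the message: the message text depends on ZipFile.toString(),
    // so it carries the full path whenever toString() does.
    static Exception leaky(ZipFile zf) {
        return new Exception("failed to handle zipfile " + zf);
    }

    // Hardened form: name only the last path element, independent of toString().
    static Exception hardened(ZipFile zf) {
        Path fileName = Path.of(zf.getName()).getFileName();
        return new Exception("failed to handle zipfile " + fileName);
    }

    // True if any message in the cause chain contains the given directory path.
    static boolean leaksDirectory(Throwable t, Path dir) {
        String needle = dir.toAbsolutePath().toString();
        for (Throwable c = t; c != null; c = c.getCause()) {
            String msg = c.getMessage();
            if (msg != null && msg.contains(needle)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("zipleak"); // constructed sample input
        Path zip = dir.resolve("xyz.zip");
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zip))) {
            zos.putNextEntry(new ZipEntry("a.txt"));     // one empty entry
            zos.closeEntry();
        }
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            System.out.println("implicit toString leaks dir: " + leaksDirectory(leaky(zf), dir));
            System.out.println("file-name-only leaks dir:    " + leaksDirectory(hardened(zf), dir));
        } finally {
            Files.delete(zip);
            Files.delete(dir);
        }
    }
}
```

The result for the implicit `toString()` form depends on what the running JDK's `ZipFile.toString()` returns; the file-name-only form does not.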