Hello Erik,
Thanks for asking on the mailing list first.
We have some work in progress in this area and we will
publish a PR in due course.
best regards,
-- daniel
On 12/11/2024 19:04, Eirik Bjørsnøs wrote:
Hi,
With the SecurityManager permanently disabled, the checking that a JAR
file starts with the LOC signature in URLClassPath.Loader::checkJar has
now become unreachable.
The method was added in JDK-8008593. This issue is not available, so I
can't research why this was added, nor why it depends on a security
manager being set. But it does not itself not use the security manager.
It's not clear what this check protects against (ZIP files are allowed
to have prefix stubs?) nor why the check depends on the security manager
being configured.
I'm inclined to suggest a PR to remove this check with the associated
system property to disable it, plus the supporting code in ZipFile
and JavaUtilZipFileAccess.
But before I do that, can someone with access to history comment on
whether this check should be kept around, but perhaps changed to depend
on something else than the security manager? Currently, this is simply
dead code.
Thanks,
Eirik.
