On Mon, Nov 29, 2010 at 11:10 PM, Platonides <platoni...@gmail.com> wrote: > Bryan Tong Minh wrote: >> On Mon, Nov 29, 2010 at 9:29 PM, Roan Kattouw <roan.katt...@gmail.com> wrote: >>> "An alternative [to rejecting all ZIP files] would be to parse the >>> entire zip directory and to reject any archives that contain a file >>> with a .class extension. I can’t vouch for this method. **If you did >>> this, the zip library you used would have to be exactly as tolerant of >>> zip format errors as the one used by Java.** It would probably be best >>> to actually shell out to Java to do the test." >>> >> >> I was thinking about this. There appears to be no option to the java >> command line client to only check a file without executing. An option >> would be to invoke the java debugger (jdb), which initially breaks at >> the first instruction and presumably fails if the file is not a valid >> jar. Still sounds nasty though, plus the fact that jdb is not a >> generally installed program. >> >> >> Bryan > > Note that you can't simply check (or reverse-engineer) that JVM X > doesn't treat it as a jar, since it could be detected in X-1 or X+1. > So there should be a range of still in use JVMs to assert. > I think that the most recent version should be sufficient. I don't think Java would break backwards compatibility: users wouldn't be happy if their old jar suddenly stops working on a new JVM.
Bryan _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
