[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives
matthias.baesken at sap.com
Mon Jul 16 13:53:29 UTC 2018
Hello, after the latest comments from Alan and Jaikiran I created a new webrev:
The jar file path is now printed in case jdk.includeInExceptions contains jarpath (this approach is "borrowed" from the enhanced socket exceptions).
The line number is always printed.
Best regards, Matthias
> -----Original Message-----
> From: Baesken, Matthias
> Sent: Tuesday, 10 July 2018 11:53
> To: 'Alan Bateman' <Alan.Bateman at oracle.com>; core-libs-
> dev at openjdk.java.net; 'jai.forums2013 at gmail.com'
> <jai.forums2013 at gmail.com>
> Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> Subject: RE: [RFR] 8205525 : Improve exception messages during manifest
> parsing of jar archives
> Hi Alan, thanks for commenting on this.
> Jaikiran mentioned that printing just the jar file name and not file with
> path might be okay:
> > I am not a reviewer and neither do I have enough knowledge about
> > jar/file _names_ are considered security sensitive. However, the patch
> > that's proposed for this change, prints the file _path_ (and not just
> > the name). That I believe is security sensitive.
> What do you think?
> Best regards, Matthias
> > -----Original Message-----
> > From: Alan Bateman [mailto:Alan.Bateman at oracle.com]
> > Sent: Sunday, 8 July 2018 09:36
> > To: Baesken, Matthias <matthias.baesken at sap.com>; core-libs-
> > dev at openjdk.java.net
> > Cc: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>
> > Subject: Re: [RFR] 8205525 : Improve exception messages during manifest
> > parsing of jar archives
> > On 06/07/2018 13:44, Baesken, Matthias wrote:
> > > Hi Alan, so it looks like JDK-8204233 added a switch (system property)
> > > enable the enhanced socket IOException messages.
> > >
> > > That would be an option as well for 8205525.
> > Yes, it's documented in conf/security/java.security and something
> > equivalent could be done here. The giveaway in your original patch is
> > that it needed a privileged block to create the exception message.
> > >
> > > 8205525 adds the jar file name and the line number info to the
> > > exception message.
> > >
> > > In case that only the jar file name would be considered sensitive, I
> > > prefer to just output the line number (and omit the system property).
> > >
> > That should be okay (I can't think of any concerns).
> > -Alan
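
The gating described in the top message, as an added example that is not the webrev's code: the line number is always part of the message, while the jar path appears only when the `jdk.includeInExceptions` security property lists `jarpath`. The class and method names, the message wording, the sample path and the comma-separated exact-match parsing are assumptions made for illustration.

```java
import java.security.Security;
import java.util.Arrays;

public class ManifestErrorMessage {
    // Security property named in the thread (set in conf/security/java.security).
    static final String PROP = "jdk.includeInExceptions";
    // Category value as written in the message above.
    static final String JAR_PATH_CATEGORY = "jarpath";

    /**
     * Assumption: the property value is a comma-separated list of categories.
     * An unset or empty property enables nothing, so the default leaks no path.
     */
    static boolean categoryEnabled(String propertyValue, String category) {
        if (propertyValue == null) {
            return false;
        }
        return Arrays.stream(propertyValue.split(","))
                     .map(String::trim)
                     .anyMatch(category::equals);
    }

    /** Line number is always included; the jar path only when opted in. */
    static String message(String problem, String jarPath, int line, boolean includePath) {
        StringBuilder sb = new StringBuilder(problem);
        if (includePath && jarPath != null) {
            sb.append(" in jar file ").append(jarPath);
        }
        return sb.append(" (manifest line ").append(line).append(")").toString();
    }

    public static void main(String[] args) {
        String jar = "/opt/app/lib/example.jar"; // constructed sample path
        String problem = "invalid header field"; // constructed sample text

        // What the running JVM's configuration allows.
        boolean allowed = categoryEnabled(Security.getProperty(PROP), JAR_PATH_CATEGORY);
        System.out.println("current policy : " + message(problem, jar, 7, allowed));

        // The two settings side by side, using constructed property values.
        for (String value : new String[] { "hostInfo", "hostInfo,jarpath" }) {
            boolean on = categoryEnabled(value, JAR_PATH_CATEGORY);
            System.out.println(value + " : " + message(problem, jar, 7, on));
        }
    }
}
```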