[RFR] 8205525 : Improve exception messages during manifest parsing of jar archives

Alan Bateman Alan.Bateman at oracle.com
Wed Jul 11 11:12:26 UTC 2018

On 10/07/2018 10:53, Baesken, Matthias wrote:
> Hi Alan, thanks for commenting on this .
> Jaikiran  mentioned that  printing  just  the  jar file name and not file with path  might be okay :
>> I am not a reviewer and neither do I have enough knowledge about whether
>> jar/file _names_ are considered security sensitive. However, the patch
>> that's proposed for this change, prints the file _path_ (and not just
>> the name). That I believe is security sensitive.
> What do you think ?
In the ZipFile API, the "name" may include path information but if you 
strip that and include just the file name then it should be okay. A 
useful way to think about is the information revealed when a HTTP 
response serves up a tasty stack trace.


More information about the core-libs-dev mailing list