-
Type:
Bug
-
Resolution: Fixed
-
Priority:
P4
-
Affects Version/s: None
-
Component/s: security-libs
-
None
-
b08
Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that files reside in META-INF directly, and not in a subdirectory of META-INF.
Note that the Jar File Specification does explicitly say:
"Note that if such files are located in META-INF subdirectories, they are not considered signature-related"
Note that the Jar File Specification does explicitly say:
"Note that if such files are located in META-INF subdirectories, they are not considered signature-related"
