JDK-8300140

ZipFile.isSignatureRelated returns true for files in META-INF subdirectories


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • 21
    • None
    • security-libs
    • None

      Some call sites of SignatureFileVerifier.isBlockOrSF fail to check that files reside in META-INF directly, and not in a subdirectory of META-INF.

      Note that the Jar File Specification does explicitly say:

      "Note that if such files are located in META-INF subdirectories, they are not considered signature-related"
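
      The distinction described above, as an added example that is not the JDK's own code: an extension-only test under the META-INF/ prefix beside one that also rejects subdirectories. The class and method names are hypothetical, the extension list (.SF, .DSA, .RSA, .EC) is an assumption, and the entry names are constructed.

```java
import java.util.List;
import java.util.Locale;

public class MetaInfSignatureCheck {
    // Hypothetical helper: tests the extension only, says nothing about the directory.
    static boolean hasSignatureExtension(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        return n.endsWith(".SF") || n.endsWith(".DSA")
            || n.endsWith(".RSA") || n.endsWith(".EC");
    }

    // Incomplete check: accepts anything under META-INF/, subdirectories included.
    static boolean looseCheck(String name) {
        return name.toUpperCase(Locale.ENGLISH).startsWith("META-INF/")
            && hasSignatureExtension(name);
    }

    // Check matching the specification text: the entry must sit directly in
    // META-INF, so no further '/' may follow the "META-INF/" prefix.
    static boolean strictCheck(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        return n.startsWith("META-INF/")
            && n.indexOf('/', "META-INF/".length()) == -1
            && hasSignatureExtension(n);
    }

    public static void main(String[] args) {
        // Constructed entry names, not taken from a real JAR.
        List<String> names = List.of(
            "META-INF/APP.SF",
            "META-INF/app.rsa",
            "META-INF/services/legacy.sf",
            "META-INF/x/y/KEY.DSA",
            "com/example/notes.sf");
        for (String name : names) {
            // The two checks disagree only for the entries in META-INF subdirectories.
            System.out.printf("%-30s loose=%-5b strict=%b%n",
                name, looseCheck(name), strictCheck(name));
        }
    }
}
```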

            weijun Weijun Wang
            mullan Sean Mullan