Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8355940

Detect duplicate entries in jar files with jar --validate

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Unresolved
    • Icon: P4 P4
    • 25
    • tools
    • None
    • jar

      Summary

      Enhance validation of jar file to detect duplicate entries, mismatched central directory and local file headers.

      Problem

      While a jar file created with the jar utility would not have duplicate entries, it is possible to produce a jar file using zip to have duplicate entries. Duplicated entries in a jar file could lead to override desired content, there should be a way to find out such "malformed" jar file for precaution.

      Solution

      Improve jar --validate command to support detection of duplicate or mismatched entries in a jar file.

      Specification

      Usage remains the same. But when a given jar file contains duplicate entries or entries only in central directory or only in local file headers, the jar file is considered invalid and the jar --validate will have non-zero return code.

      As jar file construction will have entries in the central directory recorded in the same order of local file headers, the --validation will also issue warning on that. However, it's still considered valid jar file ane jar --validate will exit with 0.

      Let's take a jar with following content,

      META-INF/MANIFEST.MF
META-INF/AANIFEST.MF
entry1.txt
META-INF/BANIFEST.MF
entry2.txt

      Assuming we modified central directory to have following,

      META-INF/MANIFEST.MF
META-INF/MANIFEST.MF
entry1.txt
META-INF/MANIFEST.MF
entry2.txt

      Then jar --validate on that jar file would produce

      Warning: More than one copy of META-INF/MANIFEST.MF is detected in central directory
Warning: More than one copy of META-INF/MANIFEST.MF is detected in central directory
Warning: Entry META-INF/AANIFEST.MF in local file header is not in central directory
Warning: Entry META-INF/BANIFEST.MF in local file header is not in central directory

      Assuming we modified the local file headers instead, then the output would be

      Warning: More than one copy of META-INF/MANIFEST.MF is detected in local file header
Warning: Central directory and local file header entries are not in the same order
Warning: More than one copy of META-INF/MANIFEST.MF is detected in local file header
Warning: Entry META-INF/AANIFEST.MF in central directory is not in local file header
Warning: Entry META-INF/BANIFEST.MF in central directory is not in local file header

      Note the ordering warning message, this is because the expected order from central directory is to have AANIFEST.MF but see the entry1.txt first instead. The jar --list would have output like following

      META-INF/MANIFEST.MF
META-INF/AANIFEST.MF
entry1.txt
META-INF/BANIFEST.MF
entry2.txt

      Assuming we modified the local file headers by change the order of AANIFEST.MF and BANIFEST.MF, the output would be

      Warning: Central directory and local file header entries are not in the same order

            henryjen Henry Jen
            henryjen Henry Jen
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: