Posted to commits@harmony.apache.org by "George Harley (JIRA)" <ji...@apache.org> on 2006/04/04 14:08:44 UTC

[jira] Resolved: (HARMONY-204) java.util.jar.JarFile should throw Security Exception when getInputStream from a jar file in which the content of main attributes in manifest has been tampered

     [ http://issues.apache.org/jira/browse/HARMONY-204?page=all ]
     
George Harley resolved HARMONY-204:
-----------------------------------

    Resolution: Fixed

Hi Richard, 

Updated patch fixes the exceptions seen yesterday, thanks. New tests pass against both the latest Harmony and the 5.0 RI.  

Changes committed in SVN revision 391283. Please could you verify that these have been applied as expected. 

Many thanks, 
George

> java.util.jar.JarFile should throw Security Exception when getInputStream from a jar file in which the content of main attributes in manifest has been tampered
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>          Key: HARMONY-204
>          URL: http://issues.apache.org/jira/browse/HARMONY-204
>      Project: Harmony
>         Type: Bug
>   Components: Classlib
>     Reporter: Richard Liang
>     Assignee: George Harley
>  Attachments: Modified_Manifest_MainAttributes.jar, harmony204.updated.zip, harmony204.zip
>
> According to the new feature in the JAR File Specification for Java 5.0, the .SF signature file, which verifies the manifest, has a new algorithm-Digest-Manifest-Main-Attributes entry which verifies the main attributes of the manifest. If the main attributes are tampered with, Harmony will not throw a security exception while RI 5.0 will.
> The following test case will demonstrate this issue.
> public void test_JarFile_Modified_Manifest_EntryAttributes()
>         throws IOException {
>     JarFile jarFile = null;
>     String path = URLDecoder.decode(this.getClass().getResource(".").getPath(),
>             "UTF-8");
>     String fileName = path + "/Modified_Manifest_EntryAttributes.jar";
>     jarFile = new JarFile(fileName, true);
>     JarEntry jarEntry = jarFile.getJarEntry("META-INF/MANIFEST.MF");
>     try {
>         jarFile.getInputStream(jarEntry);
>         fail("should throw Security Exception");
>     } catch (SecurityException e) {
>         // desired
>     }
> }

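The check described in the issue, as an added example that is not part of the original message or of Harmony's code: it recomputes the digest of the manifest's main section and compares it with the value a signer would have recorded in the .SF file. The class name, the sample manifest and the choice of SHA1 are constructed for illustration, and the code assumes the digest covers the raw main-section bytes through the terminating blank line.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MainAttributesDigestCheck {
    // Main section = raw bytes from the start through the first blank line (assumption, see lead-in).
    static byte[] mainSection(byte[] manifest) {
        // ISO-8859-1 maps bytes to chars one-to-one, so match offsets are byte offsets.
        String text = new String(manifest, StandardCharsets.ISO_8859_1);
        Matcher m = Pattern.compile("\\r?\\n\\r?\\n").matcher(text);
        if (!m.find()) throw new IllegalArgumentException("main section is not terminated");
        return Arrays.copyOf(manifest, m.end());
    }

    static byte[] sha1(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }

    // Rejects the manifest when its main section no longer matches the digest recorded in the .SF file.
    static void verify(byte[] manifest, String recordedBase64) throws Exception {
        byte[] recorded = Base64.getDecoder().decode(recordedBase64);
        if (!MessageDigest.isEqual(recorded, sha1(mainSection(manifest))))
            throw new SecurityException("manifest main attributes do not match the .SF digest");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample manifest: a main section followed by one per-entry section.
        String signed = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
                + "Name: A.class\r\nX-Sample: per-entry attribute\r\n\r\n";
        byte[] signedBytes = signed.getBytes(StandardCharsets.UTF_8);
        // Value a signer would store as SHA1-Digest-Manifest-Main-Attributes.
        String recorded = Base64.getEncoder().encodeToString(sha1(mainSection(signedBytes)));

        verify(signedBytes, recorded);
        System.out.println("unmodified manifest: accepted");

        byte[] tampered = signed.replace("constructed sample", "someone else")
                .getBytes(StandardCharsets.UTF_8);
        try {
            verify(tampered, recorded);
            throw new AssertionError("tampered manifest was accepted");
        } catch (SecurityException e) {
            System.out.println("tampered manifest: rejected: " + e.getMessage());
        }
    }
}
```

This covers only the main-attributes digest; a full verifier also checks the signature over the .SF file and the per-entry digests.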