You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@harmony.apache.org by "Richard Liang (JIRA)" <ji...@apache.org> on 2006/04/03 11:28:43 UTC
[jira] Created: (HARMONY-295) java.util.jar.JarInputStream does not
throw Security Exception according to Java 5.0 Spec
java.util.jar.JarInputStream does not throw Security Exception according to Java 5.0 Spec
-----------------------------------------------------------------------------------------
Key: HARMONY-295
URL: http://issues.apache.org/jira/browse/HARMONY-295
Project: Harmony
Type: Bug
Components: Classlib
Reporter: Richard Liang
Priority: Minor
According to the new feature in JAR File Specification for java 5.0, .SF signature file which verifies the manifest has a new algorithm. If the main attributes are tampered, harmony will not throw security exception while RI 5.0 will.
Here is the test code to demo this issue:
public void test_JarInputStream_Modified_Manifest_MainAttributes()
throws IOException {
String path = URLDecoder.decode(this.getClass().getResource(".")
.getPath(), "UTF-8");
FileInputStream fin = new FileInputStream(path
+ "/Modified_Manifest_MainAttributes.jar");
ZipEntry zipEntry = null;
JarInputStream jin = new JarInputStream(fin, true);
final int indexofDSA = 2;
final int totalEntries = 4;
int count = 0;
while (count == 0 || zipEntry != null) {
count++;
try {
zipEntry = jin.getNextEntry();
if (count == indexofDSA + 1)
fail("Should throw Security Exception");
} catch (SecurityException e) {
if (count != indexofDSA + 1)
throw e;
}
}
assertEquals(totalEntries + 2, count);
jin.close();
fin.close();
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Assigned: (HARMONY-295) java.util.jar.JarInputStream does
not throw Security Exception according to Java 5.0 Spec
Posted by "George Harley (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/HARMONY-295?page=all ]
George Harley reassigned HARMONY-295:
-------------------------------------
Assign To: George Harley
> java.util.jar.JarInputStream does not throw Security Exception according to Java 5.0 Spec
> -----------------------------------------------------------------------------------------
>
> Key: HARMONY-295
> URL: http://issues.apache.org/jira/browse/HARMONY-295
> Project: Harmony
> Type: Bug
> Components: Classlib
> Reporter: Richard Liang
> Assignee: George Harley
> Priority: Minor
> Attachments: Harmony295.zip, Modified_Manifest_MainAttributes.jar
>
> According to the new feature in JAR File Specification for java 5.0, .SF signature file which verifies the manifest has a new algorithm. If the main attributes are tampered, harmony will not throw security exception while RI 5.0 will.
> Here is the test code to demo this issue:
> public void test_JarInputStream_Modified_Manifest_MainAttributes()
> throws IOException {
> String path = URLDecoder.decode(this.getClass().getResource(".")
> .getPath(), "UTF-8");
> FileInputStream fin = new FileInputStream(path
> + "/Modified_Manifest_MainAttributes.jar");
> ZipEntry zipEntry = null;
> JarInputStream jin = new JarInputStream(fin, true);
> final int indexofDSA = 2;
> final int totalEntries = 4;
> int count = 0;
> while (count == 0 || zipEntry != null) {
> count++;
> try {
> zipEntry = jin.getNextEntry();
> if (count == indexofDSA + 1)
> fail("Should throw Security Exception");
> } catch (SecurityException e) {
> if (count != indexofDSA + 1)
> throw e;
> }
> }
> assertEquals(totalEntries + 2, count);
> jin.close();
> fin.close();
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Updated: (HARMONY-295) java.util.jar.JarInputStream does not
throw Security Exception according to Java 5.0 Spec
Posted by "Richard Liang (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/HARMONY-295?page=all ]
Richard Liang updated HARMONY-295:
----------------------------------
Attachment: Modified_Manifest_MainAttributes.jar
This is the target jar to be tested. Please put it at the same location of the test case.
The test case will pass on RI 5.0 and fail on Harmony
> java.util.jar.JarInputStream does not throw Security Exception according to Java 5.0 Spec
> -----------------------------------------------------------------------------------------
>
> Key: HARMONY-295
> URL: http://issues.apache.org/jira/browse/HARMONY-295
> Project: Harmony
> Type: Bug
> Components: Classlib
> Reporter: Richard Liang
> Priority: Minor
> Attachments: Modified_Manifest_MainAttributes.jar
>
> According to the new feature in JAR File Specification for java 5.0, .SF signature file which verifies the manifest has a new algorithm. If the main attributes are tampered, harmony will not throw security exception while RI 5.0 will.
> Here is the test code to demo this issue:
> public void test_JarInputStream_Modified_Manifest_MainAttributes()
> throws IOException {
> String path = URLDecoder.decode(this.getClass().getResource(".")
> .getPath(), "UTF-8");
> FileInputStream fin = new FileInputStream(path
> + "/Modified_Manifest_MainAttributes.jar");
> ZipEntry zipEntry = null;
> JarInputStream jin = new JarInputStream(fin, true);
> final int indexofDSA = 2;
> final int totalEntries = 4;
> int count = 0;
> while (count == 0 || zipEntry != null) {
> count++;
> try {
> zipEntry = jin.getNextEntry();
> if (count == indexofDSA + 1)
> fail("Should throw Security Exception");
> } catch (SecurityException e) {
> if (count != indexofDSA + 1)
> throw e;
> }
> }
> assertEquals(totalEntries + 2, count);
> jin.close();
> fin.close();
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Resolved: (HARMONY-295) java.util.jar.JarInputStream does
not throw Security Exception according to Java 5.0 Spec
Posted by "George Harley (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/HARMONY-295?page=all ]
George Harley resolved HARMONY-295:
-----------------------------------
Resolution: Fixed
Hi Richard,
Changes applied to SVN in revision 391368. New tests pass fine against 5.0 RI and Harmony.
Please could you verify that the patch has been applied as expected.
Thanks very much for this patch.
Best regards,
George
> java.util.jar.JarInputStream does not throw Security Exception according to Java 5.0 Spec
> -----------------------------------------------------------------------------------------
>
> Key: HARMONY-295
> URL: http://issues.apache.org/jira/browse/HARMONY-295
> Project: Harmony
> Type: Bug
> Components: Classlib
> Reporter: Richard Liang
> Assignee: George Harley
> Priority: Minor
> Attachments: Harmony295.zip, Modified_Manifest_MainAttributes.jar
>
> According to the new feature in JAR File Specification for java 5.0, .SF signature file which verifies the manifest has a new algorithm. If the main attributes are tampered, harmony will not throw security exception while RI 5.0 will.
> Here is the test code to demo this issue:
> public void test_JarInputStream_Modified_Manifest_MainAttributes()
> throws IOException {
> String path = URLDecoder.decode(this.getClass().getResource(".")
> .getPath(), "UTF-8");
> FileInputStream fin = new FileInputStream(path
> + "/Modified_Manifest_MainAttributes.jar");
> ZipEntry zipEntry = null;
> JarInputStream jin = new JarInputStream(fin, true);
> final int indexofDSA = 2;
> final int totalEntries = 4;
> int count = 0;
> while (count == 0 || zipEntry != null) {
> count++;
> try {
> zipEntry = jin.getNextEntry();
> if (count == indexofDSA + 1)
> fail("Should throw Security Exception");
> } catch (SecurityException e) {
> if (count != indexofDSA + 1)
> throw e;
> }
> }
> assertEquals(totalEntries + 2, count);
> jin.close();
> fin.close();
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Commented: (HARMONY-295) java.util.jar.JarInputStream does
not throw Security Exception according to Java 5.0 Spec
Posted by "Richard Liang (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/HARMONY-295?page=comments#action_12373215 ]
Richard Liang commented on HARMONY-295:
---------------------------------------
Hello George,
Looks fine. Please close this issue. Thanks a lot.
> java.util.jar.JarInputStream does not throw Security Exception according to Java 5.0 Spec
> -----------------------------------------------------------------------------------------
>
> Key: HARMONY-295
> URL: http://issues.apache.org/jira/browse/HARMONY-295
> Project: Harmony
> Type: Bug
> Components: Classlib
> Reporter: Richard Liang
> Assignee: George Harley
> Priority: Minor
> Attachments: Harmony295.zip, Modified_Manifest_MainAttributes.jar
>
> According to the new feature in JAR File Specification for java 5.0, .SF signature file which verifies the manifest has a new algorithm. If the main attributes are tampered, harmony will not throw security exception while RI 5.0 will.
> Here is the test code to demo this issue:
> public void test_JarInputStream_Modified_Manifest_MainAttributes()
> throws IOException {
> String path = URLDecoder.decode(this.getClass().getResource(".")
> .getPath(), "UTF-8");
> FileInputStream fin = new FileInputStream(path
> + "/Modified_Manifest_MainAttributes.jar");
> ZipEntry zipEntry = null;
> JarInputStream jin = new JarInputStream(fin, true);
> final int indexofDSA = 2;
> final int totalEntries = 4;
> int count = 0;
> while (count == 0 || zipEntry != null) {
> count++;
> try {
> zipEntry = jin.getNextEntry();
> if (count == indexofDSA + 1)
> fail("Should throw Security Exception");
> } catch (SecurityException e) {
> if (count != indexofDSA + 1)
> throw e;
> }
> }
> assertEquals(totalEntries + 2, count);
> jin.close();
> fin.close();
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Updated: (HARMONY-295) java.util.jar.JarInputStream does not
throw Security Exception according to Java 5.0 Spec
Posted by "Richard Liang (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/HARMONY-295?page=all ]
Richard Liang updated HARMONY-295:
----------------------------------
Attachment: Harmony295.zip
Hello,
Here is the patch for this issue. Please be kindly informed that this patch depends on Harmony-204. So please apply patch for Harmony-204 first :-)
Thanks a lot.
> java.util.jar.JarInputStream does not throw Security Exception according to Java 5.0 Spec
> -----------------------------------------------------------------------------------------
>
> Key: HARMONY-295
> URL: http://issues.apache.org/jira/browse/HARMONY-295
> Project: Harmony
> Type: Bug
> Components: Classlib
> Reporter: Richard Liang
> Priority: Minor
> Attachments: Harmony295.zip, Modified_Manifest_MainAttributes.jar
>
> According to the new feature in JAR File Specification for java 5.0, .SF signature file which verifies the manifest has a new algorithm. If the main attributes are tampered, harmony will not throw security exception while RI 5.0 will.
> Here is the test code to demo this issue:
> public void test_JarInputStream_Modified_Manifest_MainAttributes()
> throws IOException {
> String path = URLDecoder.decode(this.getClass().getResource(".")
> .getPath(), "UTF-8");
> FileInputStream fin = new FileInputStream(path
> + "/Modified_Manifest_MainAttributes.jar");
> ZipEntry zipEntry = null;
> JarInputStream jin = new JarInputStream(fin, true);
> final int indexofDSA = 2;
> final int totalEntries = 4;
> int count = 0;
> while (count == 0 || zipEntry != null) {
> count++;
> try {
> zipEntry = jin.getNextEntry();
> if (count == indexofDSA + 1)
> fail("Should throw Security Exception");
> } catch (SecurityException e) {
> if (count != indexofDSA + 1)
> throw e;
> }
> }
> assertEquals(totalEntries + 2, count);
> jin.close();
> fin.close();
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Closed: (HARMONY-295) java.util.jar.JarInputStream does not
throw Security Exception according to Java 5.0 Spec
Posted by "George Harley (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/HARMONY-295?page=all ]
George Harley closed HARMONY-295:
---------------------------------
Verified by Richard.
> java.util.jar.JarInputStream does not throw Security Exception according to Java 5.0 Spec
> -----------------------------------------------------------------------------------------
>
> Key: HARMONY-295
> URL: http://issues.apache.org/jira/browse/HARMONY-295
> Project: Harmony
> Type: Bug
> Components: Classlib
> Reporter: Richard Liang
> Assignee: George Harley
> Priority: Minor
> Attachments: Harmony295.zip, Modified_Manifest_MainAttributes.jar
>
> According to the new feature in JAR File Specification for java 5.0, .SF signature file which verifies the manifest has a new algorithm. If the main attributes are tampered, harmony will not throw security exception while RI 5.0 will.
> Here is the test code to demo this issue:
> public void test_JarInputStream_Modified_Manifest_MainAttributes()
> throws IOException {
> String path = URLDecoder.decode(this.getClass().getResource(".")
> .getPath(), "UTF-8");
> FileInputStream fin = new FileInputStream(path
> + "/Modified_Manifest_MainAttributes.jar");
> ZipEntry zipEntry = null;
> JarInputStream jin = new JarInputStream(fin, true);
> final int indexofDSA = 2;
> final int totalEntries = 4;
> int count = 0;
> while (count == 0 || zipEntry != null) {
> count++;
> try {
> zipEntry = jin.getNextEntry();
> if (count == indexofDSA + 1)
> fail("Should throw Security Exception");
> } catch (SecurityException e) {
> if (count != indexofDSA + 1)
> throw e;
> }
> }
> assertEquals(totalEntries + 2, count);
> jin.close();
> fin.close();
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira