You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by db...@apache.org on 2020/06/14 22:24:35 UTC
[tomee-patch-plugin] 02/02: Strip out jar signatures
This is an automated email from the ASF dual-hosted git repository.
dblevins pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee-patch-plugin.git
commit eda6fd1cd89fb7d1343c13300ce3cba09cef7f9e
Author: David Blevins <da...@gmail.com>
AuthorDate: Sun Jun 14 14:40:28 2020 -0700
Strip out jar signatures
---
.../org/apache/tomee/patch/core/Transformation.java | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/tomee-patch-core/src/main/java/org/apache/tomee/patch/core/Transformation.java b/tomee-patch-core/src/main/java/org/apache/tomee/patch/core/Transformation.java
index 3448970..12d1480 100644
--- a/tomee-patch-core/src/main/java/org/apache/tomee/patch/core/Transformation.java
+++ b/tomee-patch-core/src/main/java/org/apache/tomee/patch/core/Transformation.java
@@ -81,6 +81,11 @@ public class Transformation {
// TODO: the name may be changed in transformation
final String path = updatePath(oldEntry.getName());
+ if (skip(path)) {
+ IO.copy(zipInputStream, skipped);
+ continue;
+ }
+
/*
* If this entry has been patched, skip it
* We will add the patched version at the end
@@ -137,6 +142,19 @@ public class Transformation {
}
}
+ /**
+ * Skip signed jar public key files. We most definitely
+ * have tampered with the jar.
+ */
+ private boolean skip(final String name) {
+ if (name.startsWith("META-INF/")) {
+ if (name.endsWith(".SF")) return true;
+ if (name.endsWith(".DSA")) return true;
+ if (name.endsWith(".RSA")) return true;
+ }
+ return false;
+ }
+
private String updatePath(final String name) {
return name.replace("resources/javax.faces","resources/jakarta.faces");
}