harmony-commits mailing list archives

From "Richard Liang (JIRA)" <j...@apache.org>
Subject [jira] Created: (HARMONY-204) java.util.jar.JarFile should throw Security Exception when getInputStream from a jar file in which the content of main attributes in manifest has been tampered
Date Fri, 17 Mar 2006 04:33:53 GMT
java.util.jar.JarFile should throw Security Exception when getInputStream from a jar file in
which the content of main attributes in manifest has been tampered
---------------------------------------------------------------------------------------------------------------------------------------------------------------

         Key: HARMONY-204
         URL: http://issues.apache.org/jira/browse/HARMONY-204
     Project: Harmony
        Type: Bug
  Components: Classlib  
    Reporter: Richard Liang


According to the new feature in the JAR File Specification for Java 5.0, the .SF signature file which
verifies the manifest has a new algorithm-Digest-Manifest-Main-Attributes entry which verifies
the main attributes of the manifest. If the main attributes are tampered with, Harmony will not
throw a security exception while RI 5.0 will.

The following test case will demonstrate this issue.

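import java.io.IOException;
import java.net.URLDecoder;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Method of a JUnit TestCase; the jar under test has tampered manifest main attributes.
public void test_JarFile_Modified_Manifest_EntryAttributes()
        throws IOException {
    String path = URLDecoder.decode(this.getClass().getResource(".").getPath(),
            "UTF-8");
    String fileName = path + "/Modified_Manifest_EntryAttributes.jar";
    // verify = true: signatures are checked when entries are read
    JarFile jarFile = new JarFile(fileName, true);
    JarEntry jarEntry = jarFile.getJarEntry("META-INF/MANIFEST.MF");
    try {
        jarFile.getInputStream(jarEntry);
        fail("should throw Security Exception");
    } catch (SecurityException e) {
        // desired
    }
}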


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
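
The check the report describes, as an added example that is not part of the original message or of Harmony's code: it recomputes the digest of the manifest's main section and compares it with the Digest-Manifest-Main-Attributes value read from the .SF file. It assumes SHA-256, assumes the digest covers the main section through its terminating blank line, and uses constructed sample data; the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.jar.Manifest;

public class MainAttributesDigestCheck {
    static final String ALG = "SHA-256"; // assumed digest algorithm
    static final String KEY = ALG + "-Digest-Manifest-Main-Attributes";

    // Main section: offset 0 through the first blank line (CRLF, LF or CR endings).
    static byte[] mainSection(byte[] mf) {
        int lineStart = 0;
        for (int i = 0; i < mf.length; i++) {
            if (mf[i] != '\r' && mf[i] != '\n') continue;
            int next = (mf[i] == '\r' && i + 1 < mf.length && mf[i + 1] == '\n') ? i + 2 : i + 1;
            if (i == lineStart) return Arrays.copyOf(mf, next); // blank line ends the section
            lineStart = next;
            i = next - 1; // skip the LF of a CRLF pair
        }
        return mf; // no blank line: main attributes only
    }

    static boolean mainAttributesIntact(byte[] mf, byte[] sf) throws Exception {
        // A .SF file uses manifest syntax, so Manifest also handles its continuation lines.
        String expected = new Manifest(new ByteArrayInputStream(sf))
                .getMainAttributes().getValue(KEY);
        if (expected == null) return true; // entry absent: nothing to compare in this check
        byte[] actual = MessageDigest.getInstance(ALG).digest(mainSection(mf));
        return MessageDigest.isEqual(Base64.getDecoder().decode(expected), actual);
    }
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, not taken from the Harmony test jar.
        String mf = "Manifest-Version: 1.0\r\nCreated-By: sample\r\n\r\n"
                + "Name: a/B.class\r\nSHA-256-Digest: AAAA\r\n\r\n";
        String digest = Base64.getEncoder().encodeToString(
                MessageDigest.getInstance(ALG).digest(mainSection(utf8(mf))));
        byte[] sf = utf8("Signature-Version: 1.0\r\n" + KEY + ": " + digest + "\r\n\r\n");

        String forgedMain = mf.replace("Created-By: sample", "Created-By: forged");
        String forgedEntry = mf.replace("AAAA", "BBBB"); // per-entry section, outside this digest
        System.out.println("untouched:      " + mainAttributesIntact(utf8(mf), sf));
        System.out.println("main tampered:  " + mainAttributesIntact(utf8(forgedMain), sf));
        System.out.println("entry tampered: " + mainAttributesIntact(utf8(forgedEntry), sf));
    }
}
```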

