8300140: ZipFile.isSignatureRelated returns true for files in META-INF subdirectories

Reviewed-by: weijun
2025-08-28 07:14:30 +02:00 · 2023-01-27 22:47:51 +00:00 · 2023-01-27 22:47:51 +00:00 · 5dfc4ec7d9
commit 5dfc4ec7d9
parent 5c59de52a3
6 changed files with 422 additions and 25 deletions
--- a/src/java.base/share/classes/java/util/jar/JarVerifier.java
+++ b/src/java.base/share/classes/java/util/jar/JarVerifier.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -39,6 +39,8 @@ import sun.security.util.ManifestEntryVerifier;
 import sun.security.util.SignatureFileVerifier;
 import sun.security.util.Debug;

+import static sun.security.util.SignatureFileVerifier.isInMetaInf;
+
 /**
 *
 * @author      Roland Schemers
@ -135,15 +137,14 @@ class JarVerifier {
         */

        if (parsingMeta) {
-            String uname = name.toUpperCase(Locale.ENGLISH);
-            if ((uname.startsWith("META-INF/") ||
-                 uname.startsWith("/META-INF/"))) {
+
+            if (isInMetaInf(name)) {

                if (je.isDirectory()) {
                    mev.setEntry(null, je);
                    return;
                }
-
+                String uname = name.toUpperCase(Locale.ENGLISH);
                if (uname.equals(JarFile.MANIFEST_NAME) ||
                        uname.equals(JarIndex.INDEX_NAME)) {
                    return;