8260967: Better jar file validation

Reviewed-by: hchao, valeriep
2025-08-28 07:14:30 +02:00 · 2021-03-16 18:58:55 +00:00 · 2021-03-16 18:58:55 +00:00 · ef9315bead
commit ef9315bead
parent fc38331f44
6 changed files with 50 additions and 18 deletions
--- a/src/java.base/share/classes/java/util/jar/JarFile.java
+++ b/src/java.base/share/classes/java/util/jar/JarFile.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -419,7 +419,13 @@ public class JarFile extends ZipFile {
                if (verify) {
                    byte[] b = getBytes(manEntry);
                    if (!jvInitialized) {
-                        jv = new JarVerifier(b);
+                        if (JUZFA.getManifestNum(this) == 1) {
+                            jv = new JarVerifier(manEntry.getName(), b);
+                        } else {
+                            if (JarVerifier.debug != null) {
+                                JarVerifier.debug.println("Multiple MANIFEST.MF found. Treat JAR file as unsigned");
+                            }
+                        }
                    }
                    man = new Manifest(jv, new ByteArrayInputStream(b), getName());
                } else {
@ -745,7 +751,7 @@ public class JarFile extends ZipFile {
                    mev = new ManifestEntryVerifier
                        (getManifestFromReference());
                }
-                if (name.equals(MANIFEST_NAME)) {
+                if (name.equalsIgnoreCase(MANIFEST_NAME)) {
                    b = jv.manifestRawBytes;
                } else {
                    b = getBytes(e);