https://bz.apache.org/bugzilla/show_bug.cgi?id=60963
--- Comment #10 from Thomas Meyer <tho...@m3y3r.de> ---
(In reply to Mark Thomas from comment #9)
> The one thing that worries me about this patch is the degree to which it
> depends on the JVM internals. While this works with the current Oracle JVM,
> my concern is for JVMs from other vendors and future Oracle versions.

I had exactly the same concerns! But I was sure about how much change the upstream development would accept.

>
> I did take a quick look at the ZIP specification [1] and it appears it
> should be fairly simple to read the file names and data offsets from the
> local file headers. I wonder if writing a parser that extracts just the info
> we need and skips the rest might be a better option.

Yes, I had the same idea while figuring out how to abuse the ZipInputStream for the above solution. How hard could it be to parse a header entry...

>
> Finally, there are a few changes in the patch that aren't strictly related
> to fixing the problem at hand. It is generally better to put that sort of
> clean-up in a separate patch (no need to re-submit this patch - the comment
> is more for future reference).

Okay, I always try to separate the relevant changes from unrelated stuff, but sometimes I miss something while preparing a patch.

>
> [1] https://pkware.cachefly.net/webdocs/casestudies/

Another remark from my side: The JarInputStream is used to parse each i.e. Jar file once per Webapp class loader. I tried to understand the verifying of the manifest and possible signed entries, but I failed. Do you have a better understanding of this topic and can you say if something did break in this area? How to check?