On 2018-07-03, Jaikiran Pai wrote: > I did some testing manually for this new method, with both symlinks > and non-symlinks with both the string check version and the > getParent() version. In both of those, I couldn't get it to break in > any odd ways (which is a good thing). It also means that my theory > that the string comparison may not always be a best idea is just > theoretical. However, I just feel a bit more comfortable seeing the > getParent() version since that then removes any kind of file separator > or odd backslash/frontslash permutations that we may not have thought > of and instead leaves it to the JRE implementation to deal with > it. Again, this is me being a bit paranoid than any real demoable > issue with the string comparison code.
I welcome paranoia in particular if security is involved. :-) > At this point, I think these commits address the issue that we sought > out to fix. So unless someone else sees any issues, I think we can go > ahead and do the release that you had planned for. Thanks. I'll let it sit for a bit longer and will cut release candidates later the coming days. Stefan --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
