On Wed, 29 Nov 2023 22:38:59 GMT, Markus KARG <d...@openjdk.org> wrote:
>> src/java.base/share/classes/java/io/BufferedInputStream.java line 647:
>>
>>> 645:             if (avail > 0) {
>>> 646:                 // trust all OutputStreams from java.io
>>> 647:                 if (out.getClass().getPackageName() == BufferedInputStream.class.getPackageName()) {
>>
>> I don't think Class::getPackageName documents that the returned String is interned, so I wonder if the == check will lead to questions and suggestions of a bug. Classes with names starting with "java." can only be defined to the boot or platform class loader (details in the ClassLoader API docs), so you could just check if the package name equals "java.io".
>
> Do we only want to trust java.io or anything starting with java.*?

I don't think checking if the package is java.io is secure:

    ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
    BufferedInputStream bis = new BufferedInputStream(bais);
    UntrustedOutputStream uos = new UntrustedOutputStream();
    bis.transferTo(new java.io.DataOutputStream(uos));

You have to know that it is in the java.io package and it doesn't wrap another stream.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16879#discussion_r1410142200
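The following is an added, self-contained illustration of the point made in the message above; it is not code from the PR, from the JDK, or from either reviewer. It simulates the fast path under discussion (handing the stream's internal buffer directly to a "trusted" OutputStream, otherwise writing a defensive copy) with two trust rules: the package-name rule from the thread, and an exact-class allowlist that excludes wrappers. The names `RetainingOutputStream`, `trustedByPackage`, `trustedByExactClass` and `flushBuffer` are hypothetical helpers, and the allowlist contents are an assumption for illustration, not a statement of what the PR finally adopted.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;

public class TrustedStreamCheckDemo {

    /** Stand-in for an OutputStream from outside the JDK that keeps the array handed to write(). */
    static final class RetainingOutputStream extends OutputStream {
        byte[] lastArray;   // whatever array the last write(byte[], int, int) call received

        @Override public void write(int b) { }

        @Override public void write(byte[] b, int off, int len) {
            lastArray = b;  // holding the reference is enough to observe/modify the caller's buffer later
        }
    }

    /** The package-name rule discussed in the thread (hypothetical helper; equals(), not ==). */
    static boolean trustedByPackage(OutputStream out) {
        return "java.io".equals(out.getClass().getPackageName());
    }

    /**
     * Exact-class allowlist (assumed alternative, not necessarily what the PR adopted):
     * only concrete sinks that do not delegate to another stream are trusted, so
     * java.io wrappers such as DataOutputStream are not.
     */
    static boolean trustedByExactClass(OutputStream out) {
        Class<?> c = out.getClass();
        return c == ByteArrayOutputStream.class || c == FileOutputStream.class;
    }

    /**
     * Simulated fast path: a trusted stream gets the internal buffer itself,
     * an untrusted one gets a defensive copy of the pending bytes.
     */
    static void flushBuffer(byte[] internalBuf, int pos, int count,
                            OutputStream out, boolean trusted) throws IOException {
        if (trusted) {
            out.write(internalBuf, pos, count - pos);
        } else {
            out.write(Arrays.copyOfRange(internalBuf, pos, count));
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] internalBuf = "hello, buffered world".getBytes();     // constructed sample data
        RetainingOutputStream untrusted = new RetainingOutputStream();
        DataOutputStream wrapper = new DataOutputStream(untrusted);   // java.io class, untrusted sink underneath

        // 1. Package-name rule: the wrapper passes, and DataOutputStream.write(byte[],int,int)
        //    forwards the very same array to the untrusted stream.
        boolean byPackage = trustedByPackage(wrapper);
        flushBuffer(internalBuf, 0, internalBuf.length, wrapper, byPackage);
        System.out.println("package rule trusts DataOutputStream: " + byPackage);                        // true
        System.out.println("untrusted sink now holds the internal buffer: "
                + (untrusted.lastArray == internalBuf));                                                 // true

        // 2. Exact-class rule: the wrapper is not trusted, so the sink only ever sees a copy.
        untrusted.lastArray = null;
        boolean byClass = trustedByExactClass(wrapper);
        flushBuffer(internalBuf, 0, internalBuf.length, wrapper, byClass);
        System.out.println("exact-class rule trusts DataOutputStream: " + byClass);                     // false
        System.out.println("untrusted sink now holds the internal buffer: "
                + (untrusted.lastArray == internalBuf));                                                 // false
    }
}
```

Compile and run with `javac TrustedStreamCheckDemo.java && java TrustedStreamCheckDemo` (Java 9 or later, for `Class::getPackageName`). The first pair of lines shows why a package check alone is not enough: the check answers "is this class in java.io?", but the property the fast path actually needs is "does nothing outside the JDK ever see this array?", and a java.io wrapper around a foreign stream satisfies the first without the second. The exact-class rule, combined with copying for everything else, ties trust to that second property.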