On Thu, 30 Nov 2023 08:58:18 GMT, Alan Bateman <al...@openjdk.org> wrote:

>> I don't think checking if the package is java.io is secure:
>> 
>> ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
>> BufferedInputStream bis = new BufferedInputStream(bais);
>> UntrustedOutputStream uos = new UntrustedOutputStream();
>> bis.transferTo(new java.io.DataOutputStream(uos)); 
>> 
>> You have to know that it is in the java.io package and it doesn't wrap 
>> another stream.
>
>> You have to know that it is in the java.io package and it doesn't wrap 
>> another stream.
> 
> That is a good point. In the previous work on this override, we converged on 
> the current implementation to not leak the internal byte[] to the target. It 
> could be special cased for trusted targets but at the cost of auditing and 
> complexity. So more thought needed on this, I don't think the current change 
> can be integrated.

What do you think of adding `OutputStream extends WritableByteChannel`, so 
`transferTo` could be implemented with `if (target instanceof 
WritableByteChannel) { target.write(ByteBuffer.wrap(buf, off, 
len).asReadOnly()); }`?

A read-only byte buffer will not allow modifying the data in the buffer, it would 
eliminate buffer copies, and adding `write(ByteBuffer)` to `OutputStream` seems 
reasonable.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16879#discussion_r1410416823
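To illustrate the read-only view proposed in the reply above, here is an added example that is not code from the PR or from the JDK: `BufferedSource` (standing in for a buffered stream with an internal `byte[]`), `TamperingChannel` and the sample bytes are constructed for this demonstration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ReadOnlyBufferException;
import java.nio.channels.WritableByteChannel;
import java.nio.charset.StandardCharsets;

public class ReadOnlyTransferDemo {

    // Hypothetical source: models a BufferedInputStream-style internal buffer.
    static final class BufferedSource {
        // constructed sample data
        private final byte[] buf = "hello, world".getBytes(StandardCharsets.US_ASCII);

        // Hand the target a read-only view of the internal buffer, never the byte[] itself.
        // Note: the view still shares storage with buf, so a target that retains it can
        // read whatever a later refill puts there; read-only prevents tampering, not retention.
        void transferTo(WritableByteChannel target) throws IOException {
            ByteBuffer view = ByteBuffer.wrap(buf, 0, buf.length).asReadOnly();
            target.write(view);
        }

        String contents() { return new String(buf, StandardCharsets.US_ASCII); }
    }

    // Hypothetical untrusted target that tries to tamper with whatever buffer it is handed.
    static final class TamperingChannel implements WritableByteChannel {
        boolean putRejected, arrayRejected;

        @Override public int write(ByteBuffer src) {
            // Attempt to overwrite the source's data through the buffer: rejected.
            try { src.put(0, (byte) 'X'); } catch (ReadOnlyBufferException e) { putRejected = true; }
            // Attempt to obtain the backing byte[] to modify it directly: rejected as well.
            try { src.array(); } catch (ReadOnlyBufferException e) { arrayRejected = true; }
            int n = src.remaining();
            src.position(src.limit()); // reading/consuming the bytes is still allowed
            return n;
        }
        @Override public boolean isOpen() { return true; }
        @Override public void close() {}
    }

    public static void main(String[] args) throws IOException {
        BufferedSource src = new BufferedSource();
        TamperingChannel target = new TamperingChannel();
        src.transferTo(target);
        System.out.println("put() rejected: " + target.putRejected);
        System.out.println("array() rejected: " + target.arrayRejected);
        System.out.println("source intact: " + src.contents());
    }
}
```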
