On Thu, 30 Nov 2023 04:26:44 GMT, jmehrens <d...@openjdk.org> wrote:

>> Pass `ByteArrayInputStream.buf` directly to the `OutputStream` parameter of
>> `BAIS.transferTo` only if the target stream is in the `java.io` package.
>
> src/java.base/share/classes/java/io/ByteArrayInputStream.java line 211:
>
>> 209:         if (len > 0) {
>> 210:             byte[] tmp;
>> 211:             if ("java.io".equals(out.getClass().getPackageName()))
>
> Isn't this protection defeated with:
>
>     ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
>     UntrustedOutputStream uos = new UntrustedOutputStream();
>     bais.transferTo(new java.io.DataOutputStream(uos));
>
> Or am I missing something?
Good catch: that in fact defeats the protection.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1411002921
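The point of the exchange above is that a trust decision keyed on the package of the *outermost* stream class says nothing about where the bytes end up, because `java.io` wrappers such as `DataOutputStream` forward the very same array reference to whatever stream they wrap. The following is an added, self-contained model of that check and is not JDK code or code from the pull request: `passesPackageCheck` reproduces the quoted condition, `modelTransferTo` is a hypothetical stand-in for the fast path being reviewed (hand over the internal array when the check passes, copy otherwise), and `UntrustedOutputStream` is a constructed sink that merely records the array it is handed.

```java
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;

// Constructed model of the package-name check discussed in the review.
// Not JDK code: modelTransferTo and UntrustedOutputStream are hypothetical.
public class PackageCheckDemo {

    // The condition as quoted from the review: trust any OutputStream whose
    // concrete class lives in the java.io package.
    static boolean passesPackageCheck(OutputStream out) {
        return "java.io".equals(out.getClass().getPackageName());
    }

    // Stand-in for the fast path: when the check passes, the caller's internal
    // array is written directly (shared); otherwise a defensive copy is written.
    static void modelTransferTo(byte[] internalBuf, OutputStream out) throws IOException {
        if (passesPackageCheck(out)) {
            out.write(internalBuf, 0, internalBuf.length);
        } else {
            out.write(Arrays.copyOf(internalBuf, internalBuf.length));
        }
    }

    // Constructed sink that keeps a reference to whatever array it receives,
    // so the caller can see whether the internal buffer was shared with it.
    static final class UntrustedOutputStream extends OutputStream {
        byte[] captured;

        @Override
        public void write(int b) {
            // single-byte writes carry no array; nothing to record
        }

        @Override
        public void write(byte[] b, int off, int len) {
            captured = b;
        }
    }

    // Returns true when the sink ends up holding the same array that
    // modelTransferTo was given, i.e. when the buffer was shared.
    static boolean bufferShared(byte[] internalBuf, OutputStream target,
                                UntrustedOutputStream sink) throws IOException {
        modelTransferTo(internalBuf, target);
        return sink.captured == internalBuf;
    }

    public static void main(String[] args) throws IOException {
        byte[] internal = "constructed internal buffer".getBytes();

        // Case 1: the untrusted sink is the target itself; its package is not java.io.
        UntrustedOutputStream direct = new UntrustedOutputStream();
        System.out.println("direct target passes check:  " + passesPackageCheck(direct));
        System.out.println("direct target shares buffer: " + bufferShared(internal, direct, direct));

        // Case 2: the same sink wrapped in a java.io class. The check now looks at
        // DataOutputStream, but DataOutputStream.write(byte[],int,int) forwards the
        // identical array reference to the wrapped stream.
        UntrustedOutputStream wrapped = new UntrustedOutputStream();
        DataOutputStream dos = new DataOutputStream(wrapped);
        System.out.println("wrapped target passes check:  " + passesPackageCheck(dos));
        System.out.println("wrapped target shares buffer: " + bufferShared(internal, dos, wrapped));
    }
}
```

Run with `java PackageCheckDemo.java`. The direct case fails the check and the sink receives only a copy; the wrapped case passes the check and the sink ends up holding the same array as the caller, which is exactly the situation the reviewer describes. The general lesson for this kind of guard is that class identity of the immediate receiver is not a sound proxy for where data flows once delegating wrappers are involved; sharing a mutable internal array requires either a defensive copy or a trust condition that cannot be satisfied by wrapping.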