On Thu, 30 Nov 2023 17:21:50 GMT, Brian Burkhalter <b...@openjdk.org> wrote:
>> src/java.base/share/classes/java/io/ByteArrayInputStream.java line 211:
>>
>>> 209: if (len > 0) {
>>> 210: byte[] tmp;
>>> 211: if ("java.io".equals(out.getClass().getPackageName()))
>>
>> Isn't this protection defeated with:
>>
>> ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
>> UntrustedOutputStream uos = new UntrustedOutputStream();
>> bais.transferTo(new java.io.DataOutputStream(uos));
>>
>>
>> Or am I missing something?
>
> Good catch: that in fact defeats the protection.
Changed in 176d5165f7d8f3fa4814c9838abb5d18d9f3c338 not to trust
`FilterOutputStream`s.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1411408253
