On Mon, 18 Nov 2024 00:16:00 GMT, Chen Liang <li...@openjdk.org> wrote:

>> Removed use of SecurityManager to check permissions.
>> Relaxed defensive copying of byte arrays (due to lack of SM)
>
> src/java.base/share/classes/java/lang/String.java line 691:
> 
>> 689:                     System.getSecurityManager() != null) {
>> 690:                 bytes = Arrays.copyOfRange(bytes, offset, offset + length);
>> 691:                 offset = 0;
> 
> Was this defensive copy particularly important to security managers but has 
> no effect for other scenarios?

Application-supplied Charsets are not any more or less trusted than any other 
class in the application.
So the copy is not (adequately) effective as a defensive measure here.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22168#discussion_r1846753458
