On Tuesday 12 of October 2010 14:00:14 Sim IJskes - QCG wrote:
> It doesn't happen with readUTF(). The first bytes read are the stream
> header, (0xac, 0xed, 0, 5), and then the length, then the bytes
> composing the string. No parsing of TC constants, and no optional code
> paths that can lead to out-of-anything DoS attacks. Send it with
> writeUTF, read it with a custom function limiting the length of the
> string and voila, we have at least made it 1 step more difficult to DoS.
I understand your arguments but I am still not convinced - you somehow have to send a ProxyTrust instance (or any remote object reference) so that you can verify the codebase using it. You have to assume what it is going to be anyway. I just don't see a real difference between having custom parsing/instantiation and (limited by not allowing recursive annotations) parsing/instantiation done by ObjectInputStream. If we need this kind of protection I would do it at the lower level - just have a counting InputStream that throws IOException when a certain limit of bytes read is reached (it won't be caught and ignored by malicious code since we don't run any malicious code - at least not yet :) )

Michal
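As an added illustration of the two ideas in this exchange (Sim's writeUTF/readUTF path with a bounded read, and Michal's counting InputStream that throws IOException once a byte budget is exceeded), here is example code written for this page; it is not from the Apache River project or from either author. The class name LimitedInputStream, the budget values and the "hello" payload are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Counting InputStream (hypothetical name) that fails with IOException once more
 * than maxBytes have been consumed. Because the check sits below any
 * deserialization logic, the caller cannot swallow it on the wire-format side.
 */
public final class LimitedInputStream extends FilterInputStream {
    private final long maxBytes;
    private long consumed;

    public LimitedInputStream(InputStream in, long maxBytes) {
        super(in);
        if (maxBytes < 0) throw new IllegalArgumentException("maxBytes < 0");
        this.maxBytes = maxBytes;
    }

    // Every byte that reaches the caller is charged against the budget.
    private void account(long n) throws IOException {
        if (n <= 0) return;
        consumed += n;
        if (consumed > maxBytes) {
            throw new IOException("input limit of " + maxBytes + " bytes exceeded");
        }
    }

    @Override public int read() throws IOException {
        int b = in.read();
        if (b != -1) account(1);
        return b;
    }

    @Override public int read(byte[] buf, int off, int len) throws IOException {
        int n = in.read(buf, off, len);
        account(n);
        return n;
    }

    @Override public long skip(long count) throws IOException {
        long n = in.skip(count);
        account(n);
        return n;
    }

    // mark/reset would let a caller re-read bytes without being charged, so disable it.
    @Override public boolean markSupported() { return false; }
    @Override public synchronized void mark(int readlimit) { }
    @Override public synchronized void reset() throws IOException {
        throw new IOException("mark/reset not supported");
    }

    public long consumed() { return consumed; }

    /**
     * Sim's suggestion: send with writeUTF, read with readUTF. readUTF's 2-byte
     * length prefix already caps the string at 65535 bytes; the counting stream
     * underneath enforces whatever tighter budget the receiver chooses.
     */
    public static String readUtfWithBudget(byte[] wire, long budget) throws IOException {
        DataInputStream din = new DataInputStream(
                new LimitedInputStream(new ByteArrayInputStream(wire), budget));
        return din.readUTF();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payload: writeUTF emits a 2-byte length followed by the bytes.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        new DataOutputStream(bos).writeUTF("hello");
        byte[] wire = bos.toByteArray();

        // Generous budget: the string is read normally.
        System.out.println("read: " + readUtfWithBudget(wire, 64));

        // Budget smaller than the 7 bytes on the wire: the read is cut off with IOException
        // before the receiver commits to anything the sender's length field asked for.
        try {
            readUtfWithBudget(wire, 4);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The stream charges bytes as they are consumed rather than rejecting on the declared length, so it also bounds readers that do not announce their size up front (an ObjectInputStream wrapped the same way would hit the same limit). Per-connection budgets are the natural place to tune maxBytes.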
