Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
On Tue, 5 Dec 2023 12:58:45 GMT, Markus KARG wrote: >> I suspect it's left over from a previous iteration. In any case, limiting it >> to a small number of output streams makes this easier to look at. BAOS and >> FOS seem okay, POP seems okay too but legacy and not interesting. > >> I suspect it's left over from a previous iteration. In any case, limiting it >> to a small number of output streams makes this easier to look at. BAOS and >> FOS seem okay, POP seems okay too but legacy and not interesting. > > Agreed for a rather short list of explicitly whitelisted implementations. We > should get rid of the package check. I checked all the `OutputStreams` in the list for trustworthiness. The package check is vestigial; will remove. It could be useful if multiple packages were involved with multiple trusted classes in each. - PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1415944621
Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
On Tue, 5 Dec 2023 08:27:09 GMT, Alan Bateman wrote: > I suspect it's left over from a previous iteration. In any case, limiting it > to a small number of output streams makes this easier to look at. BAOS and > FOS seem okay, POP seems okay too but legacy and not interesting. Agreed for a rather short list of explicitly whitelisted implementations. We should get rid of the package check. - PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1415569212
Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
On Tue, 5 Dec 2023 07:37:39 GMT, Markus KARG wrote:
>> Brian Burkhalter has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> 8321053: instanceof -> ==
>
> src/java.base/share/classes/java/io/ByteArrayInputStream.java line 213:
>
>> 211: byte[] tmp;
>> 212: Class outClass = out.getClass();
>> 213: if (outClass.getPackageName().equals("java.io") &&
>
> For what do we need this string-based check here?
I suspect it's left over from a previous iteration. In any case, limiting it to
a small number of output streams makes this easier to look at. BAOS and FOS
seem okay, POP seems okay too but legacy and not interesting.
-
PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1415121241
Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
On Mon, 4 Dec 2023 20:16:12 GMT, Brian Burkhalter wrote:
>> Pass `ByteArrayInputStream.buf ` directly to the `OutputStream` parameter of
>> `BAIS.transferTo` only if the target stream is in the `java.io` package.
>
> Brian Burkhalter has updated the pull request incrementally with one
> additional commit since the last revision:
>
> 8321053: instanceof -> ==
src/java.base/share/classes/java/io/ByteArrayInputStream.java line 213:
> 211: byte[] tmp;
> 212: Class outClass = out.getClass();
> 213: if (outClass.getPackageName().equals("java.io") &&
For what do we need this string-based check here?
-
PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1415005911
Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
> Pass `ByteArrayInputStream.buf ` directly to the `OutputStream` parameter of > `BAIS.transferTo` only if the target stream is in the `java.io` package. Brian Burkhalter has updated the pull request incrementally with one additional commit since the last revision: 8321053: instanceof -> == - Changes: - all: https://git.openjdk.org/jdk/pull/16893/files - new: https://git.openjdk.org/jdk/pull/16893/files/29ee889b..7aa37667 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk=16893=03 - incr: https://webrevs.openjdk.org/?repo=jdk=16893=02-03 Stats: 5 lines in 1 file changed: 1 ins; 0 del; 4 mod Patch: https://git.openjdk.org/jdk/pull/16893.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/16893/head:pull/16893 PR: https://git.openjdk.org/jdk/pull/16893
