Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
On Tue, 5 Dec 2023 12:58:45 GMT, Markus KARG wrote:

>> I suspect it's left over from a previous iteration. In any case, limiting it
>> to a small number of output streams makes this easier to look at. BAOS and
>> FOS seem okay, POP seems okay too but legacy and not interesting.
>
> Agreed for a rather short list of explicitly whitelisted implementations. We
> should get rid of the package check.

I checked all the `OutputStreams` in the list for trustworthiness. The package check is vestigial; will remove. It could be useful if multiple packages were involved with multiple trusted classes in each.

PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1415944621

Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
On Tue, 5 Dec 2023 08:27:09 GMT, Alan Bateman wrote:

> I suspect it's left over from a previous iteration. In any case, limiting it
> to a small number of output streams makes this easier to look at. BAOS and
> FOS seem okay, POP seems okay too but legacy and not interesting.

Agreed for a rather short list of explicitly whitelisted implementations. We should get rid of the package check.

PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1415569212

Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
On Tue, 5 Dec 2023 07:37:39 GMT, Markus KARG wrote:

>> Brian Burkhalter has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>>   8321053: instanceof -> ==
>
> src/java.base/share/classes/java/io/ByteArrayInputStream.java line 213:
>
>> 211: byte[] tmp;
>> 212: Class outClass = out.getClass();
>> 213: if (outClass.getPackageName().equals("java.io") &&
>
> For what do we need this string-based check here?

I suspect it's left over from a previous iteration. In any case, limiting it to a small number of output streams makes this easier to look at. BAOS and FOS seem okay, POP seems okay too but legacy and not interesting.

PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1415121241

Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
On Mon, 4 Dec 2023 20:16:12 GMT, Brian Burkhalter wrote:

>> Pass `ByteArrayInputStream.buf` directly to the `OutputStream` parameter of
>> `BAIS.transferTo` only if the target stream is in the `java.io` package.
>
> Brian Burkhalter has updated the pull request incrementally with one
> additional commit since the last revision:
>
>   8321053: instanceof -> ==

src/java.base/share/classes/java/io/ByteArrayInputStream.java line 213:

> 211: byte[] tmp;
> 212: Class outClass = out.getClass();
> 213: if (outClass.getPackageName().equals("java.io") &&

For what do we need this string-based check here?

PR Review Comment: https://git.openjdk.org/jdk/pull/16893#discussion_r1415005911

Re: RFR: 8321053: Use ByteArrayInputStream.buf directly when parameter of transferTo() is trusted [v4]
> Pass `ByteArrayInputStream.buf` directly to the `OutputStream` parameter of
> `BAIS.transferTo` only if the target stream is in the `java.io` package.

Brian Burkhalter has updated the pull request incrementally with one additional commit since the last revision:

  8321053: instanceof -> ==

Changes:
  - all: https://git.openjdk.org/jdk/pull/16893/files
  - new: https://git.openjdk.org/jdk/pull/16893/files/29ee889b..7aa37667

Webrevs:
  - full: https://webrevs.openjdk.org/?repo=jdk=16893=03
  - incr: https://webrevs.openjdk.org/?repo=jdk=16893=02-03

Stats: 5 lines in 1 file changed: 1 ins; 0 del; 4 mod
Patch: https://git.openjdk.org/jdk/pull/16893.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/16893/head:pull/16893

PR: https://git.openjdk.org/jdk/pull/16893
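
An added illustration, not code from the PR or the JDK, of why the "instanceof -> ==" commit matters when an internal buffer is handed to an `OutputStream` without copying: a subclass of a trusted class passes `instanceof` and can write into the array it receives, while an exact-class comparison sends it a copy. `Source`, `Scribbler` and the single-entry trust check are hypothetical names and simplifications made for this sketch.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class TrustedSinkDemo {
    /** Hypothetical stand-in for ByteArrayInputStream: owns a private buffer. */
    static final class Source {
        private final byte[] buf;
        Source(String s) { buf = s.getBytes(StandardCharsets.US_ASCII); }

        /** exactClass=false models an instanceof check, true models the == check. */
        void transferTo(OutputStream out, boolean exactClass) throws IOException {
            boolean trusted = exactClass
                    ? out.getClass() == ByteArrayOutputStream.class
                    : out instanceof ByteArrayOutputStream;
            // Trusted sinks get the internal array; everything else gets a copy.
            byte[] src = trusted ? buf : buf.clone();
            out.write(src, 0, src.length);
        }

        String contents() { return new String(buf, StandardCharsets.US_ASCII); }
    }

    /** Subclass of a trusted class that overwrites whatever array it is handed. */
    static final class Scribbler extends ByteArrayOutputStream {
        @Override
        public synchronized void write(byte[] b, int off, int len) {
            super.write(b, off, len);
            Arrays.fill(b, off, off + len, (byte) '?');
        }
    }

    public static void main(String[] args) throws IOException {
        Source a = new Source("immutable");
        a.transferTo(new Scribbler(), false);   // instanceof: subclass sees the real buffer
        System.out.println("instanceof check:  " + a.contents());

        Source b = new Source("immutable");
        b.transferTo(new Scribbler(), true);    // ==: subclass only sees a copy
        System.out.println("exact-class check: " + b.contents());
    }
}
```

Comparing the two printed lines shows whether the source's private buffer survived the transfer under each check.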