On Tue, 6 Oct 2020 05:07:37 GMT, Tagir F. Valeev <tval...@openjdk.org> wrote:
>> Sorry to be late to the party. I thought that all reviews labeled with >> core-libs should be mirrored to core-libs-dev >> mailing list but I haven't seen it there :( >> Please note that the integrated implementation exposes listFromTrustedArray >> to everybody. No dirty unsafe reflection is >> necessary, only single unchecked cast: >> static <T> List<T> untrustedArrayToList(T[] array) { >> @SuppressWarnings("unchecked") >> Function<List<T>, List<T>> finisher = >> (Function<List<T>, List<T>>) >> Collectors.<T>toUnmodifiableList().finisher(); >> ArrayList<T> list = new ArrayList<>() { >> @Override >> public Object[] toArray() { >> return array; >> } >> }; >> return finisher.apply(list); >> } >> >> This might be qualified as a security issue. > > This could be fixed by adding a classword check to the finisher, like this: > > list -> { > if (list.getClass() != > ArrayList.class) { > throw new > IllegalArgumentException(); > } > return (List<T>) > SharedSecrets.getJavaUtilCollectionAccess() > > .listFromTrustedArray(list.toArray()); > }, Thanks for pointing this out. I've filed bug [JDK-8254090](https://bugs.openjdk.java.net/browse/JDK-8254090). I think we're ok as long as this gets fixed before JDK 16 ships. I think the notification messages for this did end up on core-libs-dev, but perhaps there were some email delays over the weekend. ------------- PR: https://git.openjdk.java.net/jdk/pull/449