On Tue, 6 Oct 2020 05:07:37 GMT, Tagir F. Valeev <tval...@openjdk.org> wrote:
>> Sorry to be late to the party. I thought that all reviews labeled with
>> core-libs should be mirrored to core-libs-dev
>> mailing list but I haven't seen it there :(
>> Please note that the integrated implementation exposes listFromTrustedArray
>> to everybody. No dirty unsafe reflection is
>> necessary, only single unchecked cast:
>> static <T> List<T> untrustedArrayToList(T[] array) {
>> @SuppressWarnings("unchecked")
>> Function<List<T>, List<T>> finisher =
>> (Function<List<T>, List<T>>)
>> Collectors.<T>toUnmodifiableList().finisher();
>> ArrayList<T> list = new ArrayList<>() {
>> @Override
>> public Object[] toArray() {
>> return array;
>> }
>> };
>> return finisher.apply(list);
>> }
>>
>> This might be qualified as a security issue.
>
> This could be fixed by adding a classword check to the finisher, like this:
>
> list -> {
> if (list.getClass() !=
> ArrayList.class) {
> throw new
> IllegalArgumentException();
> }
> return (List<T>)
> SharedSecrets.getJavaUtilCollectionAccess()
>
> .listFromTrustedArray(list.toArray());
> },
Thanks for pointing this out. I've filed bug
[JDK-8254090](https://bugs.openjdk.java.net/browse/JDK-8254090). I think
we're ok as long as this gets fixed before JDK 16 ships.
I think the notification messages for this did end up on core-libs-dev, but
perhaps there were some email delays over
the weekend.
-------------
PR: https://git.openjdk.java.net/jdk/pull/449
