RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject()
Alan Bateman
Alan.Bateman at oracle.com
Thu Oct 12 13:17:48 UTC 2017
On 12/10/2017 07:07, Kazunori Ogata wrote:
> Hi Alan,
>
> Thank you for your comment. I was not fully aware of the possibility of
> attacking...
>
> I updated the patch to check if the current thread is the same as the
> thread cached the loader.
>
> Updated webreb: http://cr.openjdk.java.net/~horii/8188858/webrev.01/
>
This is better but it still not safe. You'll have to atomically set/get
the cachedLoader or put it into a thread local to ensure that
resolveClass picks up the loader cached by the current thread. A thread
local could work too although (needs study) it might need a reference to
the OIS to guard against nested deserialization with a different stream.
-Alan
More information about the core-libs-dev
mailing list