RFR: 8279283 - BufferedInputStream should override transferTo [v11]
Markus KARG
duke at openjdk.org
Sat Oct 1 20:37:35 UTC 2022
On Sun, 11 Sep 2022 08:04:36 GMT, Markus KARG <duke at openjdk.org> wrote:
> I think you are asking if is safe to leak a reference to the internal buffer. If there is no mark then it might be okay because there is no replay for an evil output stream to attack. However, I think it would require wider review to be confident that there aren't other interesting ways to break it; hence the suggestion in one of the earlier comments to keep it simple and limit it when there is no subclassing, no mark, and no bytes buffered. This does not prevent widening the conditions in the future.
@AlanBateman I opened [another PR](https://github.com/openjdk/jdk/pull/10525) to continue this discussion.
-------------
PR: https://git.openjdk.org/jdk/pull/6935
More information about the core-libs-dev
mailing list