Caching lambda proxy classes
Peter Levart
peter.levart at gmail.com
Tue Mar 12 10:32:41 PDT 2013
On 03/12/2013 06:14 PM, Brian Goetz wrote:
>> A question: What's so special in the $deserializeLambda$ method that it
>> has to be generated in each capturing class? The MethodHandles.Lookup?
>
> Security. Anyone can create a serialized bytestream that effectively
> says "take this private method of a random class, and turn it into a
> lambda." We wish to only proceed with lambda conversion for
> combinations of (SAM, method) that *actually* were intended to be
> lambdas.
Ah, yes. So one has to be very careful what serializable lambdas he
creates in server code, for example, since that gives a potential hacker
an opportunity to forge a stream to create instances of SAM types that
he would not be able to create otherwise (for example, passing forged
stream to RMI server methods accepting SAM types)...
Regards, Peter
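The gate Brian describes, shown as an added example (not code from the thread or the JDK): javac records the (SAM, implementation method) pairs of every serializable lambda in a class and emits a private static `$deserializeLambda$(SerializedLambda)` there; on deserialization `SerializedLambda.readResolve` hands the stream's data back to that method, which accepts only recorded combinations. The class and method names below are made up for the demonstration; the reflective call to the proxy's `writeReplace` assumes the code runs in the unnamed module.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.invoke.SerializedLambda;
import java.lang.reflect.Method;
import java.util.function.Supplier;

public class LambdaDeserializationGate {
    // A serializable lambda: javac records (Supplier, lambda$greeting$N) for it and
    // emits $deserializeLambda$ in this class so only that pairing is accepted.
    static Supplier<String> greeting() {
        return (Supplier<String> & Serializable) () -> "hello";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The gate method javac generated for this capturing class (private static).
        Method gate = LambdaDeserializationGate.class
                .getDeclaredMethod("$deserializeLambda$", SerializedLambda.class);
        System.out.println("gate present: " + gate);

        // What the stream actually carries: the proxy's writeReplace returns a
        // SerializedLambda naming the capturing class and implementation method.
        Supplier<String> original = greeting();
        Method writeReplace = original.getClass().getDeclaredMethod("writeReplace");
        writeReplace.setAccessible(true);
        SerializedLambda sl = (SerializedLambda) writeReplace.invoke(original);
        System.out.println(sl.getCapturingClass() + " / " + sl.getImplMethodName());

        // Round trip: readResolve on SerializedLambda dispatches to the gate above,
        // which re-links the lambda only because this pairing was recorded.
        @SuppressWarnings("unchecked")
        Supplier<String> copy = (Supplier<String>) deserialize(serialize(original));
        System.out.println(copy.get());
    }
}
```

A stream describing a (SAM, method) pairing the capturing class never recorded reaches the same `$deserializeLambda$` and is rejected there with an IllegalArgumentException rather than being linked.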