RFR: 8156071: List.of: reduce array copying during creation
Stuart Marks
smarks at openjdk.java.net
Tue Oct 6 17:48:09 UTC 2020
On Tue, 6 Oct 2020 05:07:37 GMT, Tagir F. Valeev <tvaleev at openjdk.org> wrote:
>> Sorry to be late to the party. I thought that all reviews labeled with core-libs should be mirrored to core-libs-dev
>> mailing list but I haven't seen it there :(
>> Please note that the integrated implementation exposes listFromTrustedArray to everybody. No dirty unsafe reflection is
>> necessary, only single unchecked cast:
>> static <T> List<T> untrustedArrayToList(T[] array) {
>> @SuppressWarnings("unchecked")
>> Function<List<T>, List<T>> finisher =
>> (Function<List<T>, List<T>>) Collectors.<T>toUnmodifiableList().finisher();
>> ArrayList<T> list = new ArrayList<>() {
>> @Override
>> public Object[] toArray() {
>> return array;
>> }
>> };
>> return finisher.apply(list);
>> }
>>
>> This might be qualified as a security issue.
>
> This could be fixed by adding a classword check to the finisher, like this:
>
> list -> {
> if (list.getClass() != ArrayList.class) {
> throw new IllegalArgumentException();
> }
> return (List<T>) SharedSecrets.getJavaUtilCollectionAccess()
> .listFromTrustedArray(list.toArray());
> },
Thanks for pointing this out. I've filed bug [JDK-8254090](https://bugs.openjdk.java.net/browse/JDK-8254090). I think
we're ok as long as this gets fixed before JDK 16 ships.
I think the notification messages for this did end up on core-libs-dev, but perhaps there were some email delays over
the weekend.
-------------
PR: https://git.openjdk.java.net/jdk/pull/449
More information about the security-dev
mailing list