On 12/06/2010 05:03 PM, Peter Jones wrote:
> On Mon, Dec 6, 2010 at 2:35 AM, Joe Darcy <[email protected]> wrote:
>> Off-list, Alan found a related closed test and Stuart and I have
>> developed an explicit test that tickles this bug:
>>
>> http://cr.openjdk.java.net/~darcy/6990094.1/
>
> Looks good to me.
>
> On Mon, Dec 6, 2010 at 3:10 AM, Rémi Forax <[email protected]> wrote:
>> Hi Joe,
>>
>> In the test, I don't see why the replacement field has to be static in
>> Resolver.
>> In my opinion, a private final field is sufficient.
>
> I don't know on what instance you would set such an instance field, to
> control the exact reference returned by invoking readUnshared on a
> deserialized instance. The attack scenario addressed by the original
> bug fix would likely use a static field similarly.
>
> -- Peter
I mean create two instances sharing the same replacement Object.
import java.io.*;

static class Resolver implements Serializable {
    private final Object replacement;

    public Resolver(Object o) {
        this.replacement = o;   // store the constructor argument, not the field itself
    }

    private Object readResolve() throws ObjectStreamException {
        return replacement;
    }
}

private static void test(Object replacement)
        throws IOException, ClassNotFoundException {
    try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            // two distinct Resolver instances that both resolve to the same object
            oos.writeObject(new Resolver(replacement));
            oos.writeObject(new Resolver(replacement));
        }
    }
}
Rémi
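As an added, stand-alone illustration of the two field placements being discussed (this is not the test from Joe's webrev and not Rémi's snippet; the class and method names are mine), the program below serialises two resolvers that share one replacement object, once with an instance field and once with a static field set on the receiving side, then reads both back with readUnshared and reports whether the caller received the same reference twice. A class with no readResolve is included as a control.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;

public class SharedReplacementDemo {

    // Instance-field variant: each serialised resolver carries its own
    // replacement; two instances built from the same object share it.
    static class InstanceResolver implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Object replacement;

        InstanceResolver(Object o) {
            this.replacement = o;
        }

        private Object readResolve() throws ObjectStreamException {
            return replacement;
        }
    }

    // Static-field variant: the replacement is whatever the receiving side
    // has put in the static field, so nothing about it is in the stream.
    static class StaticResolver implements Serializable {
        private static final long serialVersionUID = 1L;
        static Object replacement;

        private Object readResolve() throws ObjectStreamException {
            return replacement;
        }
    }

    // Control: ordinary serializable class without readResolve.
    static class Plain implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object... objects) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            for (Object o : objects) {
                oos.writeObject(o);
            }
        }
        return baos.toByteArray();
    }

    // Reads two top-level objects with readUnshared and reports whether the
    // caller got the same reference twice.
    static boolean readUnsharedTwiceGivesSameRef(byte[] stream)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(stream))) {
            Object first = ois.readUnshared();
            Object second = ois.readUnshared();
            return first == second;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one replacement shared by both resolvers.
        Object shared = new String("shared replacement");

        byte[] viaInstance = serialize(
            new InstanceResolver(shared), new InstanceResolver(shared));
        System.out.println("instance field:  same reference = "
            + readUnsharedTwiceGivesSameRef(viaInstance));

        StaticResolver.replacement = shared;
        byte[] viaStatic = serialize(new StaticResolver(), new StaticResolver());
        System.out.println("static field:    same reference = "
            + readUnsharedTwiceGivesSameRef(viaStatic));

        byte[] control = serialize(new Plain(), new Plain());
        System.out.println("no readResolve:  same reference = "
            + readUnsharedTwiceGivesSameRef(control));
    }
}
```

Compile and run with javac/java as a single file. In both resolver variants the value handed back by readUnshared is whatever readResolve returns, so the uniqueness readUnshared promises for the object it reads says nothing about the replacement; the difference between the variants is only where the shared reference comes from: the stream (instance field) or the deserialising JVM (static field).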