On 12/06/2010 05:03 PM, Peter Jones wrote:
On Mon, Dec 6, 2010 at 2:35 AM, Joe Darcy<[email protected]>  wrote:
Off-list, Alan found a related closed test and Stuart and I have
developed an explicit test that tickles this bug:

   http://cr.openjdk.java.net/~darcy/6990094.1/
Looks good to me.

On Mon, Dec 6, 2010 at 3:10 AM, Rémi Forax<[email protected]>  wrote:
Hi Joe,
In the test, I don't see why the replacement field has to be static in
Resolver.
In my opinion, a private final field is sufficient.
I don't know on what instance you would set such an instance field, to
control the exact reference returned by invoking readUnshared on a
deserialized instance.  The attack scenario addressed by the original
bug fix would likely use a static field similarly.

-- Peter

I mean create two instances sharing the same replacement Object.

    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import java.io.ObjectOutputStream;
    import java.io.ObjectStreamException;
    import java.io.Serializable;

    // Enclosing class name is not in the original message; any name will do.
    public class ResolverTest {

        static class Resolver implements Serializable {
            private final Object replacement;

            public Resolver(Object o) {
                this.replacement = o;   // the original assigned the field to itself
            }
            private Object readResolve() throws ObjectStreamException {
                return replacement;
            }
        }

        // Writes two distinct Resolver instances that share one replacement.
        private static void test(Object replacement)
            throws IOException, ClassNotFoundException {

            try(ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
                try(ObjectOutputStream oos = new ObjectOutputStream(baos)) {
                    oos.writeObject(new Resolver(replacement));
                    oos.writeObject(new Resolver(replacement));
                }
            }
        }
    }

Rémi
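The round trip that Rémi's fragment sets up, carried through as an added example that is not code from this thread or from Joe's webrev (the class name ReadUnsharedReadResolveDemo and the sample string are assumptions made here). It writes two distinct Resolver instances that share one replacement, reads both back with readUnshared, and checks whether the same reference comes out twice; for contrast it also writes the same Resolver twice, so the second record is a stream back-reference, which readUnshared rejects.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;

// Class name chosen for this example; it is not from the thread.
public class ReadUnsharedReadResolveDemo {

    // Same shape as the Resolver in the thread: the replacement is an
    // ordinary instance field, not a static one.
    static class Resolver implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Object replacement;

        Resolver(Object replacement) {
            this.replacement = replacement;
        }

        private Object readResolve() throws ObjectStreamException {
            return replacement;
        }
    }

    // Two distinct Resolver instances sharing one replacement: each is a
    // full object record in the stream, so readUnshared accepts both, and
    // each readResolve hands back the single deserialized replacement.
    static boolean sharedReplacementSurvivesReadUnshared()
            throws IOException, ClassNotFoundException {
        String shared = "shared replacement";   // constructed sample value
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(new Resolver(shared));
            oos.writeObject(new Resolver(shared));
        }
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()))) {
            Object first = ois.readUnshared();
            Object second = ois.readUnshared();
            return first == second;   // same reference, despite readUnshared
        }
    }

    // The same Resolver written twice: the second record is a back-reference
    // to the first, and readUnshared refuses to read a back-reference.
    static boolean backReferenceIsRejected()
            throws IOException, ClassNotFoundException {
        Resolver one = new Resolver("shared replacement");
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(one);
            oos.writeObject(one);   // written as a handle reference, not a new object
        }
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()))) {
            ois.readUnshared();
            try {
                ois.readUnshared();
                return false;
            } catch (ObjectStreamException expected) {
                return true;   // InvalidObjectException: back reference as unshared
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared replacement returned twice: "
                + sharedReplacementSurvivesReadUnshared());
        System.out.println("back-reference rejected by readUnshared: "
                + backReferenceIsRejected());
    }
}
```

Running main prints true for both checks. The point for anyone using readUnshared as an identity guarantee is the one its Javadoc already states: the call invalidates the stream handle of the object it returns, but a readResolve method may hand back an object that is visible elsewhere, so two serialized instances sharing a plain instance field are enough to obtain the same reference twice, and a static field is not required for that.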
