Hi Alan, Thank you for your comment. I was not fully aware of the possibility of attacking...
I updated the patch to check if the current thread is the same as the thread cached the loader. Updated webreb: http://cr.openjdk.java.net/~horii/8188858/webrev.01/ Regards, Ogata From: Alan Bateman <alan.bate...@oracle.com> To: Kazunori Ogata <oga...@jp.ibm.com> Cc: core-libs-dev@openjdk.java.net Date: 2017/10/10 21:41 Subject: Re: RFR: 8188858: Caching latestUserDefinedLoader() results in ObjectInputStream.readObject() On 10/10/2017 10:50, Kazunori Ogata wrote: > Hi Alan, > > Thank you for your comment. > > I agree that the current code is not thread safe, but I think OIS itself > is not thread safe either. The issue you pointed out occurs when two > threads calls readObject()/readUnshared() simultaneously, and the result > of such situation is undefined in any way in my understanding. Do we need > to ensure the same behavior for such an error case? OIS is very interesting to attackers so you will need to take deliberate abuses of the API into account. I realize it's a pain but it's one of the reasons why we have to be cautious about optimizations in this area. -Alan
