On 12/10/2017 07:07, Kazunori Ogata wrote:
Hi Alan,
Thank you for your comment. I was not fully aware of the possibility of
attacking...
I updated the patch to check if the current thread is the same as the
thread that cached the loader.
Updated webrev: http://cr.openjdk.java.net/~horii/8188858/webrev.01/
This is better but it is still not safe. You'll have to atomically set/get
the cachedLoader or put it into a thread local to ensure that
resolveClass picks up the loader cached by the current thread. A thread
local could work too although (needs study) it might need a reference to
the OIS to guard against nested deserialization with a different stream.
-Alan
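
An added sketch, not code from the webrev or the JDK, of the atomic set/get option discussed above: the caching thread and its loader are published as one immutable pair, so a lookup can never pair its own thread check with a loader that a different thread stored. The class, field and method names are hypothetical, and `fallback` stands for whatever loader the normal, uncached lookup would return.

```java
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical sketch; none of these names come from java.io.ObjectInputStream.
public class LoaderCacheSketch {
    // Immutable pair: owner and loader are always read and written together.
    private static final class CachedLoader {
        final Thread owner;
        final ClassLoader loader;
        CachedLoader(Thread owner, ClassLoader loader) {
            this.owner = owner;
            this.loader = loader;
        }
    }

    private final AtomicReference<CachedLoader> cached = new AtomicReference<>();

    // Called by the thread that starts a read on this stream.
    void cacheLoader(ClassLoader loader) {
        cached.set(new CachedLoader(Thread.currentThread(), loader));
    }

    // Only the owning thread may clear its own entry.
    void clearCache() {
        CachedLoader c = cached.get();
        if (c != null && c.owner == Thread.currentThread()) {
            cached.compareAndSet(c, null);
        }
    }

    // One atomic read; the cached loader is used only by the thread that cached it.
    ClassLoader loaderForResolve(ClassLoader fallback) {
        CachedLoader c = cached.get();
        return (c != null && c.owner == Thread.currentThread()) ? c.loader : fallback;
    }

    public static void main(String[] args) throws Exception {
        LoaderCacheSketch s = new LoaderCacheSketch();
        ClassLoader mine = LoaderCacheSketch.class.getClassLoader();
        ClassLoader other = new ClassLoader(mine) {};   // constructed stand-in loader
        s.cacheLoader(mine);
        ClassLoader[] seen = new ClassLoader[1];
        Thread t = new Thread(() -> seen[0] = s.loaderForResolve(other));
        t.start();
        t.join();
        System.out.println("other thread ignores cache: " + (seen[0] == other));
        System.out.println("owner sees cached loader:   " + (s.loaderForResolve(other) == mine));
        s.clearCache();
        System.out.println("cleared by owner:           " + (s.loaderForResolve(other) == other));
    }
}
```

This covers only the cross-thread case; the nested-deserialization concern raised for the thread-local variant (a different stream on the same thread) is not modelled here.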