On Thu, 30 Nov 2023 09:47:05 GMT, Vladimir Sitnikov <[email protected]>
wrote:
>>> You have to know that it is in the java.io package and it doesn't wrap
>>> another stream.
>>
>> That is a good point. In the previous work on this override, we converged on
>> the current implementation to not leak the internal byte[] to the target. It
>> could be special cased for trusted targets but at the cost of auditing and
>> complexity. So more thought needed on this, I don't think the current change
>> can be integrated.
>
> What do you think of adding `OutputStream extends WritableByteChannel`, so
> `transferTo` could be implemented with `if (target instanceof
> WritableByteChannel) { target.write(ByteBuffer.wrap(buf, off,
> len).asReadOnly()); }`?
>
> Read-only byte buffer will not allow modifying the data in the buffer, it
> would eliminate buffer copies, and adding `write(ByteBuffer)` to
> `OutputStream` seems reasonable.
> It could be special cased for trusted targets but at the cost of auditing and
> complexity. So more thought needed on this [...]
Could the target additionally be checked to see whether it is a
`FilterOutputStream` and if so not be trusted?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16879#discussion_r1411007027
