river-dev mailing list archives

From Sim IJskes - QCG <...@qcg.nl>
Subject Re: Towards Internet Jini Services (trust)
Date Tue, 12 Oct 2010 11:33:09 GMT
On 10/12/2010 01:11 PM, Michal Kleczek wrote:
> On Tuesday 12 of October 2010 13:08:19 Sim IJskes - QCG wrote:
>> On 10/12/2010 12:33 PM, Michal Kleczek wrote:
>>> Hmm... I think I would argue that annotation should have the codebase
>>> embedded and only issue a remote call to verify this codebase - not to
>>> retrieve it.
>>>
>>> How about we get rid of Module interface and require annotation to be
>>> RmiModule (which is final)?
>>
>> By re/encoding it as a String. So we can harden the MarshallInputStream
>> to only accept UTF-8 String with limited length.
>
> Would that be enough just not to allow recursive readAnnotation() ?
> That way our stream would be more compact...

It is my perception that you can feed the deserializer anything you 
want, recursive or not, as long as you limit yourself to the jre 
classes. The 'check' (at this moment) happens at the cast to String.

And by building a babushka in the stream, cause a stack overflow or 
heap overflow (dependent on the implementation) in this way.

I don't see an easy way to implement a loadOnlyThisClass(Class cls) 
member function. And changing all the methods where codebase is coded as 
a String is also not my favorite.

My proposal:

Code 'codebase annotation' as a String. Add a verifier that loads the 
code and checks signing, and allow actual class instantiation to reuse 
the bytes that have already been downloaded by the verifier.

Gr. Sim
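
An added example, not code from this thread or from River, of the loadOnlyThisClass idea applied to the codebase annotation: an ObjectInputStream that yields a single String (or null), throws on every class descriptor it sees, and caps the raw byte count so a nested babushka stream is cut off before it can exhaust the stack or heap. The class names and the sample codebase URL are assumptions.

```java
import java.io.*;
import java.util.ArrayList;

/** Hypothetical hardened stream: deserializes one String (or null) and refuses every other class. */
public final class StringOnlyObjectInputStream extends ObjectInputStream {

    public StringOnlyObjectInputStream(InputStream in, int maxBytes) throws IOException {
        // Bounding the raw byte count bounds the String length and cuts off long nested streams.
        super(new BoundedInputStream(in, maxBytes));
    }

    /** A String is written as TC_STRING and never produces a class descriptor, so any
     *  descriptor means a non-String (container, array, enum, ...) is being fed in: reject it. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException {
        throw new InvalidClassException(desc.getName(), "only java.lang.String is accepted here");
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
        throw new InvalidClassException("java.lang.reflect.Proxy", "proxies are not accepted here");
    }

    /** Reads the codebase annotation; null means "no codebase", anything else must be a String. */
    public String readAnnotation() throws IOException, ClassNotFoundException {
        Object o = readObject();   // defence in depth: resolveClass already rejects non-Strings
        if (o != null && !(o instanceof String)) {
            throw new InvalidObjectException("annotation is a " + o.getClass().getName());
        }
        return (String) o;
    }

    /** Stops delivering bytes once the limit is reached; the caller sees an IOException. */
    private static final class BoundedInputStream extends FilterInputStream {
        private long remaining;
        BoundedInputStream(InputStream in, long limit) { super(in); remaining = limit; }
        @Override public int read() throws IOException {
            if (remaining <= 0) throw new IOException("annotation exceeds byte limit");
            int b = in.read(); if (b >= 0) remaining--; return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            if (remaining <= 0) throw new IOException("annotation exceeds byte limit");
            int n = in.read(buf, off, (int) Math.min(len, remaining));
            if (n > 0) remaining -= n; return n;
        }
    }

    private static byte[] serialize(Object o) throws IOException {   // constructed test input
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] plain = serialize("http://example.invalid/service-dl.jar");   // assumed codebase URL
        ArrayList<Object> nested = new ArrayList<>(); nested.add(new ArrayList<>(nested));
        byte[] babushka = serialize(nested);
        System.out.println(new StringOnlyObjectInputStream(new ByteArrayInputStream(plain), 1024).readAnnotation());
        try { new StringOnlyObjectInputStream(new ByteArrayInputStream(babushka), 1024).readAnnotation(); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The nested ArrayList is refused at its first class descriptor, before any element is instantiated; the byte limit additionally stops a TC_LONGSTRING or an endless stream of back references.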

