From 8358846d5fbf65ca0bd9e433ad62632758389647 Mon Sep 17 00:00:00 2001
From: Alan Bateman
Date: Wed, 25 Nov 2009 10:02:50 +0000
Subject: [PATCH] 6736390: File TOCTOU deserialization vulnerability
Reviewed-by: hawtin
---
 jdk/src/share/classes/java/io/File.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/jdk/src/share/classes/java/io/File.java b/jdk/src/share/classes/java/io/File.java
index 4f7a413839a..12721567190 100644
--- a/jdk/src/share/classes/java/io/File.java
+++ b/jdk/src/share/classes/java/io/File.java
@@ -2064,11 +2064,12 @@ public class File
 private synchronized void readObject(java.io.ObjectInputStream s)
 throws IOException, ClassNotFoundException
 {
- s.defaultReadObject();
+ ObjectInputStream.GetField fields = s.readFields();
+ String pathField = (String)fields.get("path", null);
 char sep = s.readChar(); // read the previous separator char
 if (sep != separatorChar)
- this.path = this.path.replace(sep, separatorChar);
- this.path = fs.normalize(this.path);
+ pathField = pathField.replace(sep, separatorChar);
+ this.path = fs.normalize(pathField);
 this.prefixLength = fs.prefixLength(this.path);
 }
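Review bot: A stream whose "path" field is absent or null now fails with a NullPointerException from `pathField.replace(...)` (or from `fs.normalize` when the separators already match), because `fields.get("path", null)` defaults to null; a serialization-layer rejection would be clearer and keeps the object from being partially initialised. A single guard after the read, `if (pathField == null) throw new InvalidObjectException("path is null");`, does that and needs no signature change since `InvalidObjectException` is an `IOException` and is in the same package. The reason for the local is also worth recording, since it is the whole point of the fix: a comment such as `// normalize a local copy so this.path is assigned exactly once, after normalization` above the `readFields()` call would stop a later cleanup from reverting to `defaultReadObject()`.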