
A defensive copy is the cheap way to fix this.

The bug is a potential security vulnerability since it can affect the value of interned strings, which can break other libraries.



Even the example in the article alone. Imagine someone interns a broken "script" string, and people trying to sanitize HTML script tags no longer find it.


That still has to be done ad hoc and might kill performance for many use cases.

This is not a bug, but a specified behavior.


Changing the evaluation of the expression x.equals(y) to false when x and y are strings with the same value is not a specified behavior.


It is. The "buggy" code isn't marked as thread safe.



