Replacement of sun.reflect.Reflection#getCallerClass
Mandy Chung
mandy.chung at oracle.com
Tue Sep 3 14:30:00 UTC 2013
On 9/3/2013 5:52 AM, Nick Williams wrote:
> Do, I don't understand the rationale. Alan said the security issues couldn't be discussed openly. I can get a Class object MANY different ways without a security check. I don't see or understand any vulnerabilities here. I'm going to need much more information in order to contribute to the discussion in an informed manner.
The Java security guideline is a good starting point.
http://www.oracle.com/technetwork/java/seccodeguide-139067.html#4
> And, has been stated many, many times, this non-goal is incompatible with the community's needs. Now, there /is/ a way to avoid making @CallerSensitive public (which the community doesn't care about) while still making getCallerClass public (which is really what the community needs). In order to do so, you must remove the check that requires the method calling getCallerClass/getCallerFrame to be annotated with @CallerSensitive. Once you remove that check, you don't need @CallerSensitive to be public. To be clear, though, once you remove that check, you don't need @CallerSensitive /at all/. It can simply go away.
Do you mean sun.reflect.CallerSensitive can go away? This is very
important part of the design that we need to detect which methods are
caller-sensitive. I keep seeing you suggest this and it is unclear to
me if you only mean to remove java.lang. at CallerSensitive in your proposal.
Mandy
More information about the core-libs-dev
mailing list