Replacement of sun.reflect.Reflection#getCallerClass
David M. Lloyd
david.lloyd at redhat.com
Tue Sep 3 14:40:04 UTC 2013
On 09/03/2013 09:30 AM, Mandy Chung wrote:
>
> On 9/3/2013 5:52 AM, Nick Williams wrote:
>> Do, I don't understand the rationale. Alan said the security issues
>> couldn't be discussed openly. I can get a Class object MANY different
>> ways without a security check. I don't see or understand any
>> vulnerabilities here. I'm going to need much more information in order
>> to contribute to the discussion in an informed manner.
>
> The Java security guideline is a good starting point.
> http://www.oracle.com/technetwork/java/seccodeguide-139067.html#4
Spelling this out for clarity. This document talks about using access
modifiers to restrict class definitions, which I think everyone agrees
is a reasonable security measure. It specifically does *not* address
accessing java.lang.Class instances, which are not protected or guarded
in any way as far as I can see, and are as easy to access as .getClass()
on any Object instance. In other words, if you have an object, you have
its Class instance as well.
The document *does* cover the (existing) protection of requiring a
runtime permission to access the class loader from a Class (or other ways).
Again, the doc talks about protecting ClassLoader instances, *not* Class
instances. If accessing Class instances is a security hole, then we
already have a serious problem that has nothing to do with this.
>> And, has been stated many, many times, this non-goal is incompatible
>> with the community's needs. Now, there /is/ a way to avoid making
>> @CallerSensitive public (which the community doesn't care about) while
>> still making getCallerClass public (which is really what the community
>> needs). In order to do so, you must remove the check that requires the
>> method calling getCallerClass/getCallerFrame to be annotated with
>> @CallerSensitive. Once you remove that check, you don't need
>> @CallerSensitive to be public. To be clear, though, once you remove
>> that check, you don't need @CallerSensitive /at all/. It can simply go
>> away.
>
> Do you mean sun.reflect.CallerSensitive can go away? This is very
> important part of the design that we need to detect which methods are
> caller-sensitive. I keep seeing you suggest this and it is unclear to
> me if you only mean to remove java.lang. at CallerSensitive in your proposal.
>
> Mandy
--
- DML
More information about the core-libs-dev
mailing list