8210496: Improve filtering for classes with security sensitive fields
Alan Bateman
Alan.Bateman at oracle.com
Fri Sep 14 17:52:06 UTC 2018
Core reflection has a filtering mechanism to hide a number of fields
that are critical to security or the integrity of the runtime. It's a
bit of a band aid but it helps to reduce hacking on fields such as
java.lang.System.security and java.lang.Class.classLoader. I'd like to
extend the filters to hide a few additional fields from
integrity-sensitive (and non-serializable) classes in java.lang.reflect
and java.lang.invoke. There are of course a number of nasty hacks around
that might break due to this but these hacks would be broken anyway with
a simple rename or other innocent refactoring (we had some of this during
JDK 11 when Mandy fixed JDK-8202113 for example).
The webrev with the changes is here:
https://bugs.openjdk.java.net/browse/JDK-8210496
Mandy has already reviewed the CSR [1].
-Alan
[1] https://bugs.openjdk.java.net/browse/JDK-8210522
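The following is an added example, not part of the original message or of the JDK change: a small check that reports whether core reflection exposes a named field, run against the two fields the message names. The class name `FilteredFieldCheck`, the helper `hiddenFromReflection` and the `Control` class are hypothetical; note that a `NoSuchFieldException` alone cannot distinguish a filtered field from one that a given JDK release does not declare.

```java
import java.lang.reflect.Field;
import java.util.Arrays;

public class FilteredFieldCheck {

    // Constructed control class: an ordinary private field that no filter covers.
    static class Control {
        private int ordinary;
    }

    /**
     * Returns true when the field is neither listed by getDeclaredFields()
     * nor resolvable by getDeclaredField(). Both paths are checked because
     * code that pokes at internals may use either one.
     */
    static boolean hiddenFromReflection(Class<?> owner, String fieldName) {
        boolean listed = Arrays.stream(owner.getDeclaredFields())
                .map(Field::getName)
                .anyMatch(fieldName::equals);
        boolean lookupFails;
        try {
            owner.getDeclaredField(fieldName);
            lookupFails = false;
        } catch (NoSuchFieldException e) {
            // Thrown for a filtered field exactly as for a field that does not exist.
            lookupFails = true;
        }
        return !listed && lookupFails;
    }

    static void report(Class<?> owner, String fieldName) {
        System.out.printf("%s.%s hidden from reflection: %b%n",
                owner.getName(), fieldName, hiddenFromReflection(owner, fieldName));
    }

    public static void main(String[] args) {
        // Fields named in the message as already covered by the filter.
        report(System.class, "security");
        report(Class.class, "classLoader");
        // Control: a normal private field stays visible to its own reflection calls.
        report(Control.class, "ordinary");
    }
}
```

Code that depends on reflective access to such fields fails at the lookup itself, so a check like this can be run on a candidate JDK before upgrading.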