8210496: Improve filtering for classes with security sensitive fields
Alan Bateman
Alan.Bateman at oracle.com
Fri Sep 14 17:57:50 UTC 2018
On 14/09/2018 18:52, Alan Bateman wrote:
> Core reflection has a filtering mechanism to hide a number of fields
> that are critical to security or the integrity of the runtime. It's a
> bit of a band aid but it helps to reduce hacking on fields such as
> java.lang.System.security and java.lang.Class.classLoader. I'd like to
> extend the filters to hide a few additional fields from
> integrity-sensitive (and non-serializable) classes in
> java.lang.reflect and java.lang.invoke. There are of course a number
> of nasty hacks around that might break due to this but these hacks
> would be broken anyway with a simple rename or other innocent
> refactoring (we had some of this during JDK 11 when Mandy fixed
> JDK-8202113 for example).
>
> The webrev with the changes is here:
> https://bugs.openjdk.java.net/browse/JDK-8210496
Sorry, that is the JBS issue, the webrev is here:
http://cr.openjdk.java.net/~alanb/8210496/webrev/index.html
-Alan
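
The filtering described in the message above can be observed from ordinary code. The following is an added example, not part of the original message or of the webrev; the class name FilterProbe and the helper visible() are hypothetical, and String.hash is used only as an assumed unfiltered control field. It reports whether core reflection exposes a given declared field, and accepts extra "className fieldName" pairs on the command line so the same check can be run against a particular runtime.

```java
import java.lang.reflect.Field;
import java.util.Arrays;

// Added example: probes the core reflection field filter from the outside.
public class FilterProbe {

    /** True if core reflection exposes a declared field with this name on the class. */
    static boolean visible(Class<?> c, String name) {
        // Enumeration path: a filtered field is dropped from the returned array.
        boolean listed = Arrays.stream(c.getDeclaredFields())
                               .map(Field::getName)
                               .anyMatch(name::equals);
        // Lookup path: a filtered field is reported exactly like a missing one.
        boolean lookedUp;
        try {
            c.getDeclaredField(name);
            lookedUp = true;
        } catch (NoSuchFieldException e) {
            lookedUp = false;
        }
        return listed || lookedUp;
    }

    static void report(Class<?> c, String name) {
        System.out.println(c.getName() + "." + name + " visible: " + visible(c, name));
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // The two fields named in the message above.
        report(Class.class, "classLoader");
        report(System.class, "security");
        // Control (assumption): an ordinary private field with no filter entry.
        report(String.class, "hash");
        // Optional extra pairs: java FilterProbe <className> <fieldName> ...
        for (int i = 0; i + 1 < args.length; i += 2) {
            // initialize=false: loading the class is enough to inspect its fields.
            Class<?> c = Class.forName(args[i], false, FilterProbe.class.getClassLoader());
            report(c, args[i + 1]);
        }
    }
}
```

Because a filtered field and a nonexistent field both surface as NoSuchFieldException, code that depends on such a field fails the same way after a filter is added as it would after a rename.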