RFR JDK-8229785: MethodType::fromMethodDescriptorString should require security permission if loader is null

Vicente Romero vicente.romero at oracle.com
Mon Sep 9 21:46:38 UTC 2019


looks good,
Vicente

On 9/9/19 5:03 PM, Mandy Chung wrote:
> MethodType::fromMethodDescriptorString default to use the system class
> loader in resolving classes per the given descriptor string if the
> loader parameter is null.  Since this method accesses the system class
> loader on behalf of the caller, it should do a security permission
> check as ClassLoader::getSystemClassLoader.
>
> Webrev:
>    http://cr.openjdk.java.net/~mchung/jdk14/8229785/webrev.00/
> CSR:
>    https://bugs.openjdk.java.net/browse/JDK-8230777
>
> Thanks
> Mandy



More information about the core-libs-dev mailing list