A Bug involving MethodHandles, Nestmates, Reflection and @CallerSensitive
Johannes Kuhn
info at j-kuhn.de
Wed Dec 9 20:09:32 UTC 2020
On 09-Dec-20 19:44, Mandy Chung wrote:
>
>
> On 12/8/20 6:02 PM, Johannes Kuhn wrote:
>> There are a lot of things to consider when trying to fix JDK-8013527.
>
> Exactly, in particular the security implications! What is clear is that the
> expected lookup class should not be the injected class. The key
> message here is that we can't fix JDK-8257874 until we fix JDK-8013527
> unfortunately.
>
> Mandy
>
Yeah, if JDK-8013527 is fixed it might fix JDK-8257874 as a byproduct.
If Lookup.lookup() can determine the original caller, then
Field.set*/Method.invoke could do the same.
Special care has to be taken that no other class could spoof such an
injected invoker.
Too complicated for me :). JDK-8013527 needs a sound design to approach
fixing it IMHO.
- Johannes