RFR: 8217920: Lookup.defineClass injects a class that can access private members of any class in its own module [v2]
Alan Bateman
alanb at openjdk.org
Fri Jan 27 11:47:23 UTC 2023
On Thu, 26 Jan 2023 22:27:36 GMT, Mandy Chung <mchung at openjdk.org> wrote:
>> Currently, a `Lookup` object with `PACKAGE` access can be used to inject a class in the runtime package of the Lookup's lookup class via `Lookup::defineClass`. The classes that are injected have the same access as other members in the module and can access private members of all types in the module via reflection.
>>
>> However, changing `Lookup.defineClass` to require full privilege access (`PRIVATE` + `MODULE`) is an incompatible change that would break existing frameworks which use `privateLookupIn` and `Lookup::defineClass` to inject auxiliary classes in a module. A module authorizes the framework by opening a package for it to access and `Lookup::defineClass` was the supported replacement for `setAccessible` on `ClassLoader::defineClass` hack in JDK 9.
>>
>> This PR proposes to keep existing behavior and provide better documentation to help developers to beware of the permissions given out when opening a package to another module. A class injected in a module has the same privilege as other module members.
>
> Mandy Chung has updated the pull request incrementally with one additional commit since the last revision:
>
> review feedback
src/java.base/share/classes/java/lang/Module.java line 605:
> 603: * {@link java.lang.invoke.MethodHandles.Lookup Lookup} object that is allowed to
> 604: * {@link java.lang.invoke.MethodHandles.Lookup#defineClass(byte[]) define classes}
> 605: * in package {@code p}. </p>
I wonder if this should be an apiNote rather than method description. There is also the no-arg isOpen method and maybe we should add a note there too. What would you think about linking "deep reflection" to AccessibleObject.setAccessible(boolean)?
src/java.base/share/classes/java/lang/invoke/MethodHandles.java line 240:
> 238: * of {@code targetClass}. Extreme caution should be taken when opening a package
> 239: * to another module as such defined classes have the same full privilege
> 240: * access as other members in the target module.
"define classes" instead of inject classes is good.
-------------
PR: https://git.openjdk.org/jdk/pull/12236
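
An added example, not part of this thread or of the JDK sources: a runtime audit of which packages are open and to whom. Per the javadoc under review, each open package is one in which the target module may be able to define classes through `privateLookupIn` and `Lookup::defineClass`. The class name `OpenPackageAudit` and the `Finding` record are hypothetical; the calls on `Module`, `ModuleLayer` and `ClassLoader` are standard API.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example: reports every package in a layer that is open, and to whom. */
public class OpenPackageAudit {

    /** One finding: the module owning the package, the package, and the grantee. */
    record Finding(String module, String pkg, String openTo) {}

    static List<Finding> audit(ModuleLayer layer) {
        // Unnamed module of the system class loader, i.e. code on the class path.
        Module unnamed = ClassLoader.getSystemClassLoader().getUnnamedModule();
        List<Finding> findings = new ArrayList<>();
        for (Module m : layer.modules()) {
            for (String pn : m.getPackages()) {
                // Open to every module: open module, automatic module,
                // or an unqualified `opens pn;` directive.
                if (m.isOpen(pn)) {
                    findings.add(new Finding(m.getName(), pn, "ALL MODULES"));
                    continue;
                }
                // Runtime state, so this also sees --add-opens m/pn=ALL-UNNAMED.
                if (m.isOpen(pn, unnamed)) {
                    findings.add(new Finding(m.getName(), pn, "ALL-UNNAMED"));
                }
                // Qualified opens, whether declared in module-info,
                // given with --add-opens, or added via Module.addOpens.
                for (Module other : layer.modules()) {
                    if (other != m && m.isOpen(pn, other)) {
                        findings.add(new Finding(m.getName(), pn, other.getName()));
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Audits the boot layer; pass a custom ModuleLayer to audit plugin layers.
        for (Finding f : audit(ModuleLayer.boot())) {
            System.out.printf("%s/%s is open to %s%n", f.module(), f.pkg(), f.openTo());
        }
    }
}
```

Entries reported as `ALL MODULES` or `ALL-UNNAMED` are the ones to review first, since a qualified `opens ... to` limits the grant to the named module.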
More information about the core-libs-dev mailing list