RFR: 8349145: Make Class.getProtectionDomain() non-native
Alan Bateman
alanb at openjdk.org
Sat Feb 1 12:05:52 UTC 2025
On Fri, 31 Jan 2025 17:22:37 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:
> I am thinking if anything new happens if we can reflect the field, `setAccessible(true)` it, and overwrite it. I guess the normal protection rules disallow the `setAccessible` part, but it does not hurt to think and confirm this is still enough and good.
The field won't be accessible by default so I think you are pondering the case where someone opens java.lang for deep reflection and hack on this field. At some point the ongoing work on integrity will get to "final means final" so code can't modify a final instance field (this restriction already exists for records and hidden classes). In the mean-time, no objection to extending the current reflection filter to hide this field although that filtering mechanism is a ah hoc and needs to go away in the long term.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/23396#issuecomment-2628925203
More information about the core-libs-dev
mailing list