AccessibleObject.setAccessible() backward compatibility
forax at univ-mlv.fr
forax at univ-mlv.fr
Sat Sep 12 08:34:24 UTC 2015
----- Mail original -----
> De: "David M. Lloyd" <david.lloyd at redhat.com>
> À: "Tim Boudreau" <niftiness at gmail.com>, "Remi Forax" <forax at univ-mlv.fr>
> Cc: jpms-spec-experts at openjdk.java.net
> Envoyé: Vendredi 11 Septembre 2015 22:42:56
> Objet: Re: AccessibleObject.setAccessible() backward compatibility
>
> On 09/11/2015 03:14 PM, Tim Boudreau wrote:
> > >> If the implementation of MethodHandle uses setAccessible() (I don't
> > >> know
> > >> its internals), then this Java 0day would qualify:
> > >
> > > It does not as far as I know.
> > > It's the opposite, if you want to bypass the security sandbox with a
> > > MethodHandle,
> > > you have to use reflection + setAccessible and then use
> > > Lookup.unreflect*().
> >
> >
> > Point taken.
> >
> > Regardless, if one of the problems we want to solve here is security
> > related, then having a security sandbox you really can't bypass, even
> > reflectively, is not a bad idea at all.
>
> In principle, sure. But to paraphrase Schneier, adding complexity is a
> sucky way to add security. :-)
>
> If this is a goal though then the only logical way for it to be done
> that I can see is by always using AccessController for reflection
> permission checks even if there is no security manager. It seems out of
> scope of this JSR to me though...
i agree.
>
> --
> - DML
>
Rémi
More information about the jpms-spec-observers
mailing list