[security-dev 00023]: Re: Loading an unverified class
Nuno Cruces
ncruces at gmail.com
Wed Nov 14 17:28:07 UTC 2007
On 10/30/07, Thomas Hawtin <tackline at tackline.plus.com> wrote:
>
> Not a direct answer, but there is one place in the JDK where this is
> done. Deserialisation requires calling the no-arg constructor of the
> most derived, non-Serializable class. Obviously you can't do this with
> the public reflection API or verifiable bytecode. So that would be a
> good place to start looking.
I missed your answer at first, sorry. I'll look into this, thanks!
Nuno Cruces
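
An added example (not part of the original messages, and not JDK code) of the behaviour described in the quoted reply: on deserialization the Serializable class's own constructor is skipped, while the no-arg constructor of its nearest non-Serializable superclass runs. The class names `Base` and `Account` are hypothetical, and the `readObject` re-check is an assumption about how a defender would restore the invariant that the skipped constructor normally enforces.

```java
import java.io.*;

public class DeserializationCtorDemo {
    // Records which constructors execute (illustration only).
    static final StringBuilder log = new StringBuilder();

    // Not Serializable: deserialization invokes this no-arg constructor.
    static class Base {
        Base() { log.append("Base() "); }
    }

    // Serializable: this constructor is NOT invoked on deserialization,
    // so its argument check does not protect deserialized instances.
    static class Account extends Base implements Serializable {
        private static final long serialVersionUID = 1L;
        int balance;

        Account(int balance) {
            if (balance < 0) throw new IllegalArgumentException("negative balance");
            this.balance = balance;
            log.append("Account(int) ");
        }

        // Re-validate here, because the stream contents are not trusted
        // and the constructor's check was bypassed.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (balance < 0) throw new InvalidObjectException("negative balance");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: serialize one valid instance in memory.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Account(10));
        }

        log.setLength(0); // forget the constructors run by "new Account(10)"
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            Account a = (Account) in.readObject();
            System.out.println("constructors run while deserializing: "
                    + log.toString().trim());
            System.out.println("balance = " + a.balance);
        }
    }
}
```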