commons-dev mailing list archives

From Ceki Gülcü <bloc...@qos.ch>
Subject Re: [logging] tech.xml - child-first classloading not considered harmful
Date Tue, 03 May 2005 17:16:45 GMT

Parent-last! Nice, simple and so much more accurate than child-first, the 
term everyone, including myself, uses but which is also unfortunately 
incorrect.

As for the lack of security of parent-last class loaders, since a class 
loader can load classes as it wants in the order it wants, it's hard to see 
how the delegation order matters in the case of a malicious class loader.


At 16:58 5/3/2005, Mike Colbert wrote:

>This sounds reasonable to me.  It would be nice to have something definitive,
>however.  I think it's an interesting topic and I've been following it on this
>list.  So far, all the security risks Simon has referenced (and questioned)
>don't seem to go much beyond hand-waving so I agree with him they are dubious.
>A test case demonstrating some of these alleged security risks would be
>helpful; I can't put my head around them without more detail and context.
>Could be that these risks only affect 1% of real-world apps under a specific
>scenario.  Even if it's 0.01% or entirely theoretical, a test case would be
>useful to even understand what the risk really is supposed to be.
>
>As an aside, isn't "child-first" really a misnomer and it's more like
>"parent-last"?  Assuming the parent is at the top of the hierarchy, child-first
>implies (to me), that the hierarchy is walked downwardly from the parent, not
>upwardly from the bottom.
>
>Mike Colbert

-- 
Ceki Gülcü

   The complete log4j manual: http://www.qos.ch/log4j/


