db-jdo-dev mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: Security issue with generated classes
Date Mon, 28 Jul 2008 20:18:49 GMT
Hi Andy,

On Jul 27, 2008, at 11:17 PM, Andy Jefferson wrote:

> Hi Craig,
>> I looked at the datanucleus implementation and found that I'm totally
>> not qualified to propose a patch. I found the code that needs to be
>> changed in org/datanucleus/enhancer/bcel/method/
>> JdoReplaceStateManager.java and org/datanucleus/enhancer/asm/method/
>> JdoReplaceStateManager.java but that's as far as I could get without
>> knowing asm, bcel, and byte-codes.
> The ASM-based enhancer is now updated to match the current spec.

I'll take a look and let you know what I find.

> The BCEL-based enhancer is not updated since strategic direction is using ASM
> (and the TCK uses ASM). There's a DataNucleus JIRA and a TODO for
> implementing using BCEL if anyone has the time/motivation.
> The original code for that method was written for JDO 1.0.0 and never changed
> since seemingly.

When I encountered this issue it sounded familiar. Apparently, we
figured out back in 1.0.1 days that calling the SecurityManager
directly from enhanced classes would be problematic. We were right. ;-)

> -- 
> Andy  (DataNucleus - http://www.datanucleus.org)

Craig L Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!