From: Andy Jefferson
To: jdo-dev@db.apache.org
Cc: JDO Expert Group
Subject: Re: Security issue with generated classes
Date: Mon, 28 Jul 2008 07:17:50 +0100

Hi Craig,

> I looked at the datanucleus implementation and found that I'm totally
> not qualified to propose a patch. I found the code that needs to be
> changed in org/datanucleus/enhancer/bcel/method/
> JdoReplaceStateManager.java and org/datanucleus/enhancer/asm/method/
> JdoReplaceStateManager.java but that's as far as I could get without
> knowing asm, bcel, and byte-codes.

The ASM-based enhancer is now updated to match the current spec. The BCEL-based enhancer is not updated since strategic direction is using ASM (and the TCK uses ASM). There's a DataNucleus JIRA and a TODO for implementing using BCEL if anyone has the time/motivation.

The original code for that method was written for JDO 1.0.0 and never changed since seemingly.

-- 
Andy (DataNucleus - http://www.datanucleus.org)