geronimo-xbean-dev mailing list archives

From Dain Sundstrom <d...@iq80.com>
Subject Re: xbean-finder: ClassFinder
Date Fri, 27 Oct 2006 20:30:35 GMT
When you load a class the vm may execute any static initializers in that class, and that can lead to Bad Things(tm).  Basically, you give a hacker an easy way to get arbitrary code loaded and executed.

One other issue is that it is wicked slow to load lots of classes as the vm must parse the entire class and perform byte code verification.  With asm you don't have to parse the entire class since you are just interested in annotations on class declarations.

-dain

On Oct 27, 2006, at 12:56 PM, Alan D. Cabrera wrote:

> Interesting.  Can you provide detail about your security comment  
> and how asm figures into this?
>
>
> Regards,
> Alan
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: David Blevins <david.blevins@visi.com>
> Date: Fri, 27 Oct 2006 12:13:39
> To: xbean-dev@geronimo.apache.org
> Subject: xbean-finder: ClassFinder
>
> So I added a finder for searching for classes that have a specific
> annotation, etc.  It's there, it works and is better than some of the
> code I've seen that does the same, but... I still hate it as like all
> the approaches I've seen it loads the classes and uses reflection to
> determine if the annotation is present.
>
> This is the most insecure code I can think of, so I'm yanking it in
> lieu of an asm-based approach.  So take this as your warning not to
> start consuming the ClassFinder just yet.
>
> -David
>
>
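The two approaches discussed in this thread, side by side, as an added example that is not code from the original message or from the xbean project. The reflection-based scan calls `Class.forName`, which loads, verifies and initializes the class, so the static initializer of every candidate runs inside the scanning process; the ASM-based scan reads the class file bytes through `ClassReader` with a `ClassVisitor` that only looks at class-level annotations, so nothing is defined in the VM and method bodies are skipped. The `Marker` annotation and the `Tagged`/`Untagged` sample classes are constructed for this demo; the ASM API calls (`ClassReader`, `ClassVisitor`, `Opcodes.ASM9`, `SKIP_CODE`) are the real ones.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;

import org.objectweb.asm.AnnotationVisitor;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.Opcodes;

public class AnnotationScanDemo {

    /** Hypothetical marker annotation; stands in for whatever the finder searches for. */
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Marker {}

    /** Constructed sample class: annotated, with a static initializer that announces itself. */
    @Marker
    public static class Tagged {
        static { System.out.println("  [static initializer of Tagged ran]"); }
    }

    /** Constructed sample class without the annotation, also with a static initializer. */
    public static class Untagged {
        static { System.out.println("  [static initializer of Untagged ran]"); }
    }

    /** The approach the thread objects to: the class is loaded AND initialized before we can ask. */
    static boolean hasMarkerByReflection(String className) throws ClassNotFoundException {
        Class<?> c = Class.forName(className); // initialize=true: the static block executes here
        return c.isAnnotationPresent(Marker.class);
    }

    /** ASM-based check: inspects the class file bytes, never defines the class in the VM. */
    static boolean hasMarkerByAsm(ClassLoader loader, String className) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        // Annotations appear in the class file as type descriptors, e.g. "Lcom/example/Marker;".
        String wanted = "L" + Marker.class.getName().replace('.', '/') + ";";
        final boolean[] found = {false};
        try (InputStream in = loader.getResourceAsStream(resource)) {
            if (in == null) throw new IOException("class file not found: " + resource);
            ClassReader reader = new ClassReader(in);
            reader.accept(new ClassVisitor(Opcodes.ASM9) {
                @Override
                public AnnotationVisitor visitAnnotation(String descriptor, boolean visible) {
                    // Only class-level annotations reach this callback; method and field
                    // annotations go to their own visitors, which we never create.
                    if (visible && descriptor.equals(wanted)) found[0] = true;
                    return null; // annotation values are not needed for a presence check
                }
            }, ClassReader.SKIP_CODE | ClassReader.SKIP_DEBUG | ClassReader.SKIP_FRAMES);
        }
        return found[0];
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = AnnotationScanDemo.class.getClassLoader();
        // Use binary names as strings so that nothing here touches the classes before scanning.
        String prefix = AnnotationScanDemo.class.getName();
        String[] names = { prefix + "$Tagged", prefix + "$Untagged" };

        System.out.println("ASM scan (no class loading, no static initializers run):");
        for (String n : names) System.out.println("  " + n + " -> " + hasMarkerByAsm(loader, n));

        System.out.println("Reflection scan (loads and initializes each candidate):");
        for (String n : names) System.out.println("  " + n + " -> " + hasMarkerByReflection(n));
    }
}
```

Compile and run with the ASM jar on the classpath from the directory holding the compiled classes. The ASM section reports `true` for `Tagged` and `false` for `Untagged` without either static initializer printing; the reflection section reports the same answers, but both `[static initializer ... ran]` lines appear first, which is exactly the code execution a scanner over untrusted jars must avoid. The `SKIP_CODE` flag is also what makes the ASM pass cheap: method bodies are never parsed, and no verification happens because no class is defined.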

