harmony-commits mailing list archives

From "Vasily Zakharov (JIRA)" <j...@apache.org>
Subject [jira] Created: (HARMONY-5179) [drlvm][security] Accessing members of non-public class is allowed
Date Sat, 24 Nov 2007 01:34:43 GMT
[drlvm][security] Accessing members of non-public class is allowed
------------------------------------------------------------------

                 Key: HARMONY-5179
                 URL: https://issues.apache.org/jira/browse/HARMONY-5179
             Project: Harmony
          Issue Type: Bug
          Components: DRLVM
            Reporter: Vasily Zakharov


If a class tries to access a public member of a non-public class loaded by a different class
loader, DRLVM allows it, while RI and IBM VME throw IllegalAccessException.
This may be a security hole.

Here's the code to reproduce the bug:

import java.net.*;
public class Test {
    public static void main(String[] args) {
        try {
            ClassLoader loader = new URLClassLoader(new URL[] { new URL("file:run.jar") });
            loader.loadClass("Run").getMethod("run").invoke(null);
            System.out.println("FAIL");
        } catch (IllegalAccessException e) {
            e.printStackTrace(System.out);
            System.out.println("SUCCESS");
        } catch (Exception e) {
            e.printStackTrace(System.out);
            System.out.println("FAIL");
        }
    }
}

class Run {
    public static void run() {
        System.out.println("Run.run()");
    }
}

Put both classes into a file named Test.java, and run:

$ javac Test.java
$ jar cvf run.jar Run.class
$ rm Run.class
$ java Test

Don't forget to remove Run.class, or the test would fail on any VM!

Output on RI:

java.lang.IllegalAccessException: Class Test can not access a member of class Run with modifiers "public static"
        at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:65)
        at java.lang.reflect.Method.invoke(Method.java:578)
        at Test.main(Test.java:6)
SUCCESS

Output on IBM VME:

java.lang.IllegalAccessException
        at java.lang.reflect.Method.invoke(Method.java:244)
        at Test.main(Test.java:6)
SUCCESS

Output on DRLVM:

Run.run()
FAIL


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
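
Added example, not part of the original report and not Harmony or RI code: a simplified Java model of the access rule the report expects a VM to enforce, where two classes share a run-time package only if both the package name and the defining class loader match. The names AccessCheck, canAccess and sameRuntimePackage are hypothetical, and the nested-class and protected-receiver rules are left out.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.net.URL;
import java.net.URLClassLoader;

public class AccessCheck {
    static String packageName(Class<?> c) {
        int dot = c.getName().lastIndexOf('.');
        return dot < 0 ? "" : c.getName().substring(0, dot);
    }

    // Same run-time package = same package name AND same defining class loader.
    static boolean sameRuntimePackage(Class<?> a, Class<?> b) {
        return a.getClassLoader() == b.getClassLoader()
                && packageName(a).equals(packageName(b));
    }

    // Simplified model of the check made before a reflective call
    // (nested-class and protected-receiver rules are left out).
    static boolean canAccess(Class<?> caller, Member member) {
        Class<?> owner = member.getDeclaringClass();
        if (caller == owner) return true;
        boolean samePkg = sameRuntimePackage(caller, owner);
        // The declaring class must itself be accessible, even for a public member.
        if (!Modifier.isPublic(owner.getModifiers()) && !samePkg) return false;
        int mods = member.getModifiers();
        if (Modifier.isPublic(mods)) return true;
        if (Modifier.isPrivate(mods)) return false;
        if (Modifier.isProtected(mods) && owner.isAssignableFrom(caller)) return true;
        return samePkg; // package-private, or protected used from the same package
    }

    public static void main(String[] args) throws Exception {
        // Assumption: compiled with javac and run from a class directory or jar.
        URL here = AccessCheck.class.getProtectionDomain().getCodeSource().getLocation();
        // Parent is null, so this loader defines its own copy of Run.
        try (URLClassLoader isolated = new URLClassLoader(new URL[] { here }, null)) {
            Method local = Run.class.getMethod("run");
            Method foreign = isolated.loadClass("Run").getMethod("run");
            System.out.println("same loader:      " + canAccess(AccessCheck.class, local));
            System.out.println("different loader: " + canAccess(AccessCheck.class, foreign));
        }
    }
}

class Run { // non-public class with a public member, as in the report
    public static void run() { }
}
```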

