river-dev mailing list archives

From "Michał Kłeczek (XPro Sp. z o. o.)" <michal.klec...@xpro.biz>
Subject Re: AbstractILFactory bug?
Date Mon, 06 Feb 2017 09:42:04 GMT
I understand the check is needed.

It is that we are not checking the right package, but "java.lang".

Thanks,
Michal

Peter wrote:
> Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance permission check is caller
> sensitive.  In this case AbstractILFactory is the caller, so not checking it would allow an
> attacker to bypass the check using AbstractILFactory.
>
> Cheers,
>
> Peter.
>
> Sent from my Samsung device.
>   
> ---- Original message ----
> From: "Michał Kłeczek (XPro Sp. z o. o.)"<michalkleczek@xpro.biz>
> Sent: 06/02/2017 05:06:32 pm
> To: dev@river.apache.org
> Subject: AbstractILFactory bug?
>
> I have just found this piece of code in AbstractILFactory:
>
> Class[] interfaces = getProxyInterfaces(impl);
> ...
> for (int i = 0; i < interfaces.length; i++) {
>     Util.checkPackageAccess(interfaces[i].getClass());
> }
>
> So we check "java.lang" package access.
>
> A bug?
>
> Thanks,
> Michal
>
>
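The effect of the `getClass()` call in the snippet above, shown as an added demonstration that is not River code: `checkPackageAccess` here is a hypothetical stand-in for `Util.checkPackageAccess(Class)` that rejects a constructed restricted package instead of consulting a SecurityManager, and `java.rmi.Remote` / `javax.sql.DataSource` are just JDK interfaces chosen for the demo.

```java
import java.util.Arrays;
import java.util.List;

public class PackageCheckDemo {

    // Constructed restriction for the demo: pretend the policy forbids
    // access to this package (like a package.access entry would).
    static final List<String> RESTRICTED = Arrays.asList("javax.sql");

    // Hypothetical stand-in for River's Util.checkPackageAccess(Class):
    // derive the package prefix from the class name and reject it when
    // restricted, as SecurityManager.checkPackageAccess(pkg) would.
    static void checkPackageAccess(Class<?> cl) {
        String name = cl.getName();
        int dot = name.lastIndexOf('.');
        String pkg = dot == -1 ? "" : name.substring(0, dot);
        for (String r : RESTRICTED) {
            if (pkg.equals(r) || pkg.startsWith(r + ".")) {
                throw new SecurityException("access denied to package " + pkg);
            }
        }
    }

    // Form quoted in the thread: interfaces[i] is already a Class object,
    // so interfaces[i].getClass() is java.lang.Class and every iteration
    // checks the package "java.lang", whatever the interface really is.
    static void checkBuggy(Class<?>[] interfaces) {
        for (int i = 0; i < interfaces.length; i++) {
            checkPackageAccess(interfaces[i].getClass());
        }
    }

    // Corrected form: check the package of the proxy interface itself.
    static void checkFixed(Class<?>[] interfaces) {
        for (int i = 0; i < interfaces.length; i++) {
            checkPackageAccess(interfaces[i]);
        }
    }

    // Runs a check and reports whether it passed rather than throwing.
    static boolean passes(Runnable check) {
        try { check.run(); return true; } catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        // Constructed proxy interface list; the second one is "restricted".
        Class<?>[] interfaces = { java.rmi.Remote.class, javax.sql.DataSource.class };
        System.out.println("buggy check passes: " + passes(() -> checkBuggy(interfaces)));
        System.out.println("fixed check passes: " + passes(() -> checkFixed(interfaces)));
    }
}
```

With the quoted form the restricted interface is never seen by the check, which is the bypass the thread is pointing at; the corrected form rejects it.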

