This is the mail archive of the
java@gcc.gnu.org
mailing list for the Java project.
Re: null ClassLoader
Tom Tromey <tromey@redhat.com> writes:
> Adam> For example, such classes can effectively gain read access to
> Adam> private fields on arbitrary objects -- see
> Adam> java.io.ObjectOutputStream.enableReplaceObject()
> I looked at this. I think that code is incorrect. The spec says we
> need to ask the SecurityManager instead. I'll come up with a patch.
Oh wow, the definition of "trusted" changed from jdk1.1 -> jdk1.2 -- I
work from the 1.1 docs since my code has to run in the
NetscapeVM/MSJVM.
I was actually referring to the definition of "trusted" in the 1.1
docs, but it appears that Sun has (wisely) ditched the "if your
classloader is null you are omnipotent" approach.
So this may all be moot now.
- a