This is the mail archive of the java@gcc.gnu.org mailing list for the Java project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: null ClassLoader

From: Adam Megacz <gcj at lists dot megacz dot com>
To: java at gcc dot gnu dot org
Date: 22 Dec 2001 00:00:20 -0800
Subject: Re: null ClassLoader
Organization: Myself
References: <Pine.LNX.4.10.10111280033000.9325-100000@mars.deadcafe.org> <87zo4epw15.fsf@creche.redhat.com> <86vgf2pq5h.fsf@megacz.com> <877krgldk5.fsf@creche.redhat.com>

Tom Tromey <tromey@redhat.com> writes:
> Adam> For example, such classes can effectively gain read access to
> Adam> private fields on arbitrary objects -- see
> Adam> java.io.ObjectOutputStream.enableReplaceObject()

> I looked at this.  I think that code is incorrect.  The spec says we
> need to ask the SecurityManager instead.  I'll come up with a patch.

Oh wow, the definition of "trusted" changed from jdk1.1 -> jdk1.2 -- I
work from the 1.1 docs since my code has to run in the
NetscapeVM/MSJVM.

I was actually referring to the definition of "trusted" in the 1.1
docs, but it appears that Sun has (wisely) ditched the "if your
classloader is null you are omnipotent" approach.

So this may all be moot now.

  - a

References:
- Re: null ClassLoader
  - From: Tom Tromey
- Re: null ClassLoader
  - From: Adam Megacz
- Re: null ClassLoader
  - From: Tom Tromey

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]