OK, worked out why: java.lang.reflect.Proxy's newProxyInstance permission check
is caller sensitive.  In this case AbstractILFactory is the caller, so not
checking it would allow an attacker to bypass the check using
AbstractILFactory.

Cheers,

Peter.

---- Original message ----
From: "Michał Kłeczek (XPro Sp. z o. o.)" <michalklec...@xpro.biz>
Sent: 06/02/2017 05:06:32 pm
To: dev@river.apache.org
Subject: AbstractILFactory bug?

I have just found this piece of code in AbstractILFactory: 

Class[] interfaces = getProxyInterfaces(impl); 
... 
for (int i = 0; i < interfaces.length; i++) { 
     Util.checkPackageAccess(interfaces[i].getClass()); 
} 

So we check "java.lang" package access. 

A bug? 

Thanks, 
Michal 
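The following is an added illustration of the point raised in this thread, not code from Apache River or from either poster. Its checkPackageAccess(Class) is a hypothetical stand-in for River's Util.checkPackageAccess that merely records the package name it would check (delegating to a SecurityManager only if one is installed). It contrasts the loop as posted, where interfaces[i].getClass() is always java.lang.Class and so every iteration checks the "java.lang" package, with passing the interface Class itself, which checks the package the interface actually lives in. The sample interface array is constructed for the demo; Class.getPackageName() requires Java 9 or later.

```java
import java.rmi.Remote;
import java.util.ArrayList;
import java.util.List;

public class ProxyInterfaceCheckDemo {

    // Hypothetical stand-in for River's Util.checkPackageAccess(Class).
    // Returns the package name it would check; if a SecurityManager is
    // installed it also performs the real check, which throws
    // SecurityException when access to that package is denied.
    static String checkPackageAccess(Class<?> c) {
        String pkg = c.getPackageName(); // Java 9+; "java.lang" for primitives
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPackageAccess(pkg);
        }
        return pkg;
    }

    // The loop as posted in AbstractILFactory: interfaces[i] is already a
    // Class object, so interfaces[i].getClass() is java.lang.Class for every
    // element and the check is always made against "java.lang".
    static List<String> checkedPackagesAsPosted(Class<?>[] interfaces) {
        List<String> checked = new ArrayList<>();
        for (int i = 0; i < interfaces.length; i++) {
            checked.add(checkPackageAccess(interfaces[i].getClass()));
        }
        return checked;
    }

    // Passing the interface Class itself checks the package each proxy
    // interface actually belongs to, which is what the factory has to do
    // because Proxy.newProxyInstance's own check looks at its direct caller
    // (the factory), not at whoever asked the factory for a proxy.
    static List<String> checkedPackagesOnInterface(Class<?>[] interfaces) {
        List<String> checked = new ArrayList<>();
        for (int i = 0; i < interfaces.length; i++) {
            checked.add(checkPackageAccess(interfaces[i]));
        }
        return checked;
    }

    public static void main(String[] args) {
        // Constructed sample: two proxy interfaces from different packages.
        Class<?>[] interfaces = { Runnable.class, Remote.class };
        System.out.println("as posted:    " + checkedPackagesAsPosted(interfaces));
        System.out.println("on interface: " + checkedPackagesOnInterface(interfaces));
    }
}
```

Run with no security manager and the first line lists java.lang twice, while the second lists java.lang and java.rmi, showing that the posted loop never checks the package of a non-java.lang interface such as java.rmi.Remote.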
