I'm talking about this:
Util.checkPackageAccess(interfaces[i].getClass()); // NOTE the getClass() here!!!
It should be:
Util.checkPackageAccess(interfaces[i]);
Michal
Michał Kłeczek (XPro Sp. z o. o.) wrote:
I understand the check is needed.
It is that we are not checking the right package, but "java.lang".
Thanks,
Michal
Peter wrote:
Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance
permission check is caller sensitive. In this case
AbstractILFactory is the caller, so not checking it would allow an
attacker to bypass the check using AbstractILFactory.
Cheers,
Peter.
Sent from my Samsung device.
---- Original message ----
From: "Michał Kłeczek (XPro Sp. z o. o.)"<michalklec...@xpro.biz>
Sent: 06/02/2017 05:06:32 pm
To: dev@river.apache.org
Subject: AbstractILFactory bug?
I have just found this piece of code in AbstractILFactory:
Class[] interfaces = getProxyInterfaces(impl);
...
for (int i = 0; i < interfaces.length; i++) {
    Util.checkPackageAccess(interfaces[i].getClass());
}
So we check "java.lang" package access.
A bug?
Thanks,
Michal
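The following is an added example, not code from River or from either poster, showing why the loop above checks "java.lang": calling getClass() on a Class object always yields java.lang.Class, so the interface's own package is never examined. The checkPackageAccess stand-in and the "java.sql" deny entry are constructed for the demonstration and are not Util.checkPackageAccess.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class PackageCheckDemo {
    // Constructed stand-in for Util.checkPackageAccess: it records which
    // package it was asked about and refuses the packages listed in RESTRICTED.
    // "java.sql" is only a sample deny entry for this demonstration.
    static final Set<String> RESTRICTED = Set.of("java.sql");
    static final List<String> checkedPackages = new ArrayList<>();

    static void checkPackageAccess(Class<?> c) {
        String pkg = c.getPackageName();
        checkedPackages.add(pkg);
        if (RESTRICTED.contains(pkg)) {
            throw new SecurityException("access to package " + pkg + " denied");
        }
    }

    // Loop as written in AbstractILFactory: interfaces[i] is already a Class,
    // so interfaces[i].getClass() is java.lang.Class on every iteration.
    static void buggyCheck(Class<?>[] interfaces) {
        for (int i = 0; i < interfaces.length; i++) {
            checkPackageAccess(interfaces[i].getClass());
        }
    }

    // Corrected loop: pass the interface itself, so its own package is checked.
    static void fixedCheck(Class<?>[] interfaces) {
        for (Class<?> iface : interfaces) {
            checkPackageAccess(iface);
        }
    }

    public static void main(String[] args) {
        // Constructed proxy interface list: one from a restricted package, one not.
        Class<?>[] interfaces = { java.sql.Connection.class, Runnable.class };

        checkedPackages.clear();
        buggyCheck(interfaces); // never throws: only "java.lang" is ever checked
        System.out.println("buggy loop checked: " + checkedPackages);

        checkedPackages.clear();
        try {
            fixedCheck(interfaces); // throws on java.sql.Connection
        } catch (SecurityException e) {
            System.out.println("fixed loop: " + e.getMessage());
        }
        System.out.println("fixed loop checked: " + checkedPackages);
    }
}
```

Requires Java 9 or later for Class.getPackageName() and Set.of().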