Dalibor Topic wrote:
> First part of the problem was the JavaScript bridge, which allowed
> access to sun.* code, and the second part was sun.misc.Unsafe, which
> allows kicking the legs under the Java security mechanism in
> three lines of pure Java code, once you get access to it.

I respectfully disagree. The fact that the access controls around sun.misc.Unsafe failed was the problem, not the functionality it provides. You can clear the security manager with reflection too, but we rely on the access controls in reflection to protect us against that. If they fail, do you want to remove reflection as well?

> I am not aware of any other potentially useful code that uses
> sun.misc.Unsafe, but I'd appreciate pointers.

I've seen code that had their own implementation of Object[In|Out]putStream, you cannot do that in pure Java (which is lame), but they managed to do it by using sun.reflect.* classes I believe.

Regards,
Jeroen