uschindler commented on code in PR #15864:
URL: https://github.com/apache/lucene/pull/15864#discussion_r2976281649
##########
lucene/core/src/java/org/apache/lucene/internal/tests/TestSecrets.java:
##########
@@ -136,7 +150,21 @@ private static void ensureNull(Object ob) {
}
}
- private static void ensureCaller() {
+ private static void ensureCallerForSetter(Class<?> allowedCaller) {
+ final boolean validCaller =
+ StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE)
Review Comment:
Please chanage it to compare class name. It is indeed possible to fake it
with a different classloader, but we have similar checks at other places (like
access to VectorizationProvider) and it works similarily (with names only).
RETAIN_CLASS_REFERENCE requires higher privileges, and therefor it should
not be in code. In 10.x branch it may hit a test or AccessController problem as
we restrict everything there using SecurityManager.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
