[
https://issues.apache.org/jira/browse/GROOVY-7735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pascal Schumacher resolved GROOVY-7735.
---------------------------------------
Resolution: Fixed
Assignee: Pascal Schumacher
Fix Version/s: 2.4.6
Pull request merged. Thanks!
> Closures should be generated as public classes
> ----------------------------------------------
>
> Key: GROOVY-7735
> URL: https://issues.apache.org/jira/browse/GROOVY-7735
> Project: Groovy
> Issue Type: Improvement
> Components: groovy-jdk, GroovyScriptEngine
> Affects Versions: 2.4.5
> Reporter: Chris Earle
> Assignee: Pascal Schumacher
> Fix For: 2.4.6
>
>
> Closures are currently created as a package-private class thanks to a single
> [constant zero that gets passed
> in|https://github.com/apache/groovy/blob/GROOVY_2_4_5/src/main/org/codehaus/groovy/classgen/asm/ClosureWriter.java#L81],
> which then get accessed by the
> {{org.codehaus.groovy.reflection.CachedMethod}} class.
> When running Groovy within a Security Manager, this requires an _extreme_
> permission to be enabled: {{suppressAccessCheck}}. This permission enables
> reflection-based code to access methods that they have no "right" to access.
> The associated PR changes the constant zero to {{ACC_PUBLIC}}, which means
> that the class becomes {{public}} rather than package-private. By making this
> change, no special security manager permissions need to be applied, thus
> making Groovy less of a risk. For what it's worth, the value of {{0}} seems
> more arbitrary than intentional and {{public}} seems to be the more
> appropriate access level for a {{Closure}}.
> PR: https://github.com/apache/groovy/pull/248
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
