Re: java.util.ResourceBundle bug?
Hi,
On Sat, Nov 03, 2001 at 06:42:26PM +1300, Bryce McKinlay wrote:
Tom Tromey wrote:
Perhaps for certain methods this is necessary for VM security. In
this particular case I doubt it matters. Is there an exploit
available if you can find all the classes on the stack?
I think you can override SecurityManager and call it without any
restrictions anyway.
Yes you can, IF you have permission to actually create a SecurityManager.
(Note that our current implementation of the SecurityManger constructor
follows the old 1.1 semantics.) But this also seems to solve your problem.
Just create a package local subclass of SecurityManager in java.util
that can (only) be used by classes in java.util. Something like:
package java.util;
import java.security.*;
/** Package private SecurityManager for use by java.util code. */
class UtilManager extends SecurityManager
{
private static final UtilManger instance = newInstance();
private UtilManager() { }
private static UtilManager newInstance()
{
// Save because it can only be called through java.util code.
// Will always work since java.util classes have (all) system permissions.
UtilManager manager = (UtilManager) AccessController.doPrivileged
(
new PrivilegedAction()
{
public Object run()
{
return new UtilManager();
}
}
);
return manager;
}
/**
* Should precisely define what is element 0 till n.
* Note package access.
*/
static Class[] utilClassContext()
{
return instance.getClassContext();
}
}
Note that the above code is not tested (I did not even try to compile it).
Cheers,
Mark
--
Stuff to read:
http://www.toad.com/gnu/whatswrong.html
What's Wrong with Copy Protection, by John Gilmore
___
Classpath mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/classpath
gcj class lib
Out of curiosity, would it be possible to get gcj to use a class library specified at runtime? Tried setting my CLASSPATH with 2.96 (sorry so old) and it didn't like it. Is there a strategy for upgrading the class library in use without upgrading the compiler (gcj)? [cbj@lyta test]$ export CLASSPATH=/usr/local/classpath/share/classpath:/home/cbj/work/classpath/test:. [cbj@lyta test]$ gcj --main=FloatTest -o FloatTest FloatTest.java FloatTest.java:50: Internal compiler error in make_class_data, at ../gcc/java/class.c:1426 Please submit a full bug report. See URL:http://bugzilla.redhat.com/bugzilla/ for instructions. -- Brian Jones [EMAIL PROTECTED] ___ Classpath mailing list [EMAIL PROTECTED] http://mail.gnu.org/mailman/listinfo/classpath
Re: java.util.ResourceBundle bug?
Hi,
On Fri, Nov 02, 2001 at 09:30:09PM -0700, Eric Blake wrote:
The problem is that VMSecurityManager is in
java.lang and package-private, but I don't think it should be, since
there are classes in other packages which need access to this
functionality.
I think we should move it to gnu.java.lang and make it public. Same goes
for java.lang.VMClassLoader. Does anyone disagree?
I agree that java.lang.VMClassLoader should be moved somewhere and made
public, since java.lang.reflect.Proxy currently has a nasty hack of
using reflection to call VMClassLoader.defineClass.
I disagree since we should not let normal classes give direct access to
the VM interface classes.
I looked at the code and I do not understand why you want to call the
VMClassLoader.defineClass() method. It seems to me that you want to call
the defineClass() method of the supplied loader. I do admit that this is
not possible with the same trick as we could use in java.util with the
SecurityManager. But since java.util.reflect.Proxy is system code it has
enough permissions to get at the defineClass() Method and invoke it on
the supplied loader. Wouldn't something like the following work:
Class clazz = (Class) AccessController.doPrivileged
(
new PrivilegedAction()
{
Class[] types = {ClassLoader.class, String.class,
byte[].class, int.class, int.class,
/* ProtectionDomain.class */ };
Method m = loader.getDeclaredMethod(defineClass, types);
Object[] args = {loader, qualName, bytecode, new Integer(0),
new Integer(bytecode.length),
/* Object.class.getProtectionDomain() */ };
return m.invoke(loader, args);
};
}
Again not actually tested or compiled. (Mostly just copy/paste from the
current Proxy.java code.)
Cheers,
Mark
--
Stuff to read:
http://www.toad.com/gnu/whatswrong.html
What's Wrong with Copy Protection, by John Gilmore
___
Classpath mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/classpath
Re: java.util.ResourceBundle bug?
Hi,
On Sat, Nov 03, 2001 at 04:28:14PM +0100, Mark Wielaard wrote:
Class clazz = (Class) AccessController.doPrivileged
(
new PrivilegedAction()
{
Class[] types = {ClassLoader.class, String.class,
byte[].class, int.class, int.class,
/* ProtectionDomain.class */ };
Method m = loader.getDeclaredMethod(defineClass, types);
That should actually read:
Method m = loader.getClass().getDeclaredMethod(defineClass, types);
Object[] args = {loader, qualName, bytecode, new Integer(0),
new Integer(bytecode.length),
/* Object.class.getProtectionDomain() */ };
return m.invoke(loader, args);
};
}
Again not actually tested or compiled. (Mostly just copy/paste from the
current Proxy.java code.)
Cheers,
Mark
--
Stuff to read:
http://www.toad.com/gnu/whatswrong.html
What's Wrong with Copy Protection, by John Gilmore
___
Classpath mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/classpath
Re: java.util.ResourceBundle bug?
Mark Wielaard wrote:
I disagree since we should not let normal classes give direct access to
the VM interface classes.
I looked at the code and I do not understand why you want to call the
VMClassLoader.defineClass() method. It seems to me that you want to call
the defineClass() method of the supplied loader.
The problem here is that the supplied ClassLoader parameter may be null,
if you intend for the proxy class to be created by the bootstrap
loader. For example, in javac you can create a proxy Runnable with null
as its ClassLoader:
Proxy.newProxyInstance(null, new Class[]{Runnable.class}, myHandler);
In order to create this class without a NullPointerException, you must
defer to the secure VM entry point.
I do admit that this is
not possible with the same trick as we could use in java.util with the
SecurityManager. But since java.util.reflect.Proxy is system code it has
enough permissions to get at the defineClass() Method and invoke it on
the supplied loader. Wouldn't something like the following work:
Class clazz = (Class) AccessController.doPrivileged
(
new PrivilegedAction()
{
Class[] types = {ClassLoader.class, String.class,
byte[].class, int.class, int.class,
/* ProtectionDomain.class */ };
Method m = loader.getDeclaredMethod(defineClass, types);
Object[] args = {loader, qualName, bytecode, new Integer(0),
new Integer(bytecode.length),
/* Object.class.getProtectionDomain() */ };
return m.invoke(loader, args);
};
}
Again not actually tested or compiled. (Mostly just copy/paste from the
current Proxy.java code.)
Cheers,
Mark
--
This signature intentionally left boring.
Eric Blake [EMAIL PROTECTED]
BYU student, free software programmer
___
Classpath mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/classpath
Re: java.util.ResourceBundle bug?
Hi,
On Sat, Nov 03, 2001 at 08:39:49AM -0700, Eric Blake wrote:
The problem here is that the supplied ClassLoader parameter may be null,
if you intend for the proxy class to be created by the bootstrap
loader.
I see. Then you could try to do a ClassLoader.getSystemClassLoader().
The spec says that this method may return null, but we could make it so
that the Classpath version always returns a non-null value.
(I have some code that makes the systemClassLoader an instance of
URLClassLoader, but I never had the time to actually finish, test, commit
that code.)
For example, in javac you can create a proxy Runnable with null
as its ClassLoader:
Proxy.newProxyInstance(null, new Class[]{Runnable.class}, myHandler);
In order to create this class without a NullPointerException, you must
defer to the secure VM entry point.
But does VMClassLoader have to be public for that?
(If letting getSystemClassLoader() always return a non-null ClassLoader is
somehow not an option)
Since java.lang.reflect.Proxy is system class is should always have enough
permissions to get at the package private static method of
java.lang.VMClassLoader (through AccessController.doPrivileged).
You could even cache the returned Method somewhere. Creating Proxy classes
already involves a lot of reflection so getting this particular method
also through reflection is not such a big deal (IMHO).
Cheers,
Mark
--
Stuff to read:
http://www.toad.com/gnu/whatswrong.html
What's Wrong with Copy Protection, by John Gilmore
___
Classpath mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/classpath
Re: gcj class lib
Brian Jones wrote: Out of curiosity, would it be possible to get gcj to use a class library specified at runtime? Tried setting my CLASSPATH with 2.96 (sorry so old) and it didn't like it. Is there a strategy for upgrading the class library in use without upgrading the compiler (gcj)? Unfortunatly GCJ has some built-in assumptions about the layout of Object and Class, so it can't really be used with non-libgcj versions of these classes at this time. Newwer releases do have a better error message, though. It would be nice to fix it so that it worked for other libraries, at least when doing compilation to bytecode. regards Bryce. ___ Classpath mailing list [EMAIL PROTECTED] http://mail.gnu.org/mailman/listinfo/classpath
