I tried to do some experiments from my side to check if this issue could be
hit, but I could not successfully do anything. As per the discussion in this
thread, I will close the bug as 'not an issue'. Thanks all for the inputs.
-Sharath Ballal
-Original Message-
From: Dmitry
+1
PS.
* The SA module does not export any package - as of now, jhsdb is the
only way to use SA. So, most findbugs findings are noise, i.e., user
code or any code outside the SA module cannot access SA programmatically.
The only way is to use command line switches of the Java launcher - if untrusted
code
Sharath,
I don't see any requirements that ObjectReader should run with an
application that installs a security manager but doesn't have
RuntimePermission.createClassLoader.
So I would recommend to close this bug as "not an issue".
-Dmitry
On 2016-09-15 06:38, Harsha wardhana B wrote:
> Hello,
>
Hello,
It is not required that SA be run under a security manager to
address this change. Any standalone application, when run under a security
manager, can use the ObjectReader class to exploit vulnerabilities. That is
something that should be evaluated.
With the below fix any application
David,
> That aside, the code uses raw types, which is bad. It should also be able to
> retain the this(...) invocation, e.g. (I haven't compiled this):
This works, thanks.
-Sharath Ballal
-Original Message-
From: David Holmes
Sent: Wednesday, September 14, 2016 3:07 PM
To: Sharath
Sundar,
> Does SA run under a security manager at all? E.g., can the jhsdb tool run under
> a security manager? I doubt it.
I am checking on this.
-Sharath Ballal
From: Sundararajan Athijegannathan
Sent: Wednesday, September 14, 2016 1:54 PM
To: Sharath Ballal;
Hi Sharath,
On 14/09/2016 6:14 PM, Sharath Ballal wrote:
Hello,
Please review this fix to add creation of classloader code into
doPrivileged block
Issue: https://bugs.openjdk.java.net/browse/JDK-8068155
Webrev: http://cr.openjdk.java.net/~sballal/8068155/webrev.00/
First I'm also curious
Does SA run under a security manager at all? E.g., can the jhsdb tool run
under a security manager? I doubt it.
Do we want to make it runnable under a security manager? If not, does this
fix make sense?
-Sundar
On 9/14/2016 1:44 PM, Sharath Ballal wrote:
>
> Hello,
>
> Please review this fix to add
Hello,
Please review this fix to add creation of classloader code into doPrivileged
block
Issue: https://bugs.openjdk.java.net/browse/JDK-8068155
Webrev: http://cr.openjdk.java.net/~sballal/8068155/webrev.00/
-Sharath Ballal