null ClassLoader
Tom Tromey
tromey@redhat.com
Fri Dec 21 08:46:00 GMT 2001
>>>>> "Adam" == Adam Megacz <gcj@lists.megacz.com> writes:
Adam> AFAIK it's the (sketchy) cornerstone of a lot of java security
Adam> mechanisms. All classes such that getClassLoader() == null are
Adam> trusted as "privileged", and can do Really Evil Things.
Adam> For example, such classes can effectively gain read access to
Adam> private fields on arbitrary objects -- see
Adam> java.io.ObjectOutputStream.enableReplaceObject()
I looked at this. I think that code is incorrect. The spec says we
need to ask the SecurityManager instead. I'll come up with a patch.
Tom> Equivalently, we could change Class.getClassLoader so it only
Tom> returns `null' for primitive classes.
Adam> That would probably do it.
I have a patch for this. I'll check it in at some point.
Tom
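An added illustration, not the Classpath or libgcj source (class and helper names are assumed), contrasting the loader-based trust test Adam describes with the SecurityManager check that the ObjectOutputStream spec requires for enableReplaceObject:

```java
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.SerializablePermission;

/*
 * Hypothetical illustration of the two gating strategies discussed in the
 * thread. ReplaceObjectGate and its helpers are invented names; the
 * ObjectOutputStream, SecurityManager and SerializablePermission APIs are real.
 */
public class ReplaceObjectGate extends ObjectOutputStream {

    public ReplaceObjectGate(OutputStream out) throws IOException {
        super(out);
    }

    // The "sketchy" test: trust any caller whose class has no class loader,
    // i.e. came from the bootstrap loader. Trust is tied to a loader
    // implementation detail rather than to the installed security policy.
    static boolean allowedByNullLoader(Class<?> caller) {
        return caller.getClassLoader() == null;
    }

    // The spec-mandated test: ask the installed SecurityManager for
    // SerializablePermission("enableSubstitution"). With no manager
    // installed, substitution is allowed.
    static boolean allowedBySecurityManager() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true;
        }
        try {
            sm.checkPermission(new SerializablePermission("enableSubstitution"));
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    // The JDK's enableReplaceObject(true) performs the SecurityManager check
    // itself before enabling replacement, so a subclass adds no loader test.
    // Returns the previous setting, or throws SecurityException if denied.
    public boolean turnOnSubstitution() {
        return enableReplaceObject(true);
    }
}
```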