Tom Tromey wrote:
> Jeroen> Another interesting trick with the finalizer is creating
> Jeroen> instances of classes that have a private constructor! The
> Jeroen> attached runtime.j creates an instance of (a subclass of)
> Jeroen> java.lang.Runtime.
>
> Interesting test case.
>
> With gij this prints `null', but that's probably because the GC and
> finalization don't actually occur.
>
> Jeroen> It could be considered a bug in Sun's verifier that it allows
> Jeroen> a class without a constructor, what do the other VMs do with
> Jeroen> this code?
>
> Both Sun 1.4 and IBM 1.3 print a non-null `runtime' object.
>
> Have you read this?
>
> http://www.lsd-pl.net/documents/javasecurity-1.0.0.pdf

Not sure. I have the pdf sitting on my desktop, so either I did or I'm planning to ;-)

> It seems like your technique could be also used to circumvent the
> security check in the ClassLoader constructor.
>
> I wonder what Sun has to say about this.

Sun's ClassLoader has a hack that prevents this from being exploitable:

http://www.securingjava.com/chapter-five/chapter-five-8.html

Regards,
Jeroen

_______________________________________________
Classpath mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/classpath
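The thread above concerns an object reaching a finalizer although its constructor's security check never completed. One widely used defence is an initialization flag that every sensitive method checks. The sketch below is an added example, not part of the original message and not Sun's or GNU Classpath's source. All class and method names are hypothetical, the `callerIsTrusted` parameter stands in for a real security check, and it assumes a JVM that still runs finalizers.

```java
// Added example: hypothetical names, not JDK or GNU Classpath source.
public class GuardedLoaderDemo {

    /** Stand-in for a sensitive class whose constructor performs a security check. */
    static class GuardedLoader {
        // Stays false unless the constructor runs to completion.
        private volatile boolean initialized = false;

        protected GuardedLoader(boolean callerIsTrusted) {
            if (!callerIsTrusted) {          // placeholder for the real check
                throw new SecurityException("caller may not create a loader");
            }
            initialized = true;              // last statement of the constructor
        }

        private void check() {
            if (!initialized) {
                throw new SecurityException("loader object not initialized");
            }
        }

        // Final, so a subclass cannot override it to skip check().
        public final String defineSomething(String name) {
            check();
            return "defined " + name;
        }
    }

    /** Constructed test subclass: its finalizer keeps a reference to the failed instance. */
    static class Resurrecting extends GuardedLoader {
        static volatile GuardedLoader escaped;
        Resurrecting() { super(false); }     // the constructor check always fails
        @Override protected void finalize() { escaped = this; }
    }

    public static void main(String[] args) throws Exception {
        try { new Resurrecting(); } catch (SecurityException expected) { }
        // Finalization timing is up to the VM, so poll for a bounded time.
        for (int i = 0; i < 50 && Resurrecting.escaped == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(20);
        }
        if (Resurrecting.escaped == null) {
            System.out.println("finalizer did not run on this VM");
            return;
        }
        try {
            Resurrecting.escaped.defineSomething("x");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The flag only helps if every sensitive entry point calls `check()` and is `final`; a single unguarded method leaves the partially constructed object usable.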

