Michael Koch wrote:
> Did I say I don't like it?

That's the impression I got when we first discussed this.

> I read some interesting paper from Marc Schoenefeld lately about how
> he exploited bugs in SUN's JDK. He has written some tool that uses
> reflection to test public constructors and methods in sun.* packages.

That doesn't make sense. Untrusted code is not allowed access to the sun.* packages (unless you're running on Opera, which apparently had a bug), so there is no point.

> We should really make this impossible. Limiting access to some
> packages in gnu.* namespace (not all) is a good idea. E.g.
> gnu.java.nio.* should be restricted, gnu.regexp.* not.

Right. We can disallow gnu.* and then selectively allow some packages.

> This restriction should allow access from java.io, java.nio, java.lang,
> java.net, etc. but not from non-standard packages like java.foobar.
> And we have to somehow make sure malicious code can not introduce
> classes into the standard packages.

That isn't how it works. It's class loader based, all code loaded by the bootstrap class loader will have access to the gnu.* packages.

Regards,
Jeroen
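The class-loader-based check discussed in this message, as an added example that is not part of the original e-mail and is not GNU Classpath code. The class name PackageAccessModel, its methods, the two prefix lists and the target class names are assumptions made up for the illustration.

```java
import java.util.List;

// Added illustration: a small model of a class-loader-based package check.
// Not GNU Classpath code; every name in this file is hypothetical.
public class PackageAccessModel {
    // Constructed policy: restrict gnu.* as a whole, then allow selected packages.
    static final List<String> RESTRICTED = List.of("gnu.");
    static final List<String> ALLOWED = List.of("gnu.regexp.");

    // Length of the longest prefix in the list that matches, or -1 if none does.
    static int longestMatch(List<String> prefixes, String className) {
        int best = -1;
        for (String p : prefixes) {
            if (className.startsWith(p) && p.length() > best) best = p.length();
        }
        return best;
    }

    // The longest matching prefix wins, so an allow entry carves a hole in gnu.*
    static boolean isRestricted(String className) {
        return longestMatch(RESTRICTED, className) > longestMatch(ALLOWED, className);
    }

    // The decision keys on the loader that defined the calling class, not on the
    // package name the caller carries. A null loader is how Java reports the
    // bootstrap class loader.
    static boolean mayAccess(ClassLoader callerLoader, String targetClass) {
        if (callerLoader == null) return true;   // bootstrap-loaded code
        return !isRestricted(targetClass);
    }

    public static void main(String[] args) {
        ClassLoader boot = String.class.getClassLoader();            // null
        ClassLoader app = PackageAccessModel.class.getClassLoader(); // non-null
        // Constructed target class names.
        String[] targets = {
            "gnu.java.nio.Example", "gnu.regexp.Example", "java.util.List"
        };
        for (String t : targets) {
            System.out.printf("%-22s bootstrap=%b application=%b%n",
                    t, mayAccess(boot, t), mayAccess(app, t));
        }
    }
}
```

Only the gnu.java.nio target is refused for the application loader; the bootstrap loader is allowed all three, which is why the caller's package name plays no part in the decision.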

