On Sep 3, 2013, at 9:30 AM, Mandy Chung wrote:

> 
> On 9/3/2013 5:52 AM, Nick Williams wrote:
>> Do, I don't understand the rationale. Alan said the security issues couldn't 
>> be discussed openly. I can get a Class object MANY different ways without a 
>> security check. I don't see or understand any vulnerabilities here. I'm 
>> going to need much more information in order to contribute to the discussion 
>> in an informed manner.
> 
> The Java security guideline is a good starting point.
>   http://www.oracle.com/technetwork/java/seccodeguide-139067.html#4
>> And, has been stated many, many times, this non-goal is incompatible with 
>> the community's needs. Now, there /is/ a way to avoid making 
>> @CallerSensitive public (which the community doesn't care about) while still 
>> making getCallerClass public (which is really what the community needs). In 
>> order to do so, you must remove the check that requires the method calling 
>> getCallerClass/getCallerFrame to be annotated with @CallerSensitive. Once 
>> you remove that check, you don't need @CallerSensitive to be public. To be 
>> clear, though, once you remove that check, you don't need @CallerSensitive 
>> /at all/. It can simply go away.
> 
> Do you mean sun.reflect.CallerSensitive can go away?  This is very important 
> part of the design that we need to detect which methods are caller-sensitive. 
>   I keep seeing you suggest this and it is unclear to me if you only mean to 
> remove java.lang.@CallerSensitive in your proposal.

Yes, that's what I mean. If you carefully examine the (existing) native code 
that backs getCallerClass, you see that @CallerSensitive is /only/ used as an 
enforcement mechanism. When I first read about @CallerSensitive, I /thought/ 
you could take a call stack like this one:

@CallerSensitive getCallerClass()
@CallerSensitive someMethod1()
@CallerSensitive someMethod2()
@CallerSensitive someMethod3()
@CallerSensitive someMethod4()
actualCallerMethod()

And calling getCallerClass would return the class for actualCallerMethod(). 
However, I was wrong. getCallerClass /always/ returns someMethod1(). 
@CallerSensitive is /not/ used to determine when to stop looking for the 
caller. It's just an enforcement mechanism to ensure that only built-in JVM 
classes can call getCallerClass. This is /not/ how I did it, this is how it 
already was. Because of this, you could delete the @CallerSensitive annotation 
completely and getCallerClass still be fully functional the way it is. It just 
wouldn't be restricted to annotated methods anymore.

Note: Now, to be honest, being able to keep going down the chain until you find 
actualCallerMethod() would be nice, but that presents its own challenges (what 
if actualCallerMethod is @CallerSensitive for a completely different purpose, 
for example?), so I don't think that would work.

Nick

Reply via email to