On Sep 3, 2013, at 9:39 AM, Nick Williams wrote:

> 
> On Sep 3, 2013, at 9:30 AM, Mandy Chung wrote:
> 
>> 
>> On 9/3/2013 5:52 AM, Nick Williams wrote:
>>> Do, I don't understand the rationale. Alan said the security issues 
>>> couldn't be discussed openly. I can get a Class object MANY different ways 
>>> without a security check. I don't see or understand any vulnerabilities 
>>> here. I'm going to need much more information in order to contribute to the 
>>> discussion in an informed manner.
>> 
>> The Java security guideline is a good starting point.
>>  http://www.oracle.com/technetwork/java/seccodeguide-139067.html#4
>>> And, has been stated many, many times, this non-goal is incompatible with 
>>> the community's needs. Now, there /is/ a way to avoid making 
>>> @CallerSensitive public (which the community doesn't care about) while 
>>> still making getCallerClass public (which is really what the community 
>>> needs). In order to do so, you must remove the check that requires the 
>>> method calling getCallerClass/getCallerFrame to be annotated with 
>>> @CallerSensitive. Once you remove that check, you don't need 
>>> @CallerSensitive to be public. To be clear, though, once you remove that 
>>> check, you don't need @CallerSensitive /at all/. It can simply go away.
>> 
>> Do you mean sun.reflect.CallerSensitive can go away?  This is very important 
>> part of the design that we need to detect which methods are 
>> caller-sensitive.   I keep seeing you suggest this and it is unclear to me 
>> if you only mean to remove java.lang.@CallerSensitive in your proposal.
> 
> Yes, that's what I mean. If you carefully examine the (existing) native code 
> that backs getCallerClass, you see that @CallerSensitive is /only/ used as an 
> enforcement mechanism. When I first read about @CallerSensitive, I /thought/ 
> you could take a call stack like this one:
> 
> @CallerSensitive getCallerClass()
> @CallerSensitive someMethod1()
> @CallerSensitive someMethod2()
> @CallerSensitive someMethod3()
> @CallerSensitive someMethod4()
> actualCallerMethod()
> 
> And calling getCallerClass would return the class for actualCallerMethod(). 
> However, I was wrong. getCallerClass /always/ returns someMethod1().

Sorry, typo. getCallerClass always returns someMethod2(). Not someMethod1().

> @CallerSensitive is /not/ used to determine when to stop looking for the 
> caller. It's just an enforcement mechanism to ensure that only built-in JVM 
> classes can call getCallerClass. This is /not/ how I did it, this is how it 
> already was. Because of this, you could delete the @CallerSensitive 
> annotation completely and getCallerClass still be fully functional the way it 
> is. It just wouldn't be restricted to annotated methods anymore.
> 
> Note: Now, to be honest, being able to keep going down the chain until you 
> find actualCallerMethod() would be nice, but that presents its own challenges 
> (what if actualCallerMethod is @CallerSensitive for a completely different 
> purpose, for example?), so I don't think that would work.
> 
> Nick

Reply via email to