On 09-Dec-20 19:44, Mandy Chung wrote:
> On 12/8/20 6:02 PM, Johannes Kuhn wrote:
>> There are a lot of things to consider when trying to fix JDK-8013527.
>
> Exactly, in particular the security implications! What is clear is that the
> expected lookup class should not be the injected class. The key
> message here is that we can't fix JDK-8257874 until we fix JDK-8013527,
> unfortunately.
>
> Mandy

Yeah, if JDK-8013527 is fixed it might fix JDK-8257874 as a byproduct.
If Lookup.lookup() can determine the original caller, then
Field.set*/Method.invoke could do the same.

Special care has to be taken that no other class could spoof such an
injected invoker.

Too complicated for me :). JDK-8013527 needs a sound design to approach
fixing it IMHO.

- Johannes