On 18/10/2016 10:25, Uwe Schindler wrote:
:
From my perspective this looks wrong, because there is no security
implications documented on Class#getResource, so it is completely unclear that
you actually need a doPrivileged when calling Class#getResource[AsStream]().
This is a separate issue and has nothing to do with your changes. It was and
still is broken, IMHO.
Just to say that Class#getResources has always done a permission check
but the spec didn't properly document this. We have improved the spec in
the jigsaw/jake forest (as part of the effort to specify how resources
in modules are located) and this includes specifying the longstanding
permission check [1]. I can't say yet when this will be in JSR because
the changes in this area are tied to a number of issues under discussion
in JSR 376.
-Alan
[1]
http://download.java.net/java/jigsaw/docs/api/java/lang/Class.html#getResource-java.lang.String-
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
