On 18/10/2016 10:25, Uwe Schindler wrote:
 From my perspective this looks wrong, because there is no security 
implications documented on Class#getResource, so it is completely unclear that 
you actually need a doPrivileged when calling Class#getResource[AsStream](). 
This is a separate issue and has nothing to do with your changes. It was and 
still is broken, IMHO.

Just to say that Class#getResources has always done a permission check but the spec didn't properly document this. We have improved the spec in the jigsaw/jake forest (as part of the effort to specify how resources in modules are located) and this includes specifying the longstanding permission check [1]. I can't say yet when this will be in JSR because the changes in this area are tied to a number of issues under discussion in JSR 376.


[1] http://download.java.net/java/jigsaw/docs/api/java/lang/Class.html#getResource-java.lang.String-

To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to