Hmm well spotted, better report that one :) Cheers,

Peter.

Sent from my Samsung device.

---- Original message ----
From: "Michał Kłeczek (XPro Sp. z o. o.)" <michal.klec...@xpro.biz>
Sent: 06/02/2017 07:51:20 pm
To: dev@river.apache.org
Subject: Re: AbstractILFactory bug?

I'm talking about this:

    Util.checkPackageAccess(interfaces[i].getClass()); // NOTE the getClass() here!!!

It should be:

    Util.checkPackageAccess(interfaces[i]);

Michal

Michał Kłeczek (XPro Sp. z o. o.) wrote:
> I understand the check is needed.
>
> It is that we are not checking the right package but "java.lang"
>
> Thanks,
> Michal
>
> Peter wrote:
>> Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance
>> permission check is caller sensitive. In this case
>> AbstractILFactory is the caller, so not checking it would allow an
>> attacker to bypass the check using AbstractILFactory.
>> Cheers,
>>
>> Peter.
>>
>> Sent from my Samsung device.
>>
>> ---- Original message ----
>> From: "Michał Kłeczek (XPro Sp. z o. o.)" <michalklec...@xpro.biz>
>> Sent: 06/02/2017 05:06:32 pm
>> To: dev@river.apache.org
>> Subject: AbstractILFactory bug?
>>
>> I have just found this piece of code in AbstractILFactory:
>>
>>     Class[] interfaces = getProxyInterfaces(impl);
>>     ...
>>     for (int i = 0; i < interfaces.length; i++) {
>>         Util.checkPackageAccess(interfaces[i].getClass());
>>     }
>>
>> So we check "java.lang" package access.
>>
>> A bug?
>>
>> Thanks,
>> Michal
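The difference the thread is pointing at, shown in a self-contained Java sketch added here (not River's code): the restricted-package list, the `Secret` interface and the stand-in `checkPackageAccess` are constructed for illustration, modelling the prefix-based package.access check a security manager performs. Calling `getClass()` on a `Class` object always yields `java.lang.Class`, so the buggy form inspects the package "java.lang" no matter which package the proxy interface actually lives in.

```java
package com.example.internal;

import java.util.List;

public class PackageCheckDemo {
    // Constructed stand-in for the security manager's package.access prefix list.
    static final List<String> RESTRICTED = List.of("com.example.internal");

    // Constructed proxy interface that lives in the restricted package.
    interface Secret {}

    // Models Util.checkPackageAccess: deny when the class's package matches a restricted prefix.
    static void checkPackageAccess(Class<?> clazz) {
        String pkg = clazz.getPackageName();
        for (String prefix : RESTRICTED) {
            if (pkg.startsWith(prefix)) {
                throw new SecurityException("access denied to package " + pkg);
            }
        }
    }

    // True when the check denied access, false when it let the class through.
    static boolean denied(Class<?> clazz) {
        try {
            checkPackageAccess(clazz);
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Class<?>[] interfaces = { Secret.class };
        for (Class<?> iface : interfaces) {
            // Buggy form from the thread: getClass() on a Class object is java.lang.Class,
            // so the package examined is "java.lang" and the restricted interface is never seen.
            Class<?> wrong = iface.getClass();
            System.out.println("getClass() -> " + wrong.getName()
                + ", package " + wrong.getPackageName()
                + ", denied=" + denied(wrong));

            // Corrected form: examine the interface class itself, so its real package is checked.
            System.out.println("interface  -> " + iface.getName()
                + ", package " + iface.getPackageName()
                + ", denied=" + denied(iface));
        }
    }
}
```

Runs as a single file with the Java 11+ source launcher (`java PackageCheckDemo.java`); `Class.getPackageName()` and `List.of` need Java 9 or later.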