[kaffe] possible problem in Class.CallStack
gonzo
Robert.N.Gonzalez@williams.edu
Wed, 24 Jul 2002 11:03:24 -0400 (EDT)
method getCallersClassLoader
line 463
    if (callingClass != null
        && callingClass.getName().equals("java.lang.reflect.Method")) {
        frame += 2;
        callingClass = callStack.getStackClass(frame);
    }
it is possible for a programmer to write his own class loader which loads
a class java.lang.reflect.Method from his own java.lang.reflect package,
in which case getCallersClassLoader would return the Class of a method 2
frames deeper in the call stack than desired.
a possible fix is to check that, not only does
callingClass.getName().equals("java.lang.reflect.Method"), but also to
check that callingClass.getClassLoader() returns the system class loader.
this would only slow things down in the case where the second check is
necessary.
i haven't poked around too much in the class loading/reflection libraries
enough to know if this is a security problem, but it's something to think
about (i.e., i don't know why a person would do such a thing except to
attempt to break a system).
~rob
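
Added example (not part of the original post and not Kaffe code): a name-only class test next to a name-plus-defining-loader test of the kind the post proposes, run against two classes that share a name but come from different loaders. Trusted, ShadowLoader and NameCheckDemo are hypothetical names; Trusted stands in for java.lang.reflect.Method because the standard JDK's ClassLoader.defineClass refuses names beginning with "java.". Assumes Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;

// Constructed stand-in for a core class such as java.lang.reflect.Method.
class Trusted {}

public class NameCheckDemo {
    // Hypothetical loader that defines its own copy of Trusted instead of delegating.
    static class ShadowLoader extends ClassLoader {
        ShadowLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals("Trusted")) {
                return super.loadClass(name, resolve);    // everything else: normal delegation
            }
            try (InputStream in = getParent().getResourceAsStream("Trusted.class")) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] b = in.readAllBytes();
                return defineClass(name, b, 0, b.length); // same name, different defining loader
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // Name-only test, the shape of the check quoted in the post.
    static boolean nameOnly(Class<?> c) {
        return c != null && c.getName().equals("Trusted");
    }

    // Name plus defining loader, the shape of the fix proposed in the post.
    static boolean nameAndLoader(Class<?> c, ClassLoader expected) {
        return nameOnly(c) && c.getClassLoader() == expected;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader real = Trusted.class.getClassLoader();
        Class<?> shadow = new ShadowLoader(real).loadClass("Trusted");

        System.out.println("same Class object:      " + (shadow == Trusted.class));
        System.out.println("nameOnly(genuine):      " + nameOnly(Trusted.class));
        System.out.println("nameOnly(shadow):       " + nameOnly(shadow));
        System.out.println("nameAndLoader(genuine): " + nameAndLoader(Trusted.class, real));
        System.out.println("nameAndLoader(shadow):  " + nameAndLoader(shadow, real));
    }
}
```

Compile with javac before running so that Trusted.class is on the class path for ShadowLoader to read.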