Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
If a class tries to access a public member of a non-public class loaded by different class loader, DRLVM allows it, while RI and IBM VME throw IllegalAccessException.
This may be a security hole.
Here's the code to reproduce the bug:
import java.net.*;
public class Test {
public static void main(String[] args) {
try {
ClassLoader loader = new URLClassLoader(new URL[]
);
loader.loadClass("Run").getMethod("run").invoke(null);
System.out.println("FAIL");
} catch (IllegalAccessException e)
catch (Exception e)
{ e.printStackTrace(System.out); System.out.println("FAIL"); } }
}
class Run {
public static void run()
}
Put both classes to a file named Test.java, and run:
$ javac Test.java
$ jar cvf run.jar Run.class
$ rm Run.class
$ java Test
Don't forget to remove Run.class, or the test would fail on any VM!
Output on RI:
java.lang.IllegalAccessException: Class Test can not access a member of class Run with modifiers "public static"
at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:65)
at java.lang.reflect.Method.invoke(Method.java:578)
at Test.main(Test.java:6)
SUCCESS
Output on IBM VME:
java.lang.IllegalAccessException
at java.lang.reflect.Method.invoke(Method.java:244)
at Test.main(Test.java:6)
SUCCESS
Output on DRLVM:
Run.run()
FAIL
Attachments
Issue Links
- is related to
-
-
- Closed
-