Re: RFR: 8217920: Lookup.defineClass injects a class that can access private members of any class in its own module [v2]

Fri, 27 Jan 2023 03:47:53 -0800 

On Thu, 26 Jan 2023 22:27:36 GMT, Mandy Chung <mch...@openjdk.org> wrote:

>> Currently, a `Lookup` object with `PACKAGE` access can be used to inject a 
>> class in the runtime package of the Lookup's lookup class via 
>> `Lookup::defineClass`.   The classes that are injected have the same access 
>> as other members in the module and can access private members of all types 
>> in the module via reflection.
>> 
>> However, changing `Lookup.defineClass` to require full privilege access 
>> (`PRIVATE` + `MODULE`) is an incompatible change that would break existing 
>> frameworks which use `privateLookupIn` and `Lookup::defineClass` to inject 
>> auxiliary classes in a module.   A module authorizes the framework by 
>> opening a package for it to access and `Lookup::defineClass` was the 
>> supported replacement for `setAccessible` on `ClassLoader::defineClass` hack 
>> in JDK 9.    
>> 
>> This PR proposes to keep existing behavior and provide better documentation 
>> to help developers to beware of the permissions given out when opening a 
>> package to another module. A class injected in a module has the same 
>> privilege as other module members.
>
> Mandy Chung has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   review feedback

src/java.base/share/classes/java/lang/Module.java line 605:

> 603:      * {@link java.lang.invoke.MethodHandles.Lookup Lookup} object that 
> is allowed to
> 604:      * {@link java.lang.invoke.MethodHandles.Lookup#defineClass(byte[]) 
> define classes}
> 605:      * in package {@code p}. </p>

I wonder if this should be an apiNote rather method description. There is also 
the no-arg isOpen method and maybe we should add a note there too. What would 
you think about linking "deep reflection" to 
AccessibleObject.setAccesssible(boolean) ?

src/java.base/share/classes/java/lang/invoke/MethodHandles.java line 240:

> 238:      * of {@code targetClass}. Extreme caution should be taken when 
> opening a package
> 239:      * to another module as such defined classes have the same full 
> privilege
> 240:      * access as other members in the target module.

"define classes" instead of inject classes is good.

-------------

PR: https://git.openjdk.org/jdk/pull/12236

Reply via email to