On Thu, 6 Apr 2023 19:22:56 GMT, Mandy Chung <mch...@openjdk.org> wrote:

> This seems a concern if the target method handle should not have access to 
> the class in that module.

MethodHandle access is checked when the MethodHandle is created.  
For `@CallerSensitive` methods, the MethodHandle is additionally bound to the 
lookup class.  
Also see 
[`java.lang.invoke.ConstantBootstraps.invoke`](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/invoke/ConstantBootstraps.html#invoke%28java.lang.invoke.MethodHandles.Lookup,java.lang.String,java.lang.Class,java.lang.invoke.MethodHandle,java.lang.Object...%29).
If calling an arbitrary MethodHandle from a module could be a problem, then 
that is an easier target.

> W.r.t. the no-arg constructor, I would consider another level of defense to 
> make the constructor take Lookup of itself and throw an IAE if the lookup 
> class is not itself or it does not have ORIGINAL access.

Without that defense you can create a new instance (if you have a reference to 
the hidden class) that does exactly the same thing as the original instance.  
Other than `getClass` on the original object, `StackWalker` comes to mind as a 
way to obtain the class reference.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/13197#issuecomment-1499523476
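
The constructor defense quoted above, sketched as an added example (not code from the PR or the JDK). `Guarded`, `LookupGuardDemo` and `attempt` are hypothetical names, and `Lookup.ORIGINAL` requires Java 16 or later.

```java
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodHandles.Lookup;

public class LookupGuardDemo {
    // Hypothetical stand-in for the class whose constructor is being defended.
    static final class Guarded {
        Guarded(Lookup lookup) {
            // Accept only this class's own lookup, and only with ORIGINAL access.
            if (lookup.lookupClass() != Guarded.class
                    || (lookup.lookupModes() & Lookup.ORIGINAL) == 0) {
                throw new IllegalArgumentException(
                        "not the ORIGINAL lookup of " + Guarded.class.getName());
            }
        }

        // MethodHandles.lookup() is caller-sensitive, so only code inside
        // Guarded obtains a Lookup on Guarded that still carries ORIGINAL.
        static Guarded create() {
            return new Guarded(MethodHandles.lookup());
        }
    }

    // Reports whether the guarded constructor accepts the given Lookup.
    static String attempt(Lookup lookup) {
        try {
            new Guarded(lookup);
            return "accepted";
        } catch (IllegalArgumentException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) throws IllegalAccessException {
        Guarded.create(); // the class's own lookup satisfies the check

        // A holder of the Class reference has only its own Lookup to offer.
        Lookup outsider = MethodHandles.lookup(); // lookup class: LookupGuardDemo
        System.out.println("outsider lookup:  " + attempt(outsider));

        // Teleported lookups name Guarded as lookup class but drop ORIGINAL.
        Lookup teleported = MethodHandles.privateLookupIn(Guarded.class, outsider);
        System.out.println("privateLookupIn:  " + attempt(teleported));
        System.out.println("outsider.in(...): " + attempt(outsider.in(Guarded.class)));
    }
}
```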
