[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Small ZipFile patch

From: Jeroen Frijters
Subject: RE: Small ZipFile patch
Date: Wed, 5 Mar 2003 09:18:27 +0100

Tom Tromey wrote:
> Jeroen> Another interesting trick with the finalizer is creating
> Jeroen> instances of classes that have a private constructor! The
> Jeroen> attached runtime.j creates an instance of (a subclass of)
> Jeroen> java.lang.Runtime.
> Interesting test case.
> With gij this prints `null', but that's probably because the GC and
> finalization don't actually occur.
> Jeroen> It could be considered a bug in Sun's verifier that it allows
> Jeroen> a class without a constructor, what do the other VMs do with
> Jeroen> this code?
> Both Sun 1.4 and IBM 1.3 print a non-null `runtime' object.
> Have you read this?

Not sure. I have the pdf sitting on my desktop, so either I did or I'm
planning to ;-)

> It seems like your technique could be also used to circumvent the
> security check in the ClassLoader constructor.
> I wonder what Sun has to say about this.

Sun's ClassLoader has a hack that prevents this from being exploitable:


reply via email to

[Prev in Thread] Current Thread [Next in Thread]