Message-Id: <v04204e00b3595a3f9a2b@[128.8.129.126]>
In-Reply-To: <199905072336.QAA21099@shorter.eng.sun.com>
Date: Fri, 7 May 1999 23:10:40 -0400
To: Jeff Nisewanger <Jeff.Nisewanger@eng.sun.com>
From: William Pugh <pugh@cs.umd.edu>
Subject: Re: Huge security hole in Sun's JVM

At 4:34 PM -0700 5/7/99, Jeff Nisewanger wrote:
> Bill Pugh wrote:
> > The JVM allows
> > an outside class to invoke a private constructor or
> > a private static method, and to access a private
> > variable. I confirmed this bug in the following JVMs:
> >
>
> This is not a bug. What you are seeing is that in some
>circumstances Java classes are purposefully not run through full
>language access control checks when loaded directly from the local
>disk. Illegal accesses by downloaded Java code will be caught.

Sorry, but I believe it is a bug.
My reading of the spec is that in Java 1.2, all non-core classes are verified.
The spec doesn't say anything about hacks for bugs in the Java 1.1.2 compiler.
Since you don't believe it is a bug, I presume you have no objection to me
publicizing it?
William Pugh