System classes can get at .class files via getResource().getContent()


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • 1.1.5
    • Affects Version/s: 1.1
    • Component/s: core-libs
    • None
    • 1.1.5
    • generic
    • generic
    • Not verified

      [Note this is not a security problem]

      We are stating that in JDK1.1 getResource() cannot be used to access the contents of .class files. A number of "holes" have been plugged in 1.1.4 and in 1.1.5 but there is one remaining:

      A class loaded with the system classloader can access a .class file in a directory by getting at its name and then doing a getContent() on it.

      To reproduce, get the attachment test suite from 4085413, then follow the
      instructions in GetResourceTests except that

      * setenv CLASSPATH <whatever>/bug:.
      * appletviewer OnDirFromSystem.html

      you will get a failure:

      calterra% setenv CLASSPATH ${CPdir}:.
      calterra% appletviewer OnDirFromSystem.html
      could read foo.class using getResource
      Tests failed

            Assignee:
            Eduardo Pelegrillopart (Inactive)
            Reporter:
            Eduardo Pelegrillopart (Inactive)