-
Sub-task
-
Resolution: Fixed
-
P4
-
None
-
b117
-
Verified
MethodHandle.Lookup has the following code:
private static void checkUnprivilegedlookupClass(Class<?> lookupClass, int allowedModes) {
String name = lookupClass.getName();
if (name.startsWith("java.lang.invoke."))
throw newIllegalArgumentException("illegal lookupClass: "+lookupClass);
// For caller-sensitive MethodHandles.lookup()
// disallow lookup more restricted packages
if (allowedModes == ALL_MODES && lookupClass.getClassLoader() == null) {
if (name.startsWith("java.") ||
(name.startsWith("sun.") && !name.startsWith("sun.invoke."))) {
throw newIllegalArgumentException("illegal lookupClass: " + lookupClass);
}
}
}
Which is called from the constructor:
Lookup(Class<?> lookupClass) {
this(lookupClass, ALL_MODES);
// make sure we haven't accidentally picked up a privileged class:
checkUnprivilegedlookupClass(lookupClass, ALL_MODES);
}
and at the end of the Lookup.in method:
checkUnprivilegedlookupClass(requestedLookupClass, newModes);
return new Lookup(requestedLookupClass, newModes);
}
Thus Lookup instances cannot be created for caller class or "teleporting" class that is in the package
java.lang.invoke.* for any mode
java.* and sun.* (except for sun.invoke.*) for ALL_MODES
This means that classes under say java.util.concurrent.* cannot create a Lookup instance to produce a VarHandle.
The "sun.invoke.*" package is an exception since the class ValueConversions looks up methods on itself an on Class (for the public method "cast").
As an interim solution the "java.util.concurrent" package should also be added as an exception.
private static void checkUnprivilegedlookupClass(Class<?> lookupClass, int allowedModes) {
String name = lookupClass.getName();
if (name.startsWith("java.lang.invoke."))
throw newIllegalArgumentException("illegal lookupClass: "+lookupClass);
// For caller-sensitive MethodHandles.lookup()
// disallow lookup more restricted packages
if (allowedModes == ALL_MODES && lookupClass.getClassLoader() == null) {
if (name.startsWith("java.") ||
(name.startsWith("sun.") && !name.startsWith("sun.invoke."))) {
throw newIllegalArgumentException("illegal lookupClass: " + lookupClass);
}
}
}
Which is called from the constructor:
Lookup(Class<?> lookupClass) {
this(lookupClass, ALL_MODES);
// make sure we haven't accidentally picked up a privileged class:
checkUnprivilegedlookupClass(lookupClass, ALL_MODES);
}
and at the end of the Lookup.in method:
checkUnprivilegedlookupClass(requestedLookupClass, newModes);
return new Lookup(requestedLookupClass, newModes);
}
Thus Lookup instances cannot be created for caller class or "teleporting" class that is in the package
java.lang.invoke.* for any mode
java.* and sun.* (except for sun.invoke.*) for ALL_MODES
This means that classes under say java.util.concurrent.* cannot create a Lookup instance to produce a VarHandle.
The "sun.invoke.*" package is an exception since the class ValueConversions looks up methods on itself an on Class (for the public method "cast").
As an interim solution the "java.util.concurrent" package should also be added as an exception.
- relates to
-
JDK-8020801 Apply the restriction of invoking MethodHandles.lookup to j.l.r.Method.invoke
-
- Closed
-
-
JDK-8080588 VarHandles development
-
- Resolved
-