-
Bug
-
Resolution: Fixed
-
P2
-
9
The default implementation of ObjectInputStream::resolveClass and resolveProxyClass finds the user-defined class loader on the stack and considered only system classes are loaded by null loader. These methods should be updated to prepare if any system class are defined by the platform class loader and its ancestors instead.
As JDK modules are deprivileged, classes on the stack defined by the platform class loader should be excluded. As for the implementation, JVM_LatestUserDefinedLoader returns the first non-null class loader on the stack. Walking the stack to find the latest user defined loader is fragile. Serialization and RMI depend on it. It'd be even better if this can be removed.
As JDK modules are deprivileged, classes on the stack defined by the platform class loader should be excluded. As for the implementation, JVM_LatestUserDefinedLoader returns the first non-null class loader on the stack. Walking the stack to find the latest user defined loader is fragile. Serialization and RMI depend on it. It'd be even better if this can be removed.
- blocks
-
JDK-8154189 Deprivilege java.sql and java.sql.rowset module
-
- Resolved
-
- relates to
-
-
- Closed
-
-
-
- Closed
-