Re: java.util.ResourceBundle bug?

[Tom Tromey]

>>>>> "Bryce" == Bryce McKinlay <address@hidden> writes:

Bryce> I think the correct fix is to remove this method
Bryce> (ResourceBundle.getClassContext) and natResourceBundle.cc
Bryce> altogether.  There is no reason to have a separate
Bryce> implementation of getClassContext() here, instead it should
Bryce> call the static implementation in VMSecurityManager. The
Bryce> problem is that VMSecurityManager is in java.lang and
Bryce> package-private, but I don't think it should be, since there
Bryce> are classes in other packages which need access to this
Bryce> functionality.

Bryce> I think we should move it to gnu.java.lang and make it
Bryce> public. Same goes for java.lang.VMClassLoader. Does anyone
Bryce> disagree?

I asked about this a while back on the Classpath list.  Well, I asked
a different but related question, namely why the VM* classes are not
in gnu.*.  Mark Wielaard answered that this would let any code call
these methods.

Perhaps for certain methods this is necessary for VM security.  In
this particular case I doubt it matters.  Is there an exploit
available if you can find all the classes on the stack?

Tom