Re: java.util.ResourceBundle bug?


From: Mark Wielaard
Subject: Re: java.util.ResourceBundle bug?
Date: Sat, 3 Nov 2001 15:36:25 +0100
User-agent: Mutt/1.3.23i

Hi,

On Sat, Nov 03, 2001 at 06:42:26PM +1300, Bryce McKinlay wrote:
> Tom Tromey wrote:
> 
> >Perhaps for certain methods this is necessary for VM security.  In
> >this particular case I doubt it matters.  Is there an exploit
> >available if you can find all the classes on the stack?
> 
> I think you can override SecurityManager and call it without any 
> restrictions anyway.

Yes you can, IF you have permission to actually create a SecurityManager.
(Note that our current implementation of the SecurityManager constructor
follows the old 1.1 semantics.) But this also seems to solve your problem.
Just create a package local subclass of SecurityManager in java.util
that can (only) be used by classes in java.util. Something like:

package java.util;

import java.security.*;

/** Package private SecurityManager for use by java.util code. */
class UtilManager extends SecurityManager
{
  private static final UtilManager instance = newInstance();

  private UtilManager() { }

  private static UtilManager newInstance()
  {
    // Safe because it can only be called through java.util code.
    // Will always work since java.util classes have (all) system permissions.
    UtilManager manager = (UtilManager) AccessController.doPrivileged
    (
      new PrivilegedAction()
      {
        public Object run()
        {
          return new UtilManager();
        }
      }
    );

    return manager;
  }

  /**
   * Should precisely define what is element 0 till n.
   * Note package access.
   */
  static Class[] utilClassContext()
  {
    return instance.getClassContext();
  }
}

Note that the above code is not tested (I did not even try to compile it).

Cheers,

Mark
-- 
Stuff to read:
    <http://www.toad.com/gnu/whatswrong.html>
  What's Wrong with Copy Protection, by John Gilmore
