Comment by hinkley
3 months ago
The fix still loads the class before checking if it’s okay.
That’s a smaller attack window but it’s still not zero.
3 months ago
The fix still loads the class before checking if it’s okay.
That’s a smaller attack window but it’s still not zero.
Java reflection can load classes without initializing them, so no untrusted code would have to be executed at that point.
I haven’t been in Java for a good while. When did they do that?
Static initializers used to load on Classloader calls.
An overload for Class.forName with an explicit initialize parameter was added in Java 1.2 .
1 reply →