Comment by josefx
3 months ago
Java reflection can load classes without initializing them, so no untrusted code would have to be executed at that point.
I haven’t been in Java for a good while. When did they do that?
Static initializers used to load on Classloader calls.
An overload for Class.forName with an explicit initialize parameter was added in Java 1.2 .
Except they don't call Class.forName(..., false, ...) anywhere in the codebase, so my original comment still stands.
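The difference the thread is arguing about, as an added example that is not part of the discussion above: a constructed `Untrusted` class whose static initializer flips a flag on a separate `Probe` holder, loaded once with the three-argument `Class.forName(name, false, loader)` and once with the one-argument form. Reflective inspection of the loaded class (`getDeclaredMethods`, `getSuperclass`) does not trigger initialization; only the default `initialize=true` path (or instantiation, static member access, or `Method.invoke`) does. Class and field names are constructed for the demo.

```java
import java.lang.reflect.Method;

// Constructed holder: kept separate so reading the flag never
// touches Untrusted's own statics (which would force its initialization).
class Probe {
    static boolean untrustedInitRan = false;
}

// Constructed stand-in for a class from an untrusted jar: its static
// initializer is the code a defender does not want running at load time.
class Untrusted {
    static {
        Probe.untrustedInitRan = true;
        System.out.println("static initializer of Untrusted ran");
    }
    public void doWork() {}
}

public class LazyLoadDemo {
    public static void main(String[] args) throws Exception {
        ClassLoader cl = LazyLoadDemo.class.getClassLoader();

        // Load and link only: initialize=false, so the static block does NOT run.
        Class<?> lazy = Class.forName("Untrusted", false, cl);
        System.out.println("after forName(..., false, ...): initRan=" + Probe.untrustedInitRan);

        // Metadata inspection is safe: none of these trigger initialization (JLS 12.4.1).
        for (Method m : lazy.getDeclaredMethods()) {
            System.out.println("  declared method: " + m.getName());
        }
        System.out.println("  superclass: " + lazy.getSuperclass().getName());
        System.out.println("after reflection inspection: initRan=" + Probe.untrustedInitRan);

        // The one-argument form defaults to initialize=true: now the static block runs.
        Class.forName("Untrusted");
        System.out.println("after forName(name): initRan=" + Probe.untrustedInitRan);
    }
}
```

Compile and run with `javac LazyLoadDemo.java && java LazyLoadDemo`; the flag stays `false` through the first two prints and becomes `true` only after the one-argument call. The practical check for a codebase is therefore not whether reflection is used but which `forName` overload (and whether any subsequent `newInstance`, `Method.invoke`, or static field access) is reached while the class is still untrusted.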