Comment by josefx
14 days ago
Java reflection can load classes without initializing them, so no untrusted code would have to be executed at that point.
I haven’t been in Java for a good while. When did they do that?
Static initializers used to load on Classloader calls.
An overload for Class.forName with an explicit initialize parameter was added in Java 1.2.
Except they don't call Class.forName(..., false, ...) anywhere in the codebase, so my original comment still stands.
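An added example, not from the thread or any project discussed in it, showing the behaviour described above: `Class.forName(name, false, loader)` loads and links a class without running its static initializer, while the one-argument `Class.forName(name)` does. The classes and names here are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;

public class LazyInitDemo {
    // Records which static initializers have actually run, so the effect is observable.
    static final List<String> initialized = new ArrayList<>();

    // Constructed stand-in for an untrusted class: its static initializer represents
    // arbitrary code that would execute as a side effect of class initialization.
    public static class Untrusted {
        static {
            LazyInitDemo.initialized.add("Untrusted");
        }
    }

    // Loads a class by name with initialize = false: the class is loaded and linked and
    // can be inspected via reflection, but its static initializer does not run.
    static Class<?> loadWithoutInit(String name) throws ClassNotFoundException {
        return Class.forName(name, false, LazyInitDemo.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        String name = LazyInitDemo.class.getName() + "$Untrusted";

        // Load only: reflective inspection is fine and does not trigger initialization.
        Class<?> c = loadWithoutInit(name);
        System.out.println("loaded: " + c.getName()
                + ", constructors: " + c.getDeclaredConstructors().length);
        System.out.println("initialized after forName(name, false, loader): " + initialized);

        // The one-argument overload initializes the class, so the static block now runs.
        Class.forName(name);
        System.out.println("initialized after forName(name): " + initialized);
    }
}
```

Note that initialize = false defers initialization rather than preventing it: the first active use of the class (instantiation, a static method call, or a non-constant static field access) still runs the static initializer.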