Re: [cp-patches] Patch: Add security check to Class.getClasses()

[Gary Benson]

Tom Tromey wrote:
> >>>>> "Gary" == Gary Benson <address@hidden> writes:
> 
> Gary> Class.getClasses() was not performing the member access checks
> Gary> like it ought.  The attached patch fixes.  I'm working on
> Gary> mauve tests for all of Class's security calls so there will be
> Gary> a check for this issue soonish.
> 
> Class.getClasses is directly calling memberAccessCheck before it
> calls internalGetClasses.  Also supposedly getClasses should call
> with Member.PUBLIC, not Member.DECLARED.  So it seems to me that
> this patch is not needed.

Ok, so I guess the documentation is inconsistent:

  http://java.sun.com/j2se/1.4.2/docs/api/java/lang/Class.html#getClasses()
    "For this class _and_each_of_its_superclasses_, the following
    security checks are performed: If there is a security manager, the
    security manager's checkMemberAccess method is called with this
    and Member.PUBLIC...".

  
http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods
    "For this class and each of its superclasses,
    checkMemberAccess(this, Member.DECLARED) is called..."

Presently Classpath checks Member.PUBLIC for this class but not for
its superclasses.  (Member.DECLARED is higher than Member.PUBLIC).

FWIW Member.PUBLIC is consistent with getFields(), getMethods(), etc.

Hmmm...

Cheers,
Gary