JDK-8230777 : MethodType::fromMethodDescriptorString should require security permission if loader is null
  • Type: CSR
  • Component: core-libs
  • Sub-Component: java.lang.invoke
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 14
  • Submitted: 2019-09-09
  • Updated: 2019-09-10
  • Resolved: 2019-09-10
Related Reports
CSR :  
Description
Summary
-------

Change `java.lang.invoke.MethodType::fromMethodDescriptorString(String desc, ClassLoader loader)` to call `SecurityManager::checkPermission` with `RuntimePermission("getClassLoader")` if the loader parameter is null.

Problem
-------

`MethodType::fromMethodDescriptorString(String desc, ClassLoader loader)` defaults to using the system class loader if the loader parameter is null. Cross-loader access is not guarded with a `RuntimePermission("getClassLoader")` permission check when the security manager is present, as it is loading classes on behalf of the caller.

Solution
--------

`MethodType::fromMethodDescriptorString` should perform the same security permission check as `ClassLoader::getSystemClassLoader` does when the loader parameter is null. This only impacts existing code that calls this method with loader == null when a security manager is present but the "getClassLoader" permission is not granted.

One alternative solution is to require the loader parameter to be non-null, but this will impact existing code even when it is running without a security manager.

Specification
-------------

The spec of `java.lang.invoke.MethodType::fromMethodDescriptorString` is updated as follows:

```
@@ -1076,9 +1078,8 @@
     /**
      * Finds or creates an instance of a method type, given the spelling of its bytecode descriptor.
      * Convenience method for {@link #methodType(java.lang.Class, java.lang.Class[]) methodType}.
-     * Any class or interface name embedded in the descriptor string
-     * will be resolved by calling {@link ClassLoader#loadClass(java.lang.String)}
-     * on the given loader (or if it is null, on the system class loader).
+     * Any class or interface name embedded in the descriptor string will be
+     * resolved by the given loader (or if it is null, on the system class loader).
      * <p>
      * Note that it is possible to encounter method types which cannot be
      * constructed by this method, because their component types are
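Review bot: In the two added lines the parenthetical still reads "on the system class loader", a leftover from the removed "calling loadClass ... on the given loader" wording, so the sentence now says "resolved by the given loader (or if it is null, on the system class loader)". Suggest "by the system class loader". Since a null loader now carries a permission requirement, this sentence is also the natural place to point readers at the new @throws SecurityException clause.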
@@ -1092,10 +1093,19 @@
      * @throws NullPointerException if the string is null
      * @throws IllegalArgumentException if the string is not well-formed
      * @throws TypeNotPresentException if a named type cannot be found
+     * @throws SecurityException if the security manager is present and
+     *         {@code loader} is {@code null} and the caller does not have the
+     *         {@link RuntimePermission}{@code ("getClassLoader")}
      */
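Review bot: The hunk header gives 19 lines on the new side (+1093,19) but only 7 are shown, so the code that performs the check is not visible and it cannot be confirmed from this excerpt that the permission check runs before any class named in the descriptor is resolved. Please include the full hunk. In the added @throws text, "if the security manager is present" would read more naturally as "if a security manager is present".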
```
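The behaviour described in the Solution and Specification sections, as an added example that is not part of the CSR or the JDK sources: a constructed security manager denies only `RuntimePermission("getClassLoader")`, and the same descriptor is resolved once with `loader == null` and once with the caller's own loader. The class names `DescriptorLoaderCheck` and `DenyGetClassLoader` and the sample descriptor are assumptions; it assumes JDK 14 through 17, where `System.setSecurityManager` can still be called at run time.

```java
import java.lang.invoke.MethodType;
import java.security.Permission;

public class DescriptorLoaderCheck {

    // Constructed test policy: deny only RuntimePermission("getClassLoader").
    // No string concatenation or lambdas here, so the check itself never
    // triggers invokedynamic bootstrapping.
    static final class DenyGetClassLoader extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "getClassLoader".equals(perm.getName())) {
                throw new SecurityException("getClassLoader denied");
            }
        }
    }

    // Returns true if resolving the descriptor with this loader is refused.
    static boolean isDenied(String desc, ClassLoader loader) {
        try {
            MethodType.fromMethodDescriptorString(desc, loader);
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample descriptor: List m(String, int)
        String desc = "(Ljava/lang/String;I)Ljava/util/List;";
        // Capture the caller's own loader before the manager is installed.
        ClassLoader own = DescriptorLoaderCheck.class.getClassLoader();

        System.setSecurityManager(new DenyGetClassLoader());

        // loader == null falls back to the system class loader, which the
        // updated spec guards with the "getClassLoader" permission.
        boolean nullDenied = isDenied(desc, null);
        // An explicit loader is used as given; the new check does not apply.
        boolean ownDenied = isDenied(desc, own);

        System.out.print("null loader denied: ");
        System.out.println(nullDenied);
        System.out.print("explicit loader denied: ");
        System.out.println(ownDenied);
    }
}
```

Code that has to run without the "getClassLoader" permission can pass a class loader it already holds instead of null, which is the case the Solution section says is not affected.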
Comments
Moving to Approved.
10-09-2019