6622002 breaks JTable's default renderers?
dlila at redhat.com
Mon Dec 6 09:11:35 PST 2010
We have this bug report http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=590
relating to the default rendering of Boolean values in JTables. It was caused by our
backport of http://hg.openjdk.java.net/jdk7/jdk7-gate/jdk/rev/0f510337dadb. I filed
Sun bug 7004655 for it.
I looked through the security-dev and swing-dev archives to find discussion on the fix
of 6622002, but I couldn't find anything.
The test included with the fix for 6622002 is pretty explicit in that we shouldn't be
able to reflectively create non public instances of a class, but I think this is wrong.
In the JTable$BooleanRenderer case, all we're trying to do is instantiate BooleanRenderer
from JTable. BooleanRenderer is not public, but it is a nested class in JTable, so it and
all of its members are visible from JTable, which is where we're trying to lazily instantiate
it. Therefore, I think this is definitely a bug. I don't know a whole lot about security
in Java (which is why I'm not sending a webrev along with this message), but as far as I can
see, a fix would simply involve looking at the stack trace in the ProxyLazyValue constructors
to find the class name of the caller. Then, using that, we improve the logic in checkAccess
to take things like nested classes into account.
I would love to hear any thoughts anyone has about this.
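As an added illustration (not JDK code and not the poster's patch), the sketch below shows the shape of the fix the message proposes: an access gate that still rejects non-public classes for unrelated callers, but derives the caller from the stack trace and lets a class instantiate its own non-public nested classes. `Table`, `Elsewhere` and `NestedAccessCheck` are stand-ins invented for the example, not the real JTable or UIDefaults code.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Modifier;

// Hypothetical illustration, not JDK code: a lazy-instantiation gate that, like
// ProxyLazyValue after the 6622002 fix, rejects non-public classes, but first
// asks whether the caller is the class enclosing the target (the JTable case).
public class NestedAccessCheck {
    // Follow getEnclosingClass() up to the top-level class.
    static Class<?> outermost(Class<?> c) {
        while (c.getEnclosingClass() != null) c = c.getEnclosingClass();
        return c;
    }

    // Locate the caller by walking the stack past this helper class, the
    // approach the post suggests for the ProxyLazyValue constructors.
    static Class<?> callerClass() throws ClassNotFoundException {
        for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
            String n = f.getClassName();
            if (!n.equals(NestedAccessCheck.class.getName()) && !n.equals(Thread.class.getName()))
                return Class.forName(n);
        }
        throw new IllegalStateException("no caller frame found");
    }

    // Still blocks non-public classes for unrelated callers, but lets an
    // enclosing class instantiate its own nested (non-public) classes.
    static void checkAccess(Class<?> target, Class<?> caller) {
        if (Modifier.isPublic(target.getModifiers())) return;
        if (outermost(target) == outermost(caller)) return;
        throw new SecurityException(caller.getName() + " may not instantiate " + target.getName());
    }

    static Object instantiate(Class<?> target) throws Exception {
        checkAccess(target, callerClass());
        Constructor<?> ctor = target.getDeclaredConstructor();
        ctor.setAccessible(true);   // the nested class's constructor is itself non-public
        return ctor.newInstance();
    }
}

// Stand-ins for JTable and its non-public nested BooleanRenderer, plus an outsider.
class Table {
    static class BooleanRenderer { }
    static Object make() throws Exception { return NestedAccessCheck.instantiate(BooleanRenderer.class); }
}
class Elsewhere {
    static Object make() throws Exception { return NestedAccessCheck.instantiate(Table.BooleanRenderer.class); }
}
```

`Table.make()` returns a `Table$BooleanRenderer` while `Elsewhere.make()` throws `SecurityException`. The stack walk is the fragile part: a production check would still have to consult the SecurityManager and cope with intermediate frames.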