Closed Bug 107313 Opened 24 years ago Closed 14 years ago

LiveConnect doesn't supply nice way to control class loader

Categories

(Core Graveyard :: Java: Live Connect, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: tjw, Unassigned)

Details

Attachments

(1 file)

Mozilla seems to use a proxy JNIEnv and a stack of JSContext information to turn the FindClass JNI hook into a call to the right class loader instance. This is more complicated than it seems it should be (especially if you aren't Mozilla). Instead, I propose the following new LiveConnect hook:

/* Returns the Java class for the given name. This is the primary
   security hook for LiveConnect. Based on the global object of the
   JSContext, a different Java ClassLoader instance can be used to
   isolate Java code from different sources into their own sandboxen.
   If this hook is NULL, the default class loader is used (which is
   not secure by default). */
jclass (*find_class)(JNIEnv *env, JSContext *cx, const char * className);

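
The following is an added example, not part of the report or of the attached patch: a small C model of how a bridge could dispatch through the proposed find_class hook, and what the NULL fallback means for isolation. JNIEnv, JSContext and jclass are stand-in types, and Callbacks, load_with, per_global_find_class and bridge_find_class are hypothetical names; only the hook's signature is taken from the report.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in types (assumptions): the real ones come from jni.h and jsapi.h. */
typedef struct { int unused; } JNIEnv;
typedef struct { const char *global_id; } JSContext; /* global object reduced to an id */
typedef struct { const char *loader, *name; } ClassRef;
typedef const ClassRef *jclass;

/* Hook with the signature proposed in the report; the struct name is hypothetical. */
typedef struct {
    jclass (*find_class)(JNIEnv *env, JSContext *cx, const char *className);
} Callbacks;

static ClassRef loaded[16];
static size_t n_loaded;

/* A class is identified by (loader, name), as in the JVM. */
jclass load_with(const char *loader, const char *name) {
    for (size_t i = 0; i < n_loaded; i++)
        if (!strcmp(loaded[i].loader, loader) && !strcmp(loaded[i].name, name))
            return &loaded[i];
    if (n_loaded == sizeof loaded / sizeof loaded[0]) return NULL;
    loaded[n_loaded] = (ClassRef){ loader, name };
    return &loaded[n_loaded++];
}

/* Embedder's hook: one loader per global object; no global means no class. */
jclass per_global_find_class(JNIEnv *env, JSContext *cx, const char *className) {
    (void)env;
    if (cx == NULL || cx->global_id == NULL) return NULL;
    return load_with(cx->global_id, className);
}

/* Lookup as the bridge would perform it: a NULL hook means the shared default loader. */
jclass bridge_find_class(const Callbacks *cb, JNIEnv *env, JSContext *cx, const char *name) {
    if (cb->find_class != NULL) return cb->find_class(env, cx, name);
    return load_with("<default>", name);
}

int main(void) {
    JNIEnv env = {0};
    JSContext a = { "global-A" }, b = { "global-B" };   /* constructed sample contexts */
    Callbacks hooked = { per_global_find_class }, unhooked = { NULL };
    int isolated = bridge_find_class(&hooked, &env, &a, "Widget")
                != bridge_find_class(&hooked, &env, &b, "Widget");
    int shared = bridge_find_class(&unhooked, &env, &a, "Widget")
              == bridge_find_class(&unhooked, &env, &b, "Widget");
    return (isolated && shared) ? 0 : 1;
}
```

With the hook installed, the same class name resolves to a distinct class per global object; with the hook left NULL, both contexts receive the same class from the shared default loader.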
Formally confirming bug. Reassigning to Patrick; cc'ing Brendan, rogerl and mstoltz for consideration of this issue.
Assignee: rogerl → beard
Status: UNCONFIRMED → NEW
Ever confirmed: true
As discussed in e-mail, this isn't sufficient for securing LiveConnect itself, but seems like a reasonable addition. In the current OJI implementation, a class loader can be associated with the JSContext by rooting a JNI reference to the class loader in the global object.
Status: NEW → ASSIGNED
Attached patch: Proposed patch
The patch above contains my proposed patch for this bug and #107311 (since they affect the same callback struct).
-> default assignee for old netscape assigned bugs.
Assignee: beard → live-connect
Status: ASSIGNED → NEW
Product: Core → Core Graveyard
Firefox code moved from custom Liveconnect code to the NPAPI/NPRuntime bridge a while back. Mass-closing the bugs in the liveconnect component which are likely invalid. If you believe that this bug is still relevant to modern versions of Firefox, please reopen it and move it to the "Core" product, component "Plug-Ins".
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE