| |||||||||||||
What every C Programmer should know about undefined behavior #2/3What every C Programmer should know about undefined behavior #2/3Posted May 16, 2011 23:30 UTC (Mon) by cmccabe (guest, #60281)In reply to: What every C Programmer should know about undefined behavior #2/3 by tialaramex Parent article: What every C Programmer should know about undefined behavior #2/3
I can get the private data of any class that implements Serializable pretty easily. I can always get access to protected data members by defining my own subclass (unless the class is final, but putting protected data members in a final class is an odd choice).
I have a pretty good hunch that this API gives me a hole in "private" big enough to drive my truck through.
I haven't tried it, though.
(Log in to post comments)
What every C Programmer should know about undefined behavior #2/3 Posted May 17, 2011 1:07 UTC (Tue) by foom (subscriber, #14868) [Link]
If there's no security manager policy in the way, you certainly can access private members with the obvious reflection APIs. If there is a security manager policy, it also prevents you from doing the other Evil Things that would let you access the private members.
What every C Programmer should know about undefined behavior #2/3 Posted May 17, 2011 8:54 UTC (Tue) by tialaramex (subscriber, #21167) [Link]
Not only might a class choose not to implement Serializable if it doesn't want you looking at its internals, it might also choose to implement Serializable in a way that's completely unhelpful while obeying the spec. In some cases this might be the most natural approach e.g. their magic internal values could change in a future otherwise compatible replacement, so they reconstruct them when de-serialising, rather than including them in the serialised output.
In other cases it would be very deliberate e.g. we can imagine a system where untrusted code runs in a Java sandbox on a remote system, and has access to certain serialisable objects which are sensitive, so their serialisations are encrypted, versioned and signed with keys not available to the untrusted code.
Even if you're allowed to make the subclass (security policy again) - your subclass doesn't get to look at protected data members from other instances, so this will often be useless. Remember this is Java, so type restrictions are enforced at runtime.
Basically this goes on and on, unlike in C++ the designers actually intended this to be enforced, not just a vague guideline to help those willing to help themselves. So even if you find a crack in the wall, someone will fix it. There really aren't any gaps "big enough to drive a truck through" as you imagine and as is the case in something like C++. If you want to drive a truck in, you need someone to conveniently open the truck-sized gate from the other side by disabling the relevant security policy.
What every C Programmer should know about undefined behavior #2/3 Posted May 17, 2011 9:01 UTC (Tue) by tialaramex (subscriber, #21167) [Link]
"your subclass doesn't get to look at protected data members from other instances"
Actually this bit might be wrong. You could be able to just pass in a suitable instance and have the code inside your imposter subclass poke around in its protected internals. But again the security policy gets to decide whether you're allowed to make this subclass at all (unlike the 'final' keyword this places no such restriction on the author of the rest of the system who may very well operate under a different policy).
What every C Programmer should know about undefined behavior #2/3 Posted May 17, 2011 17:21 UTC (Tue) by jeremiah (subscriber, #1221) [Link]
Just as an FYI the easiest way to get access is to use the reflection API, and the setAccessible() method. Things get a little deep in the reflection stuff, but being able to gain access to anything and modify comes in handy sometimes. I generally use it when writing serialization libraries.
|
|||||||||||||