8217920: Lookup.defineClass injects a class that can access private members of any class in its own module

Reviewed-by: psandoz, alanb, darcy
Mandy Chung 2023-01-27 18:31:03 +00:00
parent 22c976a9b0
commit 7f05d57a87
2 changed files with 31 additions and 1 deletions

@ -233,6 +233,12 @@ public class MethodHandles {
* <p>
* The resulting {@code Lookup} object has no {@code ORIGINAL} access.
*
* @apiNote The {@code Lookup} object returned by this method is allowed to
* {@linkplain Lookup#defineClass(byte[]) define classes} in the runtime package
* of {@code targetClass}. Extreme caution should be taken when opening a package
* to another module as such defined classes have the same full privilege
* access as other members in {@code targetClass}'s module.
*
* @param targetClass the target class
* @param caller the caller lookup object
* @return a lookup object for the target class, with private access
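
Review bot: The caution sentence in the new @apiNote ("Extreme caution should be taken when opening a package to another module") does not say who it is addressed to. The note sits on privateLookupIn, which is called by the code that receives the opened package, while the decision being warned about is made by the module that opens the package. Suggest naming that party, for example "A module that opens a package to another module should do so with extreme caution, as classes defined this way have the same full privilege access as other members in {@code targetClass}'s module."
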
@ -851,7 +857,7 @@ public class MethodHandles {
* <p>
* {@link MethodHandles#privateLookupIn(Class, Lookup) MethodHandles.privateLookupIn(T.class, lookup)}
* can be used to teleport a {@code lookup} from class {@code C} to class {@code T}
* and create a new {@code Lookup} with <a href="#privacc">private access</a>
* and produce a new {@code Lookup} with <a href="#privacc">private access</a>
* if the lookup class is allowed to do <em>deep reflection</em> on {@code T}.
* The {@code lookup} must have {@link #MODULE} and {@link #PRIVATE} access
* to call {@code privateLookupIn}.
@ -869,6 +875,12 @@ public class MethodHandles {
* it cannot be used to obtain another private {@code Lookup} by calling
* {@link MethodHandles#privateLookupIn(Class, Lookup) privateLookupIn}
* because it has no {@code MODULE} access.
* <p>
* The {@code Lookup} object returned by {@code privateLookupIn} is allowed to
* {@linkplain Lookup#defineClass(byte[]) define classes} in the runtime package
* of {@code T}. Extreme caution should be taken when opening a package
* to another module as such defined classes have the same full privilege
* access as other members in {@code M2}.
*
* <h2><a id="module-access-check"></a>Cross-module access checks</h2>
*
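
Review bot: The last sentence of the added paragraph refers to {@code M2} without tying it to {@code T} in the lines shown here, while the matching @apiNote on privateLookupIn says "{@code targetClass}'s module". Suggest "other members in {@code T}'s module, {@code M2}" so that the two warnings read the same way and a reader who lands on this paragraph does not have to search for where M2 was introduced. The paragraph also repeats the @apiNote almost word for word; a {@link} from one to the other would keep the two from drifting apart.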