[commit-cp] [task #4252] Decide that to do with the codebase tag in the value type record

[Audrius Meškauskas]

URL:
  <http://savannah.gnu.org/task/?func=detailitem&item_id=4252>

                 Summary: Decide that to do with the codebase tag in the value
type record
                 Project: classpath
            Submitted by: audriusa
            Submitted on: Sat 06/11/2005 at 17:57
                Category: CORBA
         Should Start On: Sun 12/11/2005 at 00:00
   Should be Finished on: Sat 06/11/2005 at 00:00
                Priority: 1 - Later
                  Status: None
                 Privacy: Public
             Assigned to: None
        Percent Complete: 0%
             Open/Closed: Open
                  Effort: 0.00

    _______________________________________________________

Details:

The value type objects must be able to handle method invocations locally. To
support this, the CORBA message, including the value type object, also
contains the "codebase" - a space separated list of URLs, from where the
receiver should download the missing code. This is interesting, elegant and
easy to implement. However, to my opinion, the possibility to download and
launch the code without control creates a tremendous security hole. If
somebody is interested how to execute the potentially malicious code safely,
this task can provide a suitable challenge. The problem seems related to the
safe execution of java applets in a browser. However, differently from the
applets, that thing is sitting inside the core java classes.

Sun does not documents how this feature is handled, if handled in any way at
all.






    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/task/?func=detailitem&item_id=4252>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/