Minecraftforge: Mods are able to circumvent the Security Manager policy regarding System.exit() by calling java.lang.Shutdown.exit()

There's no way to fix this "issue" other than by disabling reflection, which would break all mods.

Mods not being able to call System.exit() from outside a world is a bug, why not fix that instead?

I believe this is not an issue on Forge's side but rather a security flaw on OpenJDK's side, I wanted to post a bug report about this to OpenJDK but it seems they've raised the bar quite high regarding who can post in the bug tracker...

"security flaw".... So tell me your reasoning. You see the words "Reflection" and "Shutdown", and think "this must be dangerous omg"?

OpenJDK would laugh at an issue just as much as anyone with more than a basic understanding of Java will when they see this bug report. Being able to bypass the security manager is an expected consequence of allowing the use of reflection.

If the bar is high for making OpenJDK issues, it's probably because of people like you making bug reports because of their ignorance of Java.

@Runemoro please do not resort to ad hominem, I've been respectful towards you in all exchanges we had till now, and I've been patient, but patience is a limited resource you're running out of.

Reflection is one big security hole. Using it to bypass security is nothing
new.

>

@War-Wizard That's because my patience has already run out:

1. Despite obviously knowing little about Java, you decided to make a Reddit thread to create drama about an unreleased version of my mod
2. Using (intentionally?) ambiguous sentences like "It literally kills the launcher process and then restarts it to make sure the game runs with this modified version.", combined with the fact that Mojang named a library "LegacyLauncher", you make people think VanillaFix is replacing their Minecraft launcher,
3. You then claim that it's unethical to redistribute a modified version of a library (Mixin). The whole point of open source software is for users to be free to adapt a library to their needs in case the owner no longer maintains it or refuses to merge certain changes into it.
4. You then look through the mod's code to find "security flaws" in it to try to prove me wrong
5. You make an issue on the MinecraftForge repo for something that's neither a Forge issue (which you realize yourself) nor an issue at all (reflection bypassing the security manager is expected). I can only assume this is just another attempt to spread drama

I suggest you learn more about Java and open source licenses before claiming that someone's mod is "dangerous" or "unethical".

@War-Wizard The intention of the FML security manager is to not stop mods from forcing an exit or to offer any "security", it is to mitigate poor use of System.exit, likely from a developer not knowing the implications, causing silent exits. VanillaFix is very intentionally offering special behavior in your example. If a mod wants to exit officially it can use FMLCommonHandler#exitJava, however in the context of a loading plugin as your example contains, that would be fairy questionable as that class really shouldn't be accessed that early.