Mon, 03 Jul 2017 14:20:39 -0700
Merge
.hgtags | file | annotate | diff | comparison | revisions |
1.1 --- a/.hgtags Mon Jun 26 15:18:59 2017 -0700 1.2 +++ b/.hgtags Mon Jul 03 14:20:39 2017 -0700 1.3 @@ -745,6 +745,7 @@ 1.4 2dbdceff6ade82aa9942cdea6b62d5655d65183c jdk8u151-b00 1.5 4449c73dbfdf2e32889e3ce769bd4160daa48b71 jdk8u151-b01 1.6 ffa099d5b88ff14cea677d2afa4229354e9404d0 jdk8u151-b02 1.7 +a6814326f989837019ff7dd0d9b0e57065499bc5 jdk8u151-b03 1.8 58d0ffe75dc5597310d422e214dc077476bd2338 jdk8u122-b00 1.9 a87b06da783bb5a11f7857220789979129e39e7c jdk8u122-b01 1.10 8684348ae5eb6f895d19e4752dea567642dbcec4 jdk8u122-b02
2.1 --- a/src/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java Mon Jun 26 15:18:59 2017 -0700 2.2 +++ b/src/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java Mon Jul 03 14:20:39 2017 -0700 2.3 @@ -31,13 +31,17 @@ 2.4 2.5 package com.sun.corba.se.impl.io; 2.6 2.7 +import java.security.AccessControlContext; 2.8 +import java.security.AccessController; 2.9 import java.security.MessageDigest; 2.10 import java.security.NoSuchAlgorithmException; 2.11 import java.security.DigestOutputStream; 2.12 -import java.security.AccessController; 2.13 +import java.security.PermissionCollection; 2.14 +import java.security.Permissions; 2.15 import java.security.PrivilegedExceptionAction; 2.16 import java.security.PrivilegedActionException; 2.17 import java.security.PrivilegedAction; 2.18 +import java.security.ProtectionDomain; 2.19 2.20 import java.lang.reflect.Modifier; 2.21 import java.lang.reflect.Array; 2.22 @@ -47,6 +51,7 @@ 2.23 import java.lang.reflect.Constructor; 2.24 import java.lang.reflect.Proxy; 2.25 import java.lang.reflect.InvocationTargetException; 2.26 +import java.lang.reflect.UndeclaredThrowableException; 2.27 2.28 import java.io.IOException; 2.29 import java.io.DataOutputStream; 2.30 @@ -57,6 +62,11 @@ 2.31 2.32 import java.util.Arrays; 2.33 import java.util.Comparator; 2.34 +import java.util.HashSet; 2.35 +import java.util.Set; 2.36 + 2.37 +import sun.misc.JavaSecurityAccess; 2.38 +import sun.misc.SharedSecrets; 2.39 2.40 import com.sun.corba.se.impl.util.RepositoryId; 2.41 2.42 @@ -418,6 +428,65 @@ 2.43 private static final PersistentFieldsValue persistentFieldsValue = 2.44 new PersistentFieldsValue(); 2.45 2.46 + /** 2.47 + * Creates a PermissionDomain that grants no permission. 2.48 + */ 2.49 + private ProtectionDomain noPermissionsDomain() { 2.50 + PermissionCollection perms = new Permissions(); 2.51 + perms.setReadOnly(); 2.52 + return new ProtectionDomain(null, perms); 2.53 + } 2.54 + 2.55 + /** 2.56 + * Aggregate the ProtectionDomains of all the classes that separate 2.57 + * a concrete class {@code cl} from its ancestor's class declaring 2.58 + * a constructor {@code cons}. 2.59 + * 2.60 + * If {@code cl} is defined by the boot loader, or the constructor 2.61 + * {@code cons} is declared by {@code cl}, or if there is no security 2.62 + * manager, then this method does nothing and {@code null} is returned. 2.63 + * 2.64 + * @param cons A constructor declared by {@code cl} or one of its 2.65 + * ancestors. 2.66 + * @param cl A concrete class, which is either the class declaring 2.67 + * the constructor {@code cons}, or a serializable subclass 2.68 + * of that class. 2.69 + * @return An array of ProtectionDomain representing the set of 2.70 + * ProtectionDomain that separate the concrete class {@code cl} 2.71 + * from its ancestor's declaring {@code cons}, or {@code null}. 2.72 + */ 2.73 + private ProtectionDomain[] getProtectionDomains(Constructor<?> cons, 2.74 + Class<?> cl) { 2.75 + ProtectionDomain[] domains = null; 2.76 + if (cons != null && cl.getClassLoader() != null 2.77 + && System.getSecurityManager() != null) { 2.78 + Class<?> cls = cl; 2.79 + Class<?> fnscl = cons.getDeclaringClass(); 2.80 + Set<ProtectionDomain> pds = null; 2.81 + while (cls != fnscl) { 2.82 + ProtectionDomain pd = cls.getProtectionDomain(); 2.83 + if (pd != null) { 2.84 + if (pds == null) pds = new HashSet<>(); 2.85 + pds.add(pd); 2.86 + } 2.87 + cls = cls.getSuperclass(); 2.88 + if (cls == null) { 2.89 + // that's not supposed to happen 2.90 + // make a ProtectionDomain with no permission. 2.91 + // should we throw instead? 2.92 + if (pds == null) pds = new HashSet<>(); 2.93 + else pds.clear(); 2.94 + pds.add(noPermissionsDomain()); 2.95 + break; 2.96 + } 2.97 + } 2.98 + if (pds != null) { 2.99 + domains = pds.toArray(new ProtectionDomain[0]); 2.100 + } 2.101 + } 2.102 + return domains; 2.103 + } 2.104 + 2.105 /* 2.106 * Initialize class descriptor. This method is only invoked on class 2.107 * descriptors created via calls to lookupInternal(). This method is kept 2.108 @@ -551,11 +620,15 @@ 2.109 readResolveObjectMethod = ObjectStreamClass.getInheritableMethod(cl, 2.110 "readResolve", noTypesList, Object.class); 2.111 2.112 + domains = new ProtectionDomain[] {noPermissionsDomain()}; 2.113 + 2.114 if (externalizable) 2.115 cons = getExternalizableConstructor(cl) ; 2.116 else 2.117 cons = getSerializableConstructor(cl) ; 2.118 2.119 + domains = getProtectionDomains(cons, cl); 2.120 + 2.121 if (serializable && !forProxyClass) { 2.122 /* Look for the writeObject method 2.123 * Set the accessible flag on it here. ObjectOutputStream 2.124 @@ -902,20 +975,53 @@ 2.125 throws InstantiationException, InvocationTargetException, 2.126 UnsupportedOperationException 2.127 { 2.128 + if (!initialized) 2.129 + throw new InternalError("Unexpected call when not initialized"); 2.130 if (cons != null) { 2.131 try { 2.132 - return cons.newInstance(new Object[0]); 2.133 + if (domains == null || domains.length == 0) { 2.134 + return cons.newInstance(); 2.135 + } else { 2.136 + JavaSecurityAccess jsa = SharedSecrets.getJavaSecurityAccess(); 2.137 + PrivilegedAction<?> pea = (PrivilegedAction<?>) new PrivilegedAction() { 2.138 + public Object run() { 2.139 + try { 2.140 + return cons.newInstance(); 2.141 + } catch (InstantiationException 2.142 + | InvocationTargetException 2.143 + | IllegalAccessException x) { 2.144 + throw new UndeclaredThrowableException(x); 2.145 + } 2.146 + } 2.147 + }; // Can't use PrivilegedExceptionAction with jsa 2.148 + try { 2.149 + return jsa.doIntersectionPrivilege(pea, 2.150 + AccessController.getContext(), 2.151 + new AccessControlContext(domains)); 2.152 + } catch (UndeclaredThrowableException x) { 2.153 + Throwable cause = x.getCause(); 2.154 + if (cause instanceof InstantiationException) 2.155 + throw (InstantiationException) cause; 2.156 + if (cause instanceof InvocationTargetException) 2.157 + throw (InvocationTargetException) cause; 2.158 + if (cause instanceof IllegalAccessException) 2.159 + throw (IllegalAccessException) cause; 2.160 + // not supposed to happen 2.161 + throw x; 2.162 + } 2.163 + } 2.164 } catch (IllegalAccessException ex) { 2.165 // should not occur, as access checks have been suppressed 2.166 InternalError ie = new InternalError(); 2.167 - ie.initCause( ex ) ; 2.168 - throw ie ; 2.169 + ie.initCause(ex); 2.170 + throw ie; 2.171 } 2.172 } else { 2.173 throw new UnsupportedOperationException(); 2.174 } 2.175 } 2.176 2.177 + 2.178 /** 2.179 * Returns public no-arg constructor of given class, or null if none found. 2.180 * Access checks are disabled on the returned constructor (if any), since 2.181 @@ -1526,7 +1632,8 @@ 2.182 Method readObjectMethod; 2.183 private transient Method writeReplaceObjectMethod; 2.184 private transient Method readResolveObjectMethod; 2.185 - private Constructor cons ; 2.186 + private Constructor<?> cons; 2.187 + private transient ProtectionDomain[] domains; 2.188 2.189 /** 2.190 * Beginning in Java to IDL ptc/02-01-12, RMI-IIOP has a