Mercurial > hg > release > icedtea-web-1.7

changeset 530:5a473790c21d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
PR1145: IcedTea-Web can cause ClassCircularityError It is possible for the ClassLoader to encounter a ClassCircularityError. This can happen when the ClassLoader detects that checking if a class 'A' has been loaded triggers another check of whether 'A' has been loaded before the first check has completed. This can happen easily when trying to load Policy or Permission classes, which lie in our code path that checks whether a class has been loaded. One possible fix is to ensure these classes are not in the path of code that gets executed when we are trying to check for a class. This can be done by removing the call to getAccessControlContextForClassLoading. The javadocs for ClassLoader.findLoadedClass do not mention any permissions required to call the method nor do they mention that the method can throw a SecurityException. The native code that implements findLoadedClass does not have any security checks either. The doProvileged block is probably not needed here and removing it breaks the circularity.
author Omair Majid <omajid@redhat.com>
date Fri, 05 Oct 2012 23:02:53 -0400
parents 3c9fc2571585
children c4dc3da913ab
files ChangeLog NEWS netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
diffstat 3 files changed, 11 insertions(+), 13 deletions(-) [+]
line wrap: on
line diff
--- a/ChangeLog	Wed Oct 03 19:19:30 2012 +0200
+++ b/ChangeLog	Fri Oct 05 23:02:53 2012 -0400
@@ -1,3 +1,12 @@
+2012-10-05  Omair Majid  <omajid@redhat.com>
+
+	PR1145
+	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+	(getAccessControlContextForClassLoading): Do not catch
+	ClassCircularityError.
+	(findLoadedClassAll): Call findLoadedClass without any special
+	permissions.
+
 2012-10-03 Jana Fabrikova  <jfabriko@redhat.com>
 
 	* tests/reproducers/simple/JSToJGet:
--- a/NEWS	Wed Oct 03 19:19:30 2012 +0200
+++ b/NEWS	Fri Oct 05 23:02:53 2012 -0400
@@ -17,6 +17,7 @@
 * Common
   - PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered
   - PR955: regression: SweetHome3D fails to run
+  - PR1145: IcedTea-Web can cause ClassCircularityError
   - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
 
 New in release 1.3 (2012-XX-XX):
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Wed Oct 03 19:19:30 2012 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Fri Oct 05 23:02:53 2012 -0400
@@ -1494,17 +1494,7 @@
             Class result = null;
 
             if (loaders[i] == this) {
-                final String fName = name;
-                try {
-                    result = AccessController.doPrivileged(
-                            new PrivilegedExceptionAction<Class<?>>() {
-                                public Class<?> run() {
-                                    return JNLPClassLoader.super.findLoadedClass(fName);
-                                }
-                            }, getAccessControlContextForClassLoading());
-                } catch (PrivilegedActionException pae) {
-                    result = null;
-                }
+                result = JNLPClassLoader.super.findLoadedClass(name);
             } else {
                 result = loaders[i].findLoadedClassAll(name);
             }
@@ -2154,8 +2144,6 @@
             return context; // If context already has all permissions, don't bother
         } catch (AccessControlException ace) {
             // continue below
-        } catch (ClassCircularityError cce) {
-            // continue below
         }
 
         // Since this is for class-loading, technically any class from one jar