view patches/openjdk/7102369-7094468-rmiregistry.patch @ 2578:96394d394527
Add security patches for 2012/06/12.
2012-06-07 Andrew John Hughes <ahughes@redhat.com>
* Makefile.am:
(ICEDTEA_PATCHES): Add security patches. Make more
patches HotSpot-build specific.
* patches/ecj/override.patch:
Add additional cases from 7143872.
* patches/arm.patch: Moved to HotSpot-specific versions.
* patches/arch.patch,
* patches/freetypeversion.patch,
* patches/gcc-suffix.patch:
Fix to work with no fuzz.
* patches/hotspot/hs20/arm.patch,
* patches/hotspot/hs20/gcc-stack-markings.patch,
* patches/hotspot/hs20/numa_on_early_glibc.patch,
* patches/hotspot/hs20/sparc-trapsfix.patch,
* patches/hotspot/hs20/version-hotspot.patch:
Split to work with hs20 with no fuzz.
* patches/hotspot/original/arm.patch,
* patches/hotspot/original/gcc-stack-markings.patch,
* patches/hotspot/original/numa_on_early_glibc.patch,
* patches/hotspot/original/sparc-trapsfix.patch,
* patches/hotspot/original/version-hotspot.patch:
Likewise for hs19 (original).
* patches/jaxp-serial-version-uid.patch,
* patches/libraries.patch,
* patches/nio2.patch,
* patches/no-static-linking.patch,
* patches/openjdk/6693253-security_warning.patch,
* patches/openjdk/6766342-AA-simple-shape-performance.patch,
* patches/openjdk/6797139-jbutton_truncation.patch,
* patches/openjdk/6851973-kerberos.patch,
* patches/openjdk/7102369-7094468-rmiregistry.patch:
Fixed to work with no fuzz.
* patches/openjdk/hs20/7034464-hugepage.patch,
* patches/openjdk/hs20/7103224-glibc_name_collision.patch,
Fixed to work with hs20 and no fuzz.
* patches/openjdk/mutter.patch:
Fixed to work with no fuzz.
* patches/openjdk/original/7034464-hugepage.patch,
* patches/openjdk/original/7103224-glibc_name_collision.patch,
Fixed to work with hs19 (original) and no fuzz.
* patches/openjdk/remove-mimpure-option-to-gcc.patch:
Fixed to work with no fuzz.
* patches/security/20120612/7079902.patch,
* patches/security/20120612/7143606.patch,
* patches/security/20120612/7143614.patch,
* patches/security/20120612/7143617.patch,
* patches/security/20120612/7143851.patch,
* patches/security/20120612/7143872.patch,
* patches/security/20120612/7145239.patch,
* patches/security/20120612/7157609.patch,
* patches/security/20120612/7160677.patch,
* patches/security/20120612/7160757.patch,
* patches/security/20120612/hs20/7110720.patch,
* patches/security/20120612/hs20/7152811.patch,
* patches/security/20120612/original/7110720.patch,
* patches/security/20120612/original/7152811.patch,
Security patches for 2012/06/12.
* NEWS: Updated.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Fri, 08 Jun 2012 14:23:28 +0100 |
parents | f844632b05a0 |
children |
diff -Nru openjdk.orig/jdk/src/share/classes/sun/rmi/registry/RegistryImpl.java openjdk/jdk/src/share/classes/sun/rmi/registry/RegistryImpl.java --- openjdk.orig/jdk/src/share/classes/sun/rmi/registry/RegistryImpl.java 2012-06-08 12:16:36.773125012 +0100 +++ openjdk/jdk/src/share/classes/sun/rmi/registry/RegistryImpl.java 2012-06-08 12:17:21.653851103 +0100 @@ -29,6 +29,7 @@ import java.util.Hashtable; import java.util.MissingResourceException; import java.util.ResourceBundle; +import java.io.FilePermission; import java.io.IOException; import java.net.*; import java.rmi.*; @@ -41,12 +42,12 @@ import java.security.AccessControlContext; import java.security.AccessController; import java.security.CodeSource; -import java.security.Policy; +import java.security.Policy; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.security.PermissionCollection; import java.security.Permissions; -import java.security.ProtectionDomain; +import java.security.ProtectionDomain; import java.text.MessageFormat; import sun.rmi.server.LoaderHandler; import sun.rmi.server.UnicastServerRef; @@ -54,7 +55,6 @@ import sun.rmi.transport.LiveRef; import sun.rmi.transport.ObjectTable; import sun.rmi.transport.Target; -import sun.security.action.GetPropertyAction; /** * A "registry" exists on every node that allows RMI connections to @@ -76,8 +76,10 @@ /* indicate compatibility with JDK 1.1.x version of class */ private static final long serialVersionUID = 4666870661827494597L; - private Hashtable bindings = new Hashtable(101); - private static Hashtable allowedAccessCache = new Hashtable(3); + private Hashtable<String, Remote> bindings + = new Hashtable<String, Remote>(101); + private static Hashtable<InetAddress, InetAddress> allowedAccessCache + = new Hashtable<InetAddress, InetAddress>(3); private static RegistryImpl registry; private static ObjID id = new ObjID(ObjID.REGISTRY_ID); 
@@ -129,7 +131,7 @@ throws RemoteException, NotBoundException { synchronized (bindings) { - Remote obj = (Remote)bindings.get(name); + Remote obj = bindings.get(name); if (obj == null) throw new NotBoundException(name); return obj; @@ -146,7 +148,7 @@ { checkAccess("Registry.bind"); synchronized (bindings) { - Remote curr = (Remote)bindings.get(name); + Remote curr = bindings.get(name); if (curr != null) throw new AlreadyBoundException(name); bindings.put(name, obj); @@ -163,7 +165,7 @@ { checkAccess("Registry.unbind"); synchronized (bindings) { - Remote obj = (Remote)bindings.get(name); + Remote obj = bindings.get(name); if (obj == null) throw new NotBoundException(name); bindings.remove(name); @@ -213,10 +215,9 @@ InetAddress clientHost; try { - clientHost = (InetAddress) - java.security.AccessController.doPrivileged( - new java.security.PrivilegedExceptionAction() { - public Object run() + clientHost = java.security.AccessController.doPrivileged( + new java.security.PrivilegedExceptionAction<InetAddress>() { + public InetAddress run() throws java.net.UnknownHostException { return InetAddress.getByName(clientHostName); @@ -238,8 +239,8 @@ final InetAddress finalClientHost = clientHost; java.security.AccessController.doPrivileged( - new java.security.PrivilegedExceptionAction() { - public Object run() throws java.io.IOException { + new java.security.PrivilegedExceptionAction<Void>() { + public Void run() throws java.io.IOException { /* * if a ServerSocket can be bound to the client's * address then that address must be local 
@@ -334,19 +335,6 @@ URL[] urls = sun.misc.URLClassPath.pathToURLs(envcp); ClassLoader cl = new URLClassLoader(urls); - String codebaseProperty = null; - String prop = java.security.AccessController.doPrivileged( - new GetPropertyAction("java.rmi.server.codebase")); - if (prop != null && prop.trim().length() > 0) { - codebaseProperty = prop; - } - URL[] codebaseURLs = null; - if (codebaseProperty != null) { - codebaseURLs = sun.misc.URLClassPath.pathToURLs(codebaseProperty); - } else { - codebaseURLs = new URL[0]; - } - /* * Fix bugid 4242317: Classes defined by this class loader should * be annotated with the value of the "java.rmi.server.codebase" @@ -364,7 +352,7 @@ public RegistryImpl run() throws RemoteException { return new RegistryImpl(regPort); } - }, getAccessControlContext(codebaseURLs)); + }, getAccessControlContext()); } catch (PrivilegedActionException ex) { throw (RemoteException) ex.getException(); } @@ -390,11 +378,11 @@ } /** - * Generates an AccessControlContext from several URLs. + * Generates an AccessControlContext with minimal permissions. * The approach used here is taken from the similar method * getAccessControlContext() in the sun.applet.AppletPanel class. */ - private static AccessControlContext getAccessControlContext(URL[] urls) { + private static AccessControlContext getAccessControlContext() { // begin with permissions granted to all code in current policy PermissionCollection perms = AccessController.doPrivileged( new java.security.PrivilegedAction<PermissionCollection>() { 
@@ -417,17 +405,15 @@ */ perms.add(new SocketPermission("*", "connect,accept")); - // add permissions required to load from codebase URL path - LoaderHandler.addPermissionsForURLs(urls, perms, false); + perms.add(new FilePermission("<<ALL FILES>>", "read")); /* * Create an AccessControlContext that consists of a single * protection domain with only the permissions calculated above. */ ProtectionDomain pd = new ProtectionDomain( - new CodeSource((urls.length > 0 ? urls[0] : null), - (java.security.cert.Certificate[]) null), - perms); + new CodeSource(null, + (java.security.cert.Certificate[]) null), perms); return new AccessControlContext(new ProtectionDomain[] { pd }); } } diff -Nru openjdk.orig/jdk/src/share/classes/sun/rmi/server/LoaderHandler.java openjdk/jdk/src/share/classes/sun/rmi/server/LoaderHandler.java --- openjdk.orig/jdk/src/share/classes/sun/rmi/server/LoaderHandler.java 2012-06-08 12:16:36.773125012 +0100 +++ openjdk/jdk/src/share/classes/sun/rmi/server/LoaderHandler.java 2012-06-08 12:17:21.653851103 +0100 @@ -1028,7 +1028,7 @@ * loader. A given permission is only added to the collection if * it is not already implied by the collection. */ - public static void addPermissionsForURLs(URL[] urls, + private static void addPermissionsForURLs(URL[] urls, PermissionCollection perms, boolean forLoader) { diff -Nru openjdk.orig/jdk/test/java/rmi/registry/readTest/readTest.java openjdk/jdk/test/java/rmi/registry/readTest/readTest.java --- openjdk.orig/jdk/test/java/rmi/registry/readTest/readTest.java 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/test/java/rmi/registry/readTest/readTest.java 2012-06-08 12:17:21.673851428 +0100 
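Review bot: The new `perms.add(new FilePermission("<<ALL FILES>>", "read"));` has no comment explaining why the registry's restricted context needs read access to every file, while the Javadoc changed in the preceding hunk (`@@ -390,11 +378,11 @@`) now describes the context as having "minimal permissions". Together with the retained `SocketPermission("*", "connect,accept")`, code running inside this context can read anything the rmiregistry OS account can read, so the grant deserves a stated rationale; presumably it exists so classes can still be resolved from `file:` locations once the `java.rmi.server.codebase` parsing is removed. I would add a comment above the grant such as `// read-only file access, presumably for loading classes from file: URLs; covers every file readable by the registry's OS user`, and reword the Javadoc to name the two grants instead of calling them minimal. getAccessControlContext() begins in the previous hunk, so the policy-derived permissions it starts from are not visible here.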
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.rmi.registry.Registry;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.RemoteException;
+import java.rmi.server.UnicastRemoteObject;
+
+
+public class readTest {
+
+ public static void main(String args[]) throws Exception {
+ int port = 7491;
+ try {
+ testPkg.Server obj = new testPkg.Server();
+ testPkg.Hello stub = (testPkg.Hello) UnicastRemoteObject.exportObject(obj, 0);
+ // Bind the remote object's stub in the registry
+ Registry registry = LocateRegistry.getRegistry(port);
+ registry.bind("Hello", stub);
+
+ System.err.println("Server ready");
+
+ // now, let's test client
+ testPkg.Client client = new testPkg.Client(port);
+ String testStubReturn = client.testStub();
+ if(!testStubReturn.equals(obj.hello)) {
+ throw new RuntimeException("Test Fails : unexpected string from stub call");
+ } else {
+ System.out.println("Test passed");
+ }
+ registry.unbind("Hello");
+
+ } catch (Exception e) {
+ System.err.println("Server exception: " + e.toString());
+ e.printStackTrace();
+ }
+
+ }
+}
diff -Nru openjdk.orig/jdk/test/java/rmi/registry/readTest/readTest.sh openjdk/jdk/test/java/rmi/registry/readTest/readTest.sh
--- openjdk.orig/jdk/test/java/rmi/registry/readTest/readTest.sh 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/test/java/rmi/registry/readTest/readTest.sh 2012-06-08 12:17:21.673851428 +0100
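Review bot: The `catch (Exception e)` at the end of `main` logs and then returns normally, so the `RuntimeException("Test Fails : unexpected string from stub call")` thrown a few lines above it, and any bind or lookup failure, never fails the JVM; the verdict rests entirely on readTest.sh grepping for "Test passed". Since `main` already declares `throws Exception`, re-raise after logging by adding `throw e;` as the last statement of the catch block. `registry.unbind("Hello");` is also skipped on every failure path and would be safer in a `finally`. The port `7491` is hard-coded here and in readTest.sh, so a registry already listening on it could make the test talk to an unrelated process.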
@@ -0,0 +1,95 @@
+#
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 7102369 7094468 7100592
+# @summary remove java.rmi.server.codebase property parsing from registyimpl
+# @run shell readTest.sh
+
+OS=`uname -s`
+case "$OS" in
+ SunOS | Linux )
+ PS=":"
+ FS="/"
+ FILEURL="file:"
+ ;;
+ Windows* | CYGWIN* )
+ PS=";"
+ FS="\\"
+ FILEURL="file:/"
+ ;;
+ * )
+ echo "Unrecognized system!"
+ exit 1;
+ ;;
+esac
+
+cp -r ${TESTSRC}${FS}* .
+${TESTJAVA}${FS}bin${FS}javac testPkg${FS}*java
+${TESTJAVA}${FS}bin${FS}javac readTest.java
+
+mkdir rmi_tmp
+RMIREG_OUT=rmi.out
+#start rmiregistry without any local classes on classpath
+cd rmi_tmp
+${TESTJAVA}${FS}bin${FS}rmiregistry 7491 > ..${FS}${RMIREG_OUT} 2>&1 &
+RMIREG_PID=$!
+# allow some time to start
+sleep 3
+cd ..
+
+# trailing / after code base is important for rmi codebase property.
+${TESTJAVA}${FS}bin${FS}java -Djava.rmi.server.codebase=${FILEURL}`pwd`/ readTest > OUT.TXT 2>&1 &
+TEST_PID=$!
+#bulk of testcase - let it run for a while
+sleep 5
+
+#we're done, kill processes first
+kill -9 ${RMIREG_PID} ${TEST_PID}
+sleep 3
+
+echo "Test output : "
+
+cat OUT.TXT
+echo "=============="
+echo "rmiregistry output : "
+cat ${RMIREG_OUT}
+echo "=============="
+
+grep "Server ready" OUT.TXT
+result1=$?
+grep "Test passed" OUT.TXT
+result2=$?
+
+if [ $result1 -eq 0 -a $result2 -eq 0 ]
+then
+ echo "Passed"
+ exitCode=0;
+else
+ echo "Failed"
+ exitCode=1
+fi
+rm -rf OUT.TXT ${RMIREG_OUT} rmi_tmp
+exit ${exitCode}
+
+
diff -Nru openjdk.orig/jdk/test/java/rmi/registry/readTest/testPkg/Client.java openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Client.java
--- openjdk.orig/jdk/test/java/rmi/registry/readTest/testPkg/Client.java 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Client.java 2012-06-08 12:17:21.673851428 +0100
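Review bot: Nothing in the script exercises the behaviour named in `@summary`: it only checks that bind and lookup still succeed with the codebase set on the client JVM, and never starts `rmiregistry` with its own `java.rmi.server.codebase` value to confirm the registry now ignores it. A negative case of that kind would guard the security fix against regression. Separately, the two `javac` invocations are unchecked, so a compile failure only shows up as a missing "Test passed" after the fixed `sleep 3` and `sleep 5` waits; appending `|| exit 1` to both would fail fast. The `@summary` line also misspells the class name as `registyimpl`.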
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package testPkg;
+
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+public class Client {
+ int port;
+
+ public Client(int p) {
+ port = p;
+ }
+
+ public String testStub() throws Exception {
+ try {
+ Registry registry = LocateRegistry.getRegistry(port);
+ Hello stub = (Hello) registry.lookup("Hello");
+ String response = stub.sayHello();
+ return response;
+ } catch (Exception e) {
+ System.err.println("Client exception: " + e.toString());
+ throw e;
+ }
+ }
+ }
+
diff -Nru openjdk.orig/jdk/test/java/rmi/registry/readTest/testPkg/Hello.java openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Hello.java
--- openjdk.orig/jdk/test/java/rmi/registry/readTest/testPkg/Hello.java 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Hello.java 2012-06-08 12:17:21.673851428 +0100
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package testPkg;
+
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+
+public interface Hello extends Remote {
+ String sayHello() throws RemoteException;
+}
diff -Nru openjdk.orig/jdk/test/java/rmi/registry/readTest/testPkg/Server.java openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Server.java
--- openjdk.orig/jdk/test/java/rmi/registry/readTest/testPkg/Server.java 1970-01-01 01:00:00.000000000 +0100
+++ openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Server.java 2012-06-08 12:17:21.673851428 +0100
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package testPkg;
+
+public class Server implements Hello {
+
+ public String hello = "Hello, world!";
+
+ public Server() {}
+
+ public String sayHello() {
+ return hello;
+ }
+
+}