view patches/openjdk/8014085-better_serialization.patch @ 2938:d667440f2973
Add 2013/10/15 security fixes.
2013-10-29 Andrew John Hughes <gnu.andrew@redhat.com>
* patches/ecj/bootver.patch:
Removed as unapplied & incorporated in other patches.
* Makefile.am:
(SECURITY_PATCHES): Add security update.
* NEWS: Updated.
* patches/jtreg-LastErrorString.patch,
* patches/openjdk/7196533-timezone_bottleneck.patch,
* patches/openjdk/8010727-empty_logger_name.patch,
* patches/openjdk/8010939-logmanager_deadlock.patch,
* patches/openjdk/8012617-arrayindexoutofbounds_linebreakmeasurer.patch,
* patches/openjdk/8014718-remove_logging_suntoolkit.patch:
Regenerated.
* patches/nss-config.patch: Fix path to java.security.
* patches/openjdk/4075303-javap_update.patch,
* patches/openjdk/4111861-static_fields.patch,
* patches/openjdk/4501661-disallow_mixing.patch,
* patches/openjdk/4884240-javap_additional_option.patch,
* patches/openjdk/6708729-javap_makefile_update.patch,
* patches/openjdk/6715767-javap_crash.patch,
* patches/openjdk/6819246-javap_instruction_decoding.patch,
* patches/openjdk/6824493-experimental.patch,
* patches/openjdk/6841419-classfile_iterator.patch,
* patches/openjdk/6841420-classfile_methods.patch,
* patches/openjdk/6843013-missing_experimental.patch,
* patches/openjdk/6852856-javap_subclasses.patch,
* patches/openjdk/6867671-javap_whitespace.patch,
* patches/openjdk/6868539-constant_pool_tags.patch,
* patches/openjdk/6902264-fix_indentation.patch,
* patches/openjdk/6954275-big_xml_signatures.patch,
* patches/openjdk/7146431-java.security_files.patch,
* patches/openjdk/8000450-restrict_access.patch,
* patches/openjdk/8002070-remove_logger_stack_search.patch,
* patches/openjdk/8003992-embedded_nulls.patch,
* patches/openjdk/8004188-rename_java.security.patch,
* patches/openjdk/8006882-jmockit.patch,
* patches/openjdk/8006900-new_date_time.patch,
* patches/openjdk/8008589-better_mbean_permission_validation.patch,
* patches/openjdk/8010118-caller_sensitive.patch,
* patches/openjdk/8011071-better_crypto_provider_handling.patch,
* patches/openjdk/8011081-improve_jhat.patch,
* patches/openjdk/8011139-revise_checking_getenclosingclass.patch,
* patches/openjdk/8011157-improve_corba_portability-jdk.patch,
* patches/openjdk/8011157-improve_corba_portability.patch,
* patches/openjdk/8011990-logger_test_urls.patch,
* patches/openjdk/8012071-better_bean_building.patch,
* patches/openjdk/8012147-improve_tool.patch,
* patches/openjdk/8012243-serial_regression.patch,
* patches/openjdk/8012277-improve_dataflavour.patch,
* patches/openjdk/8012425-transform_transformfactory.patch,
* patches/openjdk/8012453-runtime.exec.patch,
* patches/openjdk/8013380-logger_stack_walk_glassfish.patch,
* patches/openjdk/8013503-improve_stream_factories.patch,
* patches/openjdk/8013506-better_pack200.patch,
* patches/openjdk/8013510-augment_image_writing.patch,
* patches/openjdk/8013514-improve_cmap_stability.patch,
* patches/openjdk/8013739-better_ldap_resource_management.patch,
* patches/openjdk/8013744-better_tabling.patch,
* patches/openjdk/8013827-createtempfile_hang.patch,
* patches/openjdk/8014085-better_serialization.patch,
* patches/openjdk/8014093-improve_image_parsing.patch,
* patches/openjdk/8014102-improve_image_conversion.patch,
* patches/openjdk/8014341-better_kerberos_service.patch,
* patches/openjdk/8014349-getdeclaredclass_fix.patch,
* patches/openjdk/8014530-better_dsp.patch,
* patches/openjdk/8014534-better_profiling.patch,
* patches/openjdk/8014745-logger_stack_walk_switch.patch,
* patches/openjdk/8014987-augment_serialization.patch,
* patches/openjdk/8015144-performance_regression.patch,
* patches/openjdk/8015614-update_build.patch,
* patches/openjdk/8015731-auth_improvements.patch,
* patches/openjdk/8015743-address_internet_addresses.patch,
* patches/openjdk/8015965-typo_in_property_name.patch,
* patches/openjdk/8015978-incorrect_transformation.patch,
* patches/openjdk/8016256-finalization_final.patch,
* patches/openjdk/8016357-update_hs_diagnostic_class.patch,
* patches/openjdk/8016653-ignoreable_characters.patch,
* patches/openjdk/8016675-robust_javadoc.patch,
* patches/openjdk/8017196-ensure_proxies_are_handled_appropriately-jdk.patch,
* patches/openjdk/8017196-ensure_proxies_are_handled_appropriately.patch,
* patches/openjdk/8017287-better_resource_disposal.patch,
* patches/openjdk/8017291-cast_proxies_aside.patch,
* patches/openjdk/8017298-better_xml_support.patch,
* patches/openjdk/8017300-improve_interface_implementation.patch,
* patches/openjdk/8017505-better_client_service.patch,
* patches/openjdk/8017566-backout_part_of_8000450.patch,
* patches/openjdk/8019292-better_attribute_value_exceptions.patch,
* patches/openjdk/8019584-invalid_notification_fix.patch,
* patches/openjdk/8019617-better_view_of_objects.patch,
* patches/openjdk/8019969-inet6_test_case_fix.patch,
* patches/openjdk/8019979-better_access_test.patch,
* patches/openjdk/8020293-jvm_crash.patch,
* patches/openjdk/8021290-signature_validation.patch,
* patches/openjdk/8021355-splashscreen_regression.patch,
* patches/openjdk/8021366-jaxp_test_fix-01.patch,
* patches/openjdk/8021577-bean_serialization_fix.patch,
* patches/openjdk/8021933-jaxp_test_fix-02.patch,
* patches/openjdk/8021969-jnlp_load_failure.patch,
* patches/openjdk/8022661-writeobject_flush.patch,
* patches/openjdk/8022682-supporting_xom.patch,
* patches/openjdk/8022940-enhance_corba_translations.patch,
* patches/openjdk/8023683-enhance_class_file_parsing.patch,
* patches/openjdk/8023964-ignore_test.patch,
* patches/openjdk/8024914-swapped_usage.patch,
* patches/openjdk/8025128-createtempfile_absolute_prefix.patch,
* patches/openjdk/oj6-19-fix_8010118_test_cases.patch,
* patches/openjdk/oj6-20-merge.patch,
* patches/openjdk/oj6-21-overrides.patch: Added.
author | Andrew John Hughes <gnu.andrew@redhat.com> |
---|---|
date | Thu, 31 Oct 2013 00:22:07 +0000 |
parents | |
children |
# HG changeset patch # User jbachorik # Date 1371711107 -7200 # Thu Jun 20 08:51:47 2013 +0200 # Node ID a9be60a78488c7b261b92d927d1272afe2484e6b # Parent d10e47deb098d4af5d58a8bfe92dc8033e5ef6f7 8014085: Better serialization support in JMX classes Reviewed-by: alanb, dfuchs, skoivu diff -r d10e47deb098 -r a9be60a78488 src/share/classes/javax/management/MBeanNotificationInfo.java --- openjdk/jdk/src/share/classes/javax/management/MBeanNotificationInfo.java Tue Oct 15 16:47:11 2013 +0100 +++ openjdk/jdk/src/share/classes/javax/management/MBeanNotificationInfo.java Thu Jun 20 08:51:47 2013 +0200 @@ -25,6 +25,9 @@ package javax.management; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.util.Arrays; /** @@ -67,7 +70,7 @@ /** * @serial The different types of the notification. */ - private final String[] types; + private String[] types; /** @see MBeanInfo#arrayGettersSafe */ private final transient boolean arrayGettersSafe; @@ -114,9 +117,8 @@ notifType, though it doesn't explicitly allow it either. */ - if (notifTypes == null) - notifTypes = NO_TYPES; - this.types = notifTypes; + this.types = (notifTypes != null && notifTypes.length > 0) ? + notifTypes.clone() : NO_TYPES; this.arrayGettersSafe = MBeanInfo.arrayGettersSafe(this.getClass(), MBeanNotificationInfo.class); 
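Review bot: Dropping `final` from `types` in the `@@ -67,7 +70,7 @@` hunk of MBeanNotificationInfo.java is left undocumented, and the field loses the safe-publication guarantee that final fields give an immutable class. The same change is made to `protocol`, `host`, `port` and `urlPath` in JMXServiceURL, to the three fields of NotificationResult, and to `notif` and `id` in TargetedNotification. The new `readObject` methods appear to be the only reason for it, so I would add a comment on each field such as `// Not final only so that readObject can assign it after validation; never reassigned otherwise.` so that later edits do not start mutating state that callers treat as immutable.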
@@ -203,4 +205,16 @@ hash ^= types[i].hashCode(); return hash; } + + private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { + ObjectInputStream.GetField gf = ois.readFields(); + String[] t = (String[])gf.get("types", null); + + if (t == null) { + throw new InvalidObjectException("Trying to deserialize an invalid " + + "instance of " + MBeanNotificationInfo.class + + "[types=null]"); + } + types = t.length == 0 ? t : t.clone(); + } } diff -r d10e47deb098 -r a9be60a78488 src/share/classes/javax/management/remote/JMXPrincipal.java --- openjdk/jdk/src/share/classes/javax/management/remote/JMXPrincipal.java Tue Oct 15 16:47:11 2013 +0100 +++ openjdk/jdk/src/share/classes/javax/management/remote/JMXPrincipal.java Thu Jun 20 08:51:47 2013 +0200 @@ -26,6 +26,9 @@ package javax.management.remote; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.io.Serializable; import java.security.Principal; @@ -64,9 +67,7 @@ * <code>null</code>. */ public JMXPrincipal(String name) { - if (name == null) - throw new NullPointerException("illegal null input"); - + validate(name); this.name = name; } 
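Review bot: The new `readObject` in MBeanNotificationInfo.java rejects a null `types` array but not null elements inside it, while the `hashCode` lines kept as context at the top of this hunk call `types[i].hashCode()` unguarded. A stream carrying a null element would therefore produce an instance that passes deserialization and throws NullPointerException later, away from the input boundary. The partly visible constructor comment in the earlier hunk seems to discuss whether null types are allowed; if they are meant to stay legal, a comment on `readObject` should say so. Otherwise check the cloned array before assigning it, for example `for (String s : copy) if (s == null) throw new InvalidObjectException("null notification type");`. The enclosing `hashCode` starts outside the hunk.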
@@ -130,4 +131,20 @@ public int hashCode() { return name.hashCode(); } + + private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { + ObjectInputStream.GetField gf = ois.readFields(); + String principalName = (String)gf.get("name", null); + try { + validate(principalName); + this.name = principalName; + } catch (NullPointerException e) { + throw new InvalidObjectException(e.getMessage()); + } + } + + private static void validate(String name) throws NullPointerException { + if (name == null) + throw new NullPointerException("illegal null input"); + } } diff -r d10e47deb098 -r a9be60a78488 src/share/classes/javax/management/remote/JMXServiceURL.java --- openjdk/jdk/src/share/classes/javax/management/remote/JMXServiceURL.java Tue Oct 15 16:47:11 2013 +0100 +++ openjdk/jdk/src/share/classes/javax/management/remote/JMXServiceURL.java Thu Jun 20 08:51:47 2013 +0200 @@ -29,6 +29,9 @@ import com.sun.jmx.remote.util.ClassLogger; import com.sun.jmx.remote.util.EnvHelp; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.io.Serializable; import java.net.InetAddress; @@ -299,7 +302,7 @@ If we're given an explicit host name that is illegal we have to reject it. (Bug 5057532.) */ try { - validateHost(host); + validateHost(host, port); } catch (MalformedURLException e) { if (logger.fineOn()) { logger.fine("JMXServiceURL", 
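Review bot: `readObject` in JMXPrincipal.java expresses a null check as a `catch (NullPointerException e)` around `validate` and rebuilds the error from `e.getMessage()` alone, so the original exception is discarded. A direct test reads more plainly and cannot mask an unrelated NullPointerException: `if (principalName == null) throw new InvalidObjectException("illegal null input");`. The `readObject` methods added to NotificationResult and TargetedNotification rewrap IllegalArgumentException the same way; there the cause can be kept with `InvalidObjectException ioe = new InvalidObjectException(e.getMessage()); ioe.initCause(e); throw ioe;`.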
@@ -338,36 +341,82 @@ validate(); } - private void validate() throws MalformedURLException { + private static final String INVALID_INSTANCE_MSG = + "Trying to deserialize an invalid instance of JMXServiceURL"; + private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException { + ObjectInputStream.GetField gf = inputStream.readFields(); + String h = (String)gf.get("host", null); + int p = (int)gf.get("port", -1); + String proto = (String)gf.get("protocol", null); + String url = (String)gf.get("urlPath", null); + if (proto == null || url == null || h == null) { + StringBuilder sb = new StringBuilder(INVALID_INSTANCE_MSG).append('['); + boolean empty = true; + if (proto == null) { + sb.append("protocol=null"); + empty = false; + } + if (h == null) { + sb.append(empty ? "" : ",").append("host=null"); + empty = false; + } + if (url == null) { + sb.append(empty ? "" : ",").append("urlPath=null"); + } + sb.append(']'); + throw new InvalidObjectException(sb.toString()); + } + + if (h.contains("[") || h.contains("]")) { + throw new InvalidObjectException("Invalid host name: " + h); + } + + try { + validate(proto, h, p, url); + this.protocol = proto; + this.host = h; + this.port = p; + this.urlPath = url; + } catch (MalformedURLException e) { + throw new InvalidObjectException(INVALID_INSTANCE_MSG + ": " + + e.getMessage()); + } + + } + + private void validate(String proto, String h, int p, String url) + throws MalformedURLException { // Check protocol - - final int protoEnd = indexOfFirstNotInSet(protocol, protocolBitSet, 0); - if (protoEnd == 0 || protoEnd < protocol.length() - || !alphaBitSet.get(protocol.charAt(0))) { + final int protoEnd = indexOfFirstNotInSet(proto, protocolBitSet, 0); + if (protoEnd == 0 || protoEnd < proto.length() + || !alphaBitSet.get(proto.charAt(0))) { throw new MalformedURLException("Missing or invalid protocol " + - "name: \"" + protocol + "\""); + "name: \"" + proto + "\""); } // Check host - - validateHost(); 
+ validateHost(h, p); // Check port - - if (port < 0) - throw new MalformedURLException("Bad port: " + port); + if (p < 0) + throw new MalformedURLException("Bad port: " + p); // Check URL path - - if (urlPath.length() > 0) { - if (!urlPath.startsWith("/") && !urlPath.startsWith(";")) - throw new MalformedURLException("Bad URL path: " + urlPath); + if (url.length() > 0) { + if (!url.startsWith("/") && !url.startsWith(";")) + throw new MalformedURLException("Bad URL path: " + url); } } - private void validateHost() throws MalformedURLException { - if (host.length() == 0) { + private void validate() throws MalformedURLException { + validate(this.protocol, this.host, this.port, this.urlPath); + } + + private static void validateHost(String h, int port) + throws MalformedURLException { + + if (h.length() == 0) { if (port != 0) { throw new MalformedURLException("Cannot give port number " + "without host name"); @@ -375,12 +424,6 @@ return; } - validateHost(host); - } - - private static void validateHost(String h) - throws MalformedURLException { - if (isNumericIPv6Address(h)) { /* We assume J2SE >= 1.4 here. Otherwise you can't use the address anyway. We can't call 
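Review bot: The new four-argument `validate(String proto, String h, int p, String url)` in JMXServiceURL.java is declared as an instance method although `readObject` calls it before any field of the deserialized object has been assigned. Its visible body reads only its parameters and `protocolBitSet`/`alphaBitSet`, whose declarations are outside this hunk. If those are static, declaring it `private static void validate(String proto, String h, int p, String url)`, as the hunk already does for `validateHost`, lets the compiler enforce that validation never reads half-initialised instance state. Separately, the bracket test `h.contains("[") || h.contains("]")` exists only in `readObject`, so a short comment saying why it is not part of `validate` would help the next reader.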
@@ -670,22 +713,22 @@ /** * The value returned by {@link #getProtocol()}. */ - private final String protocol; + private String protocol; /** * The value returned by {@link #getHost()}. */ - private final String host; + private String host; /** * The value returned by {@link #getPort()}. */ - private final int port; + private int port; /** * The value returned by {@link #getURLPath()}. */ - private final String urlPath; + private String urlPath; /** * Cached result of {@link #toString()}. diff -r d10e47deb098 -r a9be60a78488 src/share/classes/javax/management/remote/NotificationResult.java --- openjdk/jdk/src/share/classes/javax/management/remote/NotificationResult.java Tue Oct 15 16:47:11 2013 +0100 +++ openjdk/jdk/src/share/classes/javax/management/remote/NotificationResult.java Thu Jun 20 08:51:47 2013 +0200 @@ -25,6 +25,9 @@ package javax.management.remote; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.io.Serializable; /** @@ -76,17 +79,7 @@ public NotificationResult(long earliestSequenceNumber, long nextSequenceNumber, TargetedNotification[] targetedNotifications) { - if (targetedNotifications == null) { - final String msg = "Notifications null"; - throw new IllegalArgumentException(msg); - } - - if (earliestSequenceNumber < 0 || nextSequenceNumber < 0) - throw new IllegalArgumentException("Bad sequence numbers"); - /* We used to check nextSequenceNumber >= earliestSequenceNumber - here. But in fact the opposite can legitimately be true if - notifications have been lost. */ - + validate(targetedNotifications, earliestSequenceNumber, nextSequenceNumber); this.earliestSequenceNumber = earliestSequenceNumber; this.nextSequenceNumber = nextSequenceNumber; this.targetedNotifications = (targetedNotifications.length == 0 ? targetedNotifications : targetedNotifications.clone()); 
@@ -138,7 +131,39 @@ getTargetedNotifications().length; } - private final long earliestSequenceNumber; - private final long nextSequenceNumber; - private final TargetedNotification[] targetedNotifications; + private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { + ObjectInputStream.GetField gf = ois.readFields(); + TargetedNotification[] tNotifs = (TargetedNotification[])gf.get("targetedNotifications", null); + long snStart = gf.get("earliestSequenceNumber", -1L); + long snNext = gf.get("nextSequenceNumber", -1L); + try { + validate(tNotifs, snStart, snNext); + + this.targetedNotifications = tNotifs.length == 0 ? tNotifs : tNotifs.clone(); + this.earliestSequenceNumber = snStart; + this.nextSequenceNumber = snNext; + } catch (IllegalArgumentException e) { + throw new InvalidObjectException(e.getMessage()); + } + } + + private long earliestSequenceNumber; + private long nextSequenceNumber; + private TargetedNotification[] targetedNotifications; + + private static void validate(TargetedNotification[] targetedNotifications, + long earliestSequenceNumber, + long nextSequenceNumber) + throws IllegalArgumentException { + if (targetedNotifications == null) { + final String msg = "Notifications null"; + throw new IllegalArgumentException(msg); + } + + if (earliestSequenceNumber < 0 || nextSequenceNumber < 0) + throw new IllegalArgumentException("Bad sequence numbers"); + /* We used to check nextSequenceNumber >= earliestSequenceNumber + here. But in fact the opposite can legitimately be true if + notifications have been lost. */ + } } diff -r d10e47deb098 -r a9be60a78488 src/share/classes/javax/management/remote/TargetedNotification.java --- openjdk/jdk/src/share/classes/javax/management/remote/TargetedNotification.java Tue Oct 15 16:47:11 2013 +0100 +++ openjdk/jdk/src/share/classes/javax/management/remote/TargetedNotification.java Thu Jun 20 08:51:47 2013 +0200 
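Review bot: `readObject` in NotificationResult.java relies on the `-1L` defaults passed to `gf.get` to make a stream that omits a sequence number fail `validate`, and nothing in the code says so. I would add `// Default of -1 makes a stream without this field fail validate().` above the two `gf.get(..., -1L)` calls, so that the defaults are not later changed to 0, which `validate` would accept. The three field declarations now sit between `readObject` and `validate`; keeping them together ahead of the methods would make the class easier to scan.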
@@ -26,6 +26,9 @@ package javax.management.remote; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.io.Serializable; import javax.management.Notification; @@ -73,12 +76,9 @@ */ public TargetedNotification(Notification notification, Integer listenerID) { + validate(notification, listenerID); // If we replace integer with int... // this(notification,intValue(listenerID)); - if (notification == null) throw new - IllegalArgumentException("Invalid notification: null"); - if (listenerID == null) throw new - IllegalArgumentException("Invalid listener ID: null"); this.notif = notification; this.id = listenerID; } @@ -115,13 +115,13 @@ * @serial A notification to transmit to the other side. * @see #getNotification() **/ - private final Notification notif; + private Notification notif; /** * @serial The ID of the listener to which the notification is * targeted. * @see #getListenerID() **/ - private final Integer id; + private Integer id; //private final int id; // Needed if we use int instead of Integer... @@ -130,4 +130,26 @@ // IllegalArgumentException("Invalid listener ID: null"); // return id.intValue(); // } + + private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { + ObjectInputStream.GetField gf = ois.readFields(); + Notification notification = (Notification)gf.get("notif", null); + Integer listenerId = (Integer)gf.get("id", null); + try { + validate(notification, listenerId); + this.notif = notification; + this.id = listenerId; + } catch (IllegalArgumentException e) { + throw new InvalidObjectException(e.getMessage()); + } + } + + private static void validate(Notification notif, Integer id) throws IllegalArgumentException { + if (notif == null) { + throw new IllegalArgumentException("Invalid notification: null"); + } + if (id == null) { + throw new IllegalArgumentException("Invalid listener ID: null"); + } + } }