Mercurial > hg > release > icedtea6-1.11

view patches/security/20130618/8007467-improve_jmx_internal_api_robustness.patch @ 2907:d7eca687b7d2

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add 2013/06/18 security patches. 2013-06-22 Andrew John Hughes <gnu.andrew@member.fsf.org> * patches/idresolver_fix.patch: Removed. Part of 6469266. * Makefile.am: (SECURITY_PATCHES): Add new ones. (SPECIAL_SECURITY_PATCH_1): Renamed from SPECIAL_SECURITY_PATCH. (SPECIAL_SECURITY_PATCH_2): Add 8009071, which needs to be applied after some AWT backports. (ICEDTEA_PATCHES): Use SPECIAL_SECURITY_PATCH_{1,2}. Move 8005615, 8007393 & 8007611 to SECURITY_PATCHES as must be applied before 8004584. Add 7171223 to end. * patches/openjdk/6307603-xrender-01.patch, * patches/openjdk/6469266-xmlsec_1.4.2.patch, * patches/openjdk/6656651-windows_lcd_glyphs.patch, * patches/openjdk/6786028-wcag_bold_tags.patch, * patches/openjdk/6786682-wcag_lang.patch, * patches/openjdk/6786688-wcag_table.patch, * patches/openjdk/6786690-wcag_dl.patch, * patches/openjdk/6802694-no_deprecated.patch, * patches/openjdk/6851834-restructure.patch, * patches/openjdk/6888167-medialib_memory_leaks.patch, * patches/openjdk/6961178-doclet_xml.patch, * patches/openjdk/6990754-use_native_memory_for_symboltable.patch, * patches/openjdk/7006270-regressions.patch, * patches/openjdk/7008809-report_class_in_arraystoreexception.patch, * patches/openjdk/7014851-unused_parallel_compaction_code.patch, * patches/openjdk/7017732-move_static_fields_to_class.patch, * patches/openjdk/7036747-elfstringtable.patch, * patches/openjdk/7086585-flexible_field_injection.patch, * patches/openjdk/7171223-strict_aliasing.patch, * patches/openjdk/7195301-no_instanceof_node.patch, * patches/security/20130618/6741606-apache_santuario.patch, * patches/security/20130618/7158805-nested_subroutine_rewriting.patch, * patches/security/20130618/7170730-windows_network_stack.patch, * patches/security/20130618/8000638-improve_deserialization.patch, * patches/security/20130618/8000642-better_transportation_handling.patch, * patches/security/20130618/8001032-restrict_object_access-corba.patch, * patches/security/20130618/8001032-restrict_object_access-jdk.patch, * patches/security/20130618/8001033-refactor_address_handling.patch, * patches/security/20130618/8001034-memory_management.patch, * patches/security/20130618/8001038-resourcefully_handle_resources.patch, * patches/security/20130618/8001043-clarify_definition_restrictions.patch, * patches/security/20130618/8001309-better_handling_of_annotation_interfaces.patch, * patches/security/20130618/8001318-6_fixup.patch, * patches/security/20130618/8001318-socket_getlocaladdress_consistency.patch, * patches/security/20130618/8001330-checking_order_improvement.patch, * patches/security/20130618/8001330-improve_checking_order.patch, * patches/security/20130618/8003703-update_rmi_connection_dialog.patch, * patches/security/20130618/8004584-augment_applet_contextualization.patch, * patches/security/20130618/8005007-better_glyph_processing.patch, * patches/security/20130618/8006328-6_fixup.patch, * patches/security/20130618/8006328-sound_class_robustness.patch, * patches/security/20130618/8006611-improve_scripting.patch, * patches/security/20130618/8007467-improve_jmx_internal_api_robustness.patch, * patches/security/20130618/8007471-6_fixup.patch, * patches/security/20130618/8007471-improve_mbean_notifications.patch, * patches/security/20130618/8007812-getenclosingmethod.patch, * patches/security/20130618/8008120-improve_jmx_class_checking.patch, * patches/security/20130618/8008124-better_compliance_testing.patch, * patches/security/20130618/8008128-better_jmx_api_coherence.patch, * patches/security/20130618/8008132-better_serialization.patch, * patches/security/20130618/8008585-jmx_data_handling.patch, * patches/security/20130618/8008593-better_urlclassloader.patch, * patches/security/20130618/8008603-jmx_provider_provision.patch, * patches/security/20130618/8008611-6_fixup.patch, * patches/security/20130618/8008611-jmx_annotations.patch, * patches/security/20130618/8008615-jmx_internal_api_robustness.patch, * patches/security/20130618/8008623-mbeanserver_handling.patch, * patches/security/20130618/8008744-6741606_rework.patch, * patches/security/20130618/8008982-jmx_interface_changes.patch, * patches/security/20130618/8009004-rmi_connection_improvement.patch, * patches/security/20130618/8009013-t2k_glyphs.patch, * patches/security/20130618/8009034-jmx_notification_improvement.patch, * patches/security/20130618/8009038-jmx_notification_support_improvement.patch, * patches/security/20130618/8009067-improve_key_storing.patch, * patches/security/20130618/8009071-improve_shape_handling.patch, * patches/security/20130618/8009235-improve_tsa_data_handling.patch, * patches/security/20130618/8009554-serialjavaobject.patch, * patches/security/20130618/8011243-improve_imaginglib.patch, * patches/security/20130618/8011248-better_component_rasters.patch, * patches/security/20130618/8011253-better_short_component_rasters.patch, * patches/security/20130618/8011257-better_byte_component_rasters.patch, * patches/security/20130618/8011557-improve_reflection.patch, * patches/security/20130618/8012375-javadoc_framing.patch, * patches/security/20130618/8012421-better_positioning.patch, * patches/security/20130618/8012438-better_image_validation.patch, * patches/security/20130618/8012597-better_image_channel_validation.patch, * patches/security/20130618/8012601-better_layout_validation.patch, * patches/security/20130618/8014281-better_xml_signature_checking.patch, * patches/security/20130618/8015997-more_javadoc_framing.patch, * patches/security/20130618/diamond_fix.patch, * patches/security/20130618/handle_npe.patch, * patches/security/20130618/hs_merge-01.patch, * patches/security/20130618/hs_merge-02.patch, * patches/security/20130618/hs_merge-03.patch, * patches/security/20130618/hs_merge-04.patch, * patches/security/20130618/javac_issue.patch, * patches/security/20130618/langtools_generics.patch, * patches/security/20130618/langtools_merge-01.patch, * patches/security/20130618/langtools_merge-02.patch, * patches/security/20130618/langtools_merge-03.patch: 2013/06/18 security patches.
author Andrew John Hughes <gnu.andrew@redhat.com>
date Sat, 22 Jun 2013 16:38:24 -0500
parents
children
line wrap: on
line source

# HG changeset patch
# User andrew
# Date 1371404383 18000
# Node ID 65ed365feeae0a68d89dd63143b6be3c0be11c81
# Parent  1d5eff0bd9b504b7191279bfc6a417f6a2e2251f
8007467: Improve robustness of JMX internal APIs
Reviewed-by: dfuchs, mchung, skoivu

diff --git a/src/share/classes/com/sun/jmx/mbeanserver/ConvertingMethod.java b/src/share/classes/com/sun/jmx/mbeanserver/ConvertingMethod.java
--- openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/ConvertingMethod.java
+++ openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/ConvertingMethod.java
@@ -33,6 +33,7 @@
 import javax.management.MBeanException;
 import javax.management.openmbean.OpenDataException;
 import javax.management.openmbean.OpenType;
+import sun.reflect.misc.MethodUtil;
 
 final class ConvertingMethod {
     static ConvertingMethod from(Method m) {
@@ -177,7 +178,7 @@
                 "from open values: " + e;
             throw new MBeanException(e, msg);
         }
-        final Object javaReturn = method.invoke(obj, javaParams);
+        final Object javaReturn = MethodUtil.invoke(method, obj, javaParams);
         try {
             return returnConverter.toOpenValue(lookup, javaReturn);
         } catch (OpenDataException e) {
diff --git a/src/share/classes/com/sun/jmx/mbeanserver/StandardMBeanIntrospector.java b/src/share/classes/com/sun/jmx/mbeanserver/StandardMBeanIntrospector.java
--- openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/StandardMBeanIntrospector.java
+++ openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/StandardMBeanIntrospector.java
@@ -38,6 +38,7 @@
 import javax.management.NotCompliantMBeanException;
 import javax.management.NotificationBroadcaster;
 import javax.management.NotificationBroadcasterSupport;
+import sun.reflect.misc.MethodUtil;
 
 /**
  * @since 1.6
@@ -108,7 +109,7 @@
     Object invokeM2(Method m, Object target, Object[] args, Object cookie)
             throws InvocationTargetException, IllegalAccessException,
                    MBeanException {
-        return m.invoke(target, args);
+        return MethodUtil.invoke(m, target, args);
     }
 
     @Override
diff --git a/src/share/classes/javax/management/openmbean/CompositeDataInvocationHandler.java b/src/share/classes/javax/management/openmbean/CompositeDataInvocationHandler.java
--- openjdk/jdk/src/share/classes/javax/management/openmbean/CompositeDataInvocationHandler.java
+++ openjdk/jdk/src/share/classes/javax/management/openmbean/CompositeDataInvocationHandler.java
@@ -172,6 +172,8 @@
                    the only non-final methods in Object that are not
                    handled above are finalize and clone, and these
                    are not overridden in generated proxies.  */
+                // this plain Method.invoke is called only if the declaring class
+                // is Object and so it's safe.
                 return method.invoke(this, args);
             }
         }
diff --git a/src/share/classes/javax/management/openmbean/OpenMBeanAttributeInfoSupport.java b/src/share/classes/javax/management/openmbean/OpenMBeanAttributeInfoSupport.java
--- openjdk/jdk/src/share/classes/javax/management/openmbean/OpenMBeanAttributeInfoSupport.java
+++ openjdk/jdk/src/share/classes/javax/management/openmbean/OpenMBeanAttributeInfoSupport.java
@@ -45,6 +45,9 @@
 import javax.management.ImmutableDescriptor;
 import javax.management.MBeanAttributeInfo;
 import com.sun.jmx.remote.util.EnvHelp;
+import sun.reflect.misc.ConstructorUtil;
+import sun.reflect.misc.MethodUtil;
+import sun.reflect.misc.ReflectUtil;
 
 /**
  * Describes an attribute of an open MBean.
@@ -690,6 +693,7 @@
     private static <T> T convertFromString(String s, OpenType<T> openType) {
         Class<T> c;
         try {
+            ReflectUtil.checkPackageAccess(openType.safeGetClassName());
             c = cast(Class.forName(openType.safeGetClassName()));
         } catch (ClassNotFoundException e) {
             throw new NoClassDefFoundError(e.toString());  // can't happen
@@ -698,6 +702,8 @@
         // Look for: public static T valueOf(String)
         Method valueOf;
         try {
+            // It is safe to call this plain Class.getMethod because the class "c"
+            // was checked before by ReflectUtil.checkPackageAccess(openType.safeGetClassName());
             valueOf = c.getMethod("valueOf", String.class);
             if (!Modifier.isStatic(valueOf.getModifiers()) ||
                     valueOf.getReturnType() != c)
@@ -707,7 +713,7 @@
         }
         if (valueOf != null) {
             try {
-                return c.cast(valueOf.invoke(null, s));
+                return c.cast(MethodUtil.invoke(valueOf, null, new Object[] {s}));
             } catch (Exception e) {
                 final String msg =
                     "Could not convert \"" + s + "\" using method: " + valueOf;
@@ -718,6 +724,8 @@
         // Look for: public T(String)
         Constructor<T> con;
         try {
+            // It is safe to call this plain Class.getConstructor because the class "c"
+            // was checked before by ReflectUtil.checkPackageAccess(openType.safeGetClassName());
             con = c.getConstructor(String.class);
         } catch (NoSuchMethodException e) {
             con = null;