view patches/security/20130618/8008120-improve_jmx_class_checking.patch @ 2907:d7eca687b7d2
Add 2013/06/18 security patches.
2013-06-22 Andrew John Hughes <gnu.andrew@member.fsf.org>
* patches/idresolver_fix.patch:
Removed. Part of 6469266.
* Makefile.am:
(SECURITY_PATCHES): Add new ones.
(SPECIAL_SECURITY_PATCH_1): Renamed from
SPECIAL_SECURITY_PATCH.
(SPECIAL_SECURITY_PATCH_2): Add 8009071, which
needs to be applied after some AWT backports.
(ICEDTEA_PATCHES): Use SPECIAL_SECURITY_PATCH_{1,2}.
Move 8005615, 8007393 & 8007611 to SECURITY_PATCHES
as must be applied before 8004584. Add 7171223 to
end.
* patches/openjdk/6307603-xrender-01.patch,
* patches/openjdk/6469266-xmlsec_1.4.2.patch,
* patches/openjdk/6656651-windows_lcd_glyphs.patch,
* patches/openjdk/6786028-wcag_bold_tags.patch,
* patches/openjdk/6786682-wcag_lang.patch,
* patches/openjdk/6786688-wcag_table.patch,
* patches/openjdk/6786690-wcag_dl.patch,
* patches/openjdk/6802694-no_deprecated.patch,
* patches/openjdk/6851834-restructure.patch,
* patches/openjdk/6888167-medialib_memory_leaks.patch,
* patches/openjdk/6961178-doclet_xml.patch,
* patches/openjdk/6990754-use_native_memory_for_symboltable.patch,
* patches/openjdk/7006270-regressions.patch,
* patches/openjdk/7008809-report_class_in_arraystoreexception.patch,
* patches/openjdk/7014851-unused_parallel_compaction_code.patch,
* patches/openjdk/7017732-move_static_fields_to_class.patch,
* patches/openjdk/7036747-elfstringtable.patch,
* patches/openjdk/7086585-flexible_field_injection.patch,
* patches/openjdk/7171223-strict_aliasing.patch,
* patches/openjdk/7195301-no_instanceof_node.patch,
* patches/security/20130618/6741606-apache_santuario.patch,
* patches/security/20130618/7158805-nested_subroutine_rewriting.patch,
* patches/security/20130618/7170730-windows_network_stack.patch,
* patches/security/20130618/8000638-improve_deserialization.patch,
* patches/security/20130618/8000642-better_transportation_handling.patch,
* patches/security/20130618/8001032-restrict_object_access-corba.patch,
* patches/security/20130618/8001032-restrict_object_access-jdk.patch,
* patches/security/20130618/8001033-refactor_address_handling.patch,
* patches/security/20130618/8001034-memory_management.patch,
* patches/security/20130618/8001038-resourcefully_handle_resources.patch,
* patches/security/20130618/8001043-clarify_definition_restrictions.patch,
* patches/security/20130618/8001309-better_handling_of_annotation_interfaces.patch,
* patches/security/20130618/8001318-6_fixup.patch,
* patches/security/20130618/8001318-socket_getlocaladdress_consistency.patch,
* patches/security/20130618/8001330-checking_order_improvement.patch,
* patches/security/20130618/8001330-improve_checking_order.patch,
* patches/security/20130618/8003703-update_rmi_connection_dialog.patch,
* patches/security/20130618/8004584-augment_applet_contextualization.patch,
* patches/security/20130618/8005007-better_glyph_processing.patch,
* patches/security/20130618/8006328-6_fixup.patch,
* patches/security/20130618/8006328-sound_class_robustness.patch,
* patches/security/20130618/8006611-improve_scripting.patch,
* patches/security/20130618/8007467-improve_jmx_internal_api_robustness.patch,
* patches/security/20130618/8007471-6_fixup.patch,
* patches/security/20130618/8007471-improve_mbean_notifications.patch,
* patches/security/20130618/8007812-getenclosingmethod.patch,
* patches/security/20130618/8008120-improve_jmx_class_checking.patch,
* patches/security/20130618/8008124-better_compliance_testing.patch,
* patches/security/20130618/8008128-better_jmx_api_coherence.patch,
* patches/security/20130618/8008132-better_serialization.patch,
* patches/security/20130618/8008585-jmx_data_handling.patch,
* patches/security/20130618/8008593-better_urlclassloader.patch,
* patches/security/20130618/8008603-jmx_provider_provision.patch,
* patches/security/20130618/8008611-6_fixup.patch,
* patches/security/20130618/8008611-jmx_annotations.patch,
* patches/security/20130618/8008615-jmx_internal_api_robustness.patch,
* patches/security/20130618/8008623-mbeanserver_handling.patch,
* patches/security/20130618/8008744-6741606_rework.patch,
* patches/security/20130618/8008982-jmx_interface_changes.patch,
* patches/security/20130618/8009004-rmi_connection_improvement.patch,
* patches/security/20130618/8009013-t2k_glyphs.patch,
* patches/security/20130618/8009034-jmx_notification_improvement.patch,
* patches/security/20130618/8009038-jmx_notification_support_improvement.patch,
* patches/security/20130618/8009067-improve_key_storing.patch,
* patches/security/20130618/8009071-improve_shape_handling.patch,
* patches/security/20130618/8009235-improve_tsa_data_handling.patch,
* patches/security/20130618/8009554-serialjavaobject.patch,
* patches/security/20130618/8011243-improve_imaginglib.patch,
* patches/security/20130618/8011248-better_component_rasters.patch,
* patches/security/20130618/8011253-better_short_component_rasters.patch,
* patches/security/20130618/8011257-better_byte_component_rasters.patch,
* patches/security/20130618/8011557-improve_reflection.patch,
* patches/security/20130618/8012375-javadoc_framing.patch,
* patches/security/20130618/8012421-better_positioning.patch,
* patches/security/20130618/8012438-better_image_validation.patch,
* patches/security/20130618/8012597-better_image_channel_validation.patch,
* patches/security/20130618/8012601-better_layout_validation.patch,
* patches/security/20130618/8014281-better_xml_signature_checking.patch,
* patches/security/20130618/8015997-more_javadoc_framing.patch,
* patches/security/20130618/diamond_fix.patch,
* patches/security/20130618/handle_npe.patch,
* patches/security/20130618/hs_merge-01.patch,
* patches/security/20130618/hs_merge-02.patch,
* patches/security/20130618/hs_merge-03.patch,
* patches/security/20130618/hs_merge-04.patch,
* patches/security/20130618/javac_issue.patch,
* patches/security/20130618/langtools_generics.patch,
* patches/security/20130618/langtools_merge-01.patch,
* patches/security/20130618/langtools_merge-02.patch,
* patches/security/20130618/langtools_merge-03.patch:
2013/06/18 security patches.
author | Andrew John Hughes <gnu.andrew@redhat.com> |
---|---|
date | Sat, 22 Jun 2013 16:38:24 -0500 |
parents | |
children |
# HG changeset patch # User andrew # Date 1371483960 18000 # Node ID 100c93da24f90ae93063fdd0affbc29c691424e8 # Parent a9d86a9899a5ecfdb22e5ca279a834771684b0fe 8008120: Improve JMX class checking Summary: Improve JMX class checking Reviewed-by: mchung, dfuchs, alanb, skoivu diff --git a/src/share/classes/javax/management/relation/RelationNotification.java b/src/share/classes/javax/management/relation/RelationNotification.java --- openjdk/jdk/src/share/classes/javax/management/relation/RelationNotification.java +++ openjdk/jdk/src/share/classes/javax/management/relation/RelationNotification.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ import javax.management.Notification; import javax.management.ObjectName; +import java.io.InvalidObjectException; import java.io.IOException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; @@ -37,8 +38,11 @@ import java.security.PrivilegedAction; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; +import java.util.HashSet; import java.util.List; +import java.util.Set; import com.sun.jmx.mbeanserver.GetPropertyAction; import static com.sun.jmx.mbeanserver.Util.cast; 
@@ -256,21 +260,14 @@ super(notifType, sourceObj, sequence, timeStamp, message); - // Can throw IllegalArgumentException - initMembers(1, - notifType, - sourceObj, - sequence, - timeStamp, - message, - id, - typeName, - objectName, - unregMBeanList, - null, - null, - null); - return; + if (!isValidBasic(notifType,sourceObj,id,typeName) || !isValidCreate(notifType)) { + throw new IllegalArgumentException("Invalid parameter."); + } + + relationId = id; + relationTypeName = typeName; + relationObjName = safeGetObjectName(objectName); + unregisterMBeanList = safeGetObjectNameList(unregMBeanList); } /** @@ -313,21 +310,17 @@ super(notifType, sourceObj, sequence, timeStamp, message); - // Can throw IllegalArgumentException - initMembers(2, - notifType, - sourceObj, - sequence, - timeStamp, - message, - id, - typeName, - objectName, - null, - name, - newValue, - oldValue); - return; + if (!isValidBasic(notifType,sourceObj,id,typeName) || !isValidUpdate(notifType,name,newValue,oldValue)) { + throw new IllegalArgumentException("Invalid parameter."); + } + + relationId = id; + relationTypeName = typeName; + relationObjName = safeGetObjectName(objectName); + + roleName = name; + oldRoleValue = safeGetObjectNameList(oldValue); + newRoleValue = safeGetObjectNameList(newValue); } // 
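Review bot: Both rewritten constructors (this hunk and the one at -313) now copy their list arguments through safeGetObjectNameList, so a list holding a null element fails with a NullPointerException from `ObjectName.getInstance(item)` rather than the `IllegalArgumentException("Invalid parameter.")` used for every other bad argument. The removed `new ArrayList<ObjectName>(...)` copy accepted such lists, so this is a behaviour change for existing callers. If the stricter behaviour is intended, it should be stated in the constructors' Javadoc (which lies outside the hunks), e.g. `@exception NullPointerException if a list argument contains a null element`. Otherwise null elements could be rejected alongside the isValid* checks so callers still see one exception type. The constructor bodies begin outside both hunks.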
@@ -463,83 +456,64 @@ // - no role name (for role update) // - no role old value (for role update) // - no role new value (for role update) - private void initMembers(int notifKind, - String notifType, - Object sourceObj, - long sequence, - long timeStamp, - String message, - String id, - String typeName, - ObjectName objectName, - List<ObjectName> unregMBeanList, - String name, - List<ObjectName> newValue, - List<ObjectName> oldValue) - throws IllegalArgumentException { - boolean badInitFlg = false; - - if (notifType == null || - sourceObj == null || - (!(sourceObj instanceof RelationService) && - !(sourceObj instanceof ObjectName)) || - id == null || - typeName == null) { - - badInitFlg = true; + private boolean isValidBasic(String notifType, Object sourceObj, String id, String typeName){ + if (notifType == null || sourceObj == null || + id == null || typeName == null) { + return false; } - if (notifKind == 1) { + if (!(sourceObj instanceof RelationService) && + !(sourceObj instanceof ObjectName)) { + return false; + } - if ((!(notifType.equals(RelationNotification.RELATION_BASIC_CREATION))) - && - (!(notifType.equals(RelationNotification.RELATION_MBEAN_CREATION))) - && - (!(notifType.equals(RelationNotification.RELATION_BASIC_REMOVAL))) - && - (!(notifType.equals(RelationNotification.RELATION_MBEAN_REMOVAL))) - ) { + return true; + } - // Creation/removal - badInitFlg = true; - } + private boolean isValidCreate(String notifType) { + String[] validTypes= {RelationNotification.RELATION_BASIC_CREATION, + RelationNotification.RELATION_MBEAN_CREATION, + RelationNotification.RELATION_BASIC_REMOVAL, + RelationNotification.RELATION_MBEAN_REMOVAL}; - } else if (notifKind == 2) { + Set<String> ctSet = new HashSet<String>(Arrays.asList(validTypes)); + return ctSet.contains(notifType); + } - if (((!(notifType.equals(RelationNotification.RELATION_BASIC_UPDATE))) - && - (!(notifType.equals(RelationNotification.RELATION_MBEAN_UPDATE)))) - || name == null || - oldValue == null 
|| - newValue == null) { + private boolean isValidUpdate(String notifType, String name, + List<ObjectName> newValue, List<ObjectName> oldValue) { - // Role update - badInitFlg = true; + if (!(notifType.equals(RelationNotification.RELATION_BASIC_UPDATE)) && + !(notifType.equals(RelationNotification.RELATION_MBEAN_UPDATE))) { + return false; + } + + if (name == null || oldValue == null || newValue == null) { + return false; + } + + return true; + } + + private ArrayList<ObjectName> safeGetObjectNameList(List<ObjectName> src){ + ArrayList<ObjectName> dest = null; + if (src != null) { + dest = new ArrayList<ObjectName>(); + for (ObjectName item : src) { + // NPE thrown if we attempt to add null object + dest.add(ObjectName.getInstance(item)); } } + return dest; + } - if (badInitFlg) { - String excMsg = "Invalid parameter."; - throw new IllegalArgumentException(excMsg); + private ObjectName safeGetObjectName(ObjectName src){ + ObjectName dest = null; + if (src != null) { + dest = ObjectName.getInstance(src); } - - relationId = id; - relationTypeName = typeName; - relationObjName = objectName; - if (unregMBeanList != null) { - unregisterMBeanList = new ArrayList<ObjectName>(unregMBeanList); - } - if (name != null) { - roleName = name; - } - if (oldValue != null) { - oldRoleValue = new ArrayList<ObjectName>(oldValue); - } - if (newValue != null) { - newRoleValue = new ArrayList<ObjectName>(newValue); - } - return; + return dest; } /** 
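Review bot: safeGetObjectName and safeGetObjectNameList are the security-relevant part of this hunk, yet neither says why values are re-created through `ObjectName.getInstance` instead of being stored as received. As far as I can tell the intent is to avoid retaining a caller- or stream-supplied ObjectName subclass, and a one-line comment would make that explicit, e.g. `// Re-create via ObjectName.getInstance so a supplied ObjectName subclass is never stored as-is`. The list helper could note that the copy also detaches the field from the caller's list. As a style point, isValidCreate builds a new array and HashSet on every call; the four type strings could live in one `private static final Set<String>`. The isValid* helpers read no instance state and could be `static`.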
@@ -547,53 +521,56 @@ */ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { - if (compat) - { - // Read an object serialized in the old serial form - // + + String tmpRelationId, tmpRelationTypeName, tmpRoleName; + + ObjectName tmpRelationObjName; + List<ObjectName> tmpNewRoleValue, tmpOldRoleValue, tmpUnregMBeanList; + ObjectInputStream.GetField fields = in.readFields(); - newRoleValue = cast(fields.get("myNewRoleValue", null)); - if (fields.defaulted("myNewRoleValue")) - { - throw new NullPointerException("newRoleValue"); + + if (compat) { + tmpRelationId = (String)fields.get("myRelId", null); + tmpRelationTypeName = (String)fields.get("myRelTypeName", null); + tmpRoleName = (String)fields.get("myRoleName", null); + + tmpRelationObjName = (ObjectName)fields.get("myRelObjName", null); + tmpNewRoleValue = cast(fields.get("myNewRoleValue", null)); + tmpOldRoleValue = cast(fields.get("myOldRoleValue", null)); + tmpUnregMBeanList = cast(fields.get("myUnregMBeanList", null)); } - oldRoleValue = cast(fields.get("myOldRoleValue", null)); - if (fields.defaulted("myOldRoleValue")) - { - throw new NullPointerException("oldRoleValue"); + else { + tmpRelationId = (String)fields.get("relationId", null); + tmpRelationTypeName = (String)fields.get("relationTypeName", null); + tmpRoleName = (String)fields.get("roleName", null); + + tmpRelationObjName = (ObjectName)fields.get("relationObjName", null); + tmpNewRoleValue = cast(fields.get("newRoleValue", null)); + tmpOldRoleValue = cast(fields.get("oldRoleValue", null)); + tmpUnregMBeanList = cast(fields.get("unregisterMBeanList", null)); } - relationId = (String) fields.get("myRelId", null); - if (fields.defaulted("myRelId")) - { - throw new NullPointerException("relationId"); + + // Validate fields we just read, throw InvalidObjectException + // if something goes wrong + + String notifType = super.getType(); + if (!isValidBasic(notifType,super.getSource(),tmpRelationId,tmpRelationTypeName) 
|| + (!isValidCreate(notifType) && + !isValidUpdate(notifType,tmpRoleName,tmpNewRoleValue,tmpOldRoleValue))) { + + super.setSource(null); + throw new InvalidObjectException("Invalid object read"); } - relationObjName = (ObjectName) fields.get("myRelObjName", null); - if (fields.defaulted("myRelObjName")) - { - throw new NullPointerException("relationObjName"); - } - relationTypeName = (String) fields.get("myRelTypeName", null); - if (fields.defaulted("myRelTypeName")) - { - throw new NullPointerException("relationTypeName"); - } - roleName = (String) fields.get("myRoleName", null); - if (fields.defaulted("myRoleName")) - { - throw new NullPointerException("roleName"); - } - unregisterMBeanList = cast(fields.get("myUnregMBeanList", null)); - if (fields.defaulted("myUnregMBeanList")) - { - throw new NullPointerException("unregisterMBeanList"); - } - } - else - { - // Read an object serialized in the new serial form - // - in.defaultReadObject(); - } + + // assign deserialized vaules to object fields + relationObjName = safeGetObjectName(tmpRelationObjName); + newRoleValue = safeGetObjectNameList(tmpNewRoleValue); + oldRoleValue = safeGetObjectNameList(tmpOldRoleValue); + unregisterMBeanList = safeGetObjectNameList(tmpUnregMBeanList); + + relationId = tmpRelationId; + relationTypeName = tmpRelationTypeName; + roleName = tmpRoleName; }
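Review bot: The validation in readObject checks only that the role lists are non-null, so a stream whose list holds a null or a non-ObjectName element gets past the `InvalidObjectException` branch. It then fails inside safeGetObjectNameList with a NullPointerException or, presumably, a ClassCastException from the for-each. Callers that treat deserialization failures as `IOException` will not catch those, and the `super.setSource(null)` reset is skipped on that path. Converting the failure at the copy step keeps a single rejection path, as sketched below using `initCause` because this tree is icedtea6. Separately, the removed compat branch rejected streams with an absent field via `fields.defaulted(...)`, while the new code reads absent fields as null, so it is worth confirming that relationObjName and unregisterMBeanList are meant to be optional on read.

```java
// … unchanged: field reads and the isValidBasic / isValidCreate / isValidUpdate check …

try {
    // … unchanged: the four safeGetObjectName / safeGetObjectNameList assignments …
} catch (RuntimeException e) {
    // null or non-ObjectName element in a deserialized list:
    // reject it the same way as any other invalid stream
    super.setSource(null);
    InvalidObjectException ioe = new InvalidObjectException("Invalid object read");
    ioe.initCause(e);
    throw ioe;
}

// … unchanged: relationId, relationTypeName, roleName assignments …
```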