view patches/security/20130618/8001318-socket_getlocaladdress_consistency.patch @ 3004:08ce3247b5b0

Add 2013/06/18 security patches. 2013-06-22 Andrew John Hughes <gnu.andrew@member.fsf.org> * patches/idresolver_fix.patch: Removed. Part of 6469266. * Makefile.am: (SECURITY_PATCHES): Add new ones. (SPECIAL_SECURITY_PATCH_1): Renamed from SPECIAL_SECURITY_PATCH. (SPECIAL_SECURITY_PATCH_2): Add 8009071, which needs to be applied after some AWT backports. (ICEDTEA_PATCHES): Use SPECIAL_SECURITY_PATCH_{1,2}. Move 8005615, 8007393 & 8007611 to SECURITY_PATCHES as must be applied before 8004584. Add 7171223 to end. * patches/openjdk/6307603-xrender-01.patch, * patches/openjdk/6469266-xmlsec_1.4.2.patch, * patches/openjdk/6656651-windows_lcd_glyphs.patch, * patches/openjdk/6786028-wcag_bold_tags.patch, * patches/openjdk/6786682-wcag_lang.patch, * patches/openjdk/6786688-wcag_table.patch, * patches/openjdk/6786690-wcag_dl.patch, * patches/openjdk/6802694-no_deprecated.patch, * patches/openjdk/6851834-restructure.patch, * patches/openjdk/6888167-medialib_memory_leaks.patch, * patches/openjdk/6961178-doclet_xml.patch, * patches/openjdk/6990754-use_native_memory_for_symboltable.patch, * patches/openjdk/7006270-regressions.patch, * patches/openjdk/7008809-report_class_in_arraystoreexception.patch, * patches/openjdk/7014851-unused_parallel_compaction_code.patch, * patches/openjdk/7017732-move_static_fields_to_class.patch, * patches/openjdk/7036747-elfstringtable.patch, * patches/openjdk/7086585-flexible_field_injection.patch, * patches/openjdk/7171223-strict_aliasing.patch, * patches/openjdk/7195301-no_instanceof_node.patch, * patches/security/20130618/6741606-apache_santuario.patch, * patches/security/20130618/7158805-nested_subroutine_rewriting.patch, * patches/security/20130618/7170730-windows_network_stack.patch, * patches/security/20130618/8000638-improve_deserialization.patch, * patches/security/20130618/8000642-better_transportation_handling.patch, * patches/security/20130618/8001032-restrict_object_access-corba.patch, * 
patches/security/20130618/8001032-restrict_object_access-jdk.patch, * patches/security/20130618/8001033-refactor_address_handling.patch, * patches/security/20130618/8001034-memory_management.patch, * patches/security/20130618/8001038-resourcefully_handle_resources.patch, * patches/security/20130618/8001043-clarify_definition_restrictions.patch, * patches/security/20130618/8001309-better_handling_of_annotation_interfaces.patch, * patches/security/20130618/8001318-6_fixup.patch, * patches/security/20130618/8001318-socket_getlocaladdress_consistency.patch, * patches/security/20130618/8001330-checking_order_improvement.patch, * patches/security/20130618/8001330-improve_checking_order.patch, * patches/security/20130618/8003703-update_rmi_connection_dialog.patch, * patches/security/20130618/8004584-augment_applet_contextualization.patch, * patches/security/20130618/8005007-better_glyph_processing.patch, * patches/security/20130618/8006328-6_fixup.patch, * patches/security/20130618/8006328-sound_class_robustness.patch, * patches/security/20130618/8006611-improve_scripting.patch, * patches/security/20130618/8007467-improve_jmx_internal_api_robustness.patch, * patches/security/20130618/8007471-6_fixup.patch, * patches/security/20130618/8007471-improve_mbean_notifications.patch, * patches/security/20130618/8007812-getenclosingmethod.patch, * patches/security/20130618/8008120-improve_jmx_class_checking.patch, * patches/security/20130618/8008124-better_compliance_testing.patch, * patches/security/20130618/8008128-better_jmx_api_coherence.patch, * patches/security/20130618/8008132-better_serialization.patch, * patches/security/20130618/8008585-jmx_data_handling.patch, * patches/security/20130618/8008593-better_urlclassloader.patch, * patches/security/20130618/8008603-jmx_provider_provision.patch, * patches/security/20130618/8008611-6_fixup.patch, * patches/security/20130618/8008611-jmx_annotations.patch, * patches/security/20130618/8008615-jmx_internal_api_robustness.patch, * 
patches/security/20130618/8008623-mbeanserver_handling.patch, * patches/security/20130618/8008744-6741606_rework.patch, * patches/security/20130618/8008982-jmx_interface_changes.patch, * patches/security/20130618/8009004-rmi_connection_improvement.patch, * patches/security/20130618/8009013-t2k_glyphs.patch, * patches/security/20130618/8009034-jmx_notification_improvement.patch, * patches/security/20130618/8009038-jmx_notification_support_improvement.patch, * patches/security/20130618/8009067-improve_key_storing.patch, * patches/security/20130618/8009071-improve_shape_handling.patch, * patches/security/20130618/8009235-improve_tsa_data_handling.patch, * patches/security/20130618/8009554-serialjavaobject.patch, * patches/security/20130618/8011243-improve_imaginglib.patch, * patches/security/20130618/8011248-better_component_rasters.patch, * patches/security/20130618/8011253-better_short_component_rasters.patch, * patches/security/20130618/8011257-better_byte_component_rasters.patch, * patches/security/20130618/8011557-improve_reflection.patch, * patches/security/20130618/8012375-javadoc_framing.patch, * patches/security/20130618/8012421-better_positioning.patch, * patches/security/20130618/8012438-better_image_validation.patch, * patches/security/20130618/8012597-better_image_channel_validation.patch, * patches/security/20130618/8012601-better_layout_validation.patch, * patches/security/20130618/8014281-better_xml_signature_checking.patch, * patches/security/20130618/8015997-more_javadoc_framing.patch, * patches/security/20130618/diamond_fix.patch, * patches/security/20130618/handle_npe.patch, * patches/security/20130618/hs_merge-01.patch, * patches/security/20130618/hs_merge-02.patch, * patches/security/20130618/hs_merge-03.patch, * patches/security/20130618/hs_merge-04.patch, * patches/security/20130618/javac_issue.patch, * patches/security/20130618/langtools_generics.patch, * patches/security/20130618/langtools_merge-01.patch, * 
patches/security/20130618/langtools_merge-02.patch, * patches/security/20130618/langtools_merge-03.patch: 2013/06/18 security patches. * patches/apache-xml-internal-fix-bug-38655.patch: Remove.
author Andrew John Hughes <gnu.andrew@redhat.com>
date Sat, 22 Jun 2013 16:38:24 -0500
parents
children

# HG changeset patch
# User andrew
# Date 1371237878 -3600
# Node ID f2c674e184e04dcd8e39b6ba6f784c75a3553ef5
# Parent  1226e37bd53ebb2c4fbb9d71dd60ee5e226c9f1b
8001318: Socket.getLocalAddress not consistent with InetAddress.getLocalHost

diff --git a/src/share/classes/java/net/NetUtil.java b/src/share/classes/java/net/NetUtil.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/java/net/NetUtil.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.net;
+
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
+
+class NetUtil {
+
+    // Value of jdk.net.revealLocalAddress
+    private static boolean revealLocalAddress;
+
+    // True if jdk.net.revealLocalAddress had been read
+    private static volatile boolean propRevealLocalAddr;
+
+    /*
+     * Returns true if security check on localAddress is disabled
+     */
+    static boolean doRevealLocalAddress() {
+        return propRevealLocalAddr ? revealLocalAddress
+                                     : readRevealLocalAddr();
+
+    }
+
+    private static boolean readRevealLocalAddr() {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            try {
+                revealLocalAddress = Boolean.parseBoolean(
+                      AccessController.doPrivileged(
+                          new PrivilegedExceptionAction<String>() {
+                              public String run() {
+                                  return System.getProperty(
+                                      "jdk.net.revealLocalAddress");
+                              }
+                          }));
+
+            } catch (Exception e) {
+                //revealLocalAddress is false
+            }
+            propRevealLocalAddr = true;
+        }
+        /*
+         * No security manager, or security check passed or
+         * jdk.net.revealLocalAddress set to true
+         */
+        return revealLocalAddress;
+    }
+
+}
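Review bot: The trailing comment in `readRevealLocalAddr()` does not match the code: with no security manager the method returns the field's default `false` and never sets `propRevealLocalAddr`, so the result does not mean "check passed or property set to true". The callers added in this patch test `System.getSecurityManager()` again before enforcing anything, so this is harmless, but the comment should say so, e.g. `// no security manager: callers re-check sm before enforcing, so the value is unused`. The empty `catch (Exception e)` is a fail-closed default and deserves a fuller comment such as `// property unreadable: keep false so the local address stays hidden`; because `run()` throws no checked exception, `PrivilegedAction<String>` would remove the need for the catch. In the visible code the value is cached for good once a security manager is installed, which is worth stating in a class comment.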
diff --git a/src/share/classes/java/net/ServerSocket.java b/src/share/classes/java/net/ServerSocket.java
--- openjdk/jdk/src/share/classes/java/net/ServerSocket.java
+++ openjdk/jdk/src/share/classes/java/net/ServerSocket.java
@@ -355,7 +355,15 @@
         if (!isBound())
             return null;
         try {
-            return getImpl().getInetAddress();
+            InetAddress in = getImpl().getInetAddress();
+            if (!NetUtil.doRevealLocalAddress()) {
+                SecurityManager sm = System.getSecurityManager();
+                if (sm != null)
+                    sm.checkConnect(in.getHostAddress(), -1);
+            }
+            return in;
+        } catch (SecurityException e) {
+            return InetAddress.getLoopbackAddress();
         } catch (SocketException e) {
             // nothing
             // If we're bound, the impl has been created
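Review bot: Nothing tells callers that this method can now return the loopback address instead of the bound one: the new `catch (SecurityException e)` branch substitutes `InetAddress.getLoopbackAddress()` silently when `checkConnect` is denied. The method's Javadoc lies outside the hunk; it should state that with a security manager installed `checkConnect(address, -1)` is consulted, that loopback is returned on denial, and that `jdk.net.revealLocalAddress` disables the check. The same documentation gap applies to the `Socket.java` hunk, which adds the identical check and fallback. A caller that logs or compares the result cannot otherwise tell a masked value from a socket that really is bound to loopback.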
@@ -660,13 +668,20 @@
      *
      * @return  a string representation of this socket.
      */
-    public String toString() {
+   public String toString() {
         if (!isBound())
             return "ServerSocket[unbound]";
-        return "ServerSocket[addr=" + impl.getInetAddress() +
-                ",port=" + impl.getPort() +
+        InetAddress in;
+        if (!NetUtil.doRevealLocalAddress() &&
+                System.getSecurityManager() != null)
+        {
+            in = InetAddress.getLoopbackAddress();
+        } else {
+            in = impl.getInetAddress();
+        }
+        return "ServerSocket[addr=" + in +
                 ",localport=" + impl.getLocalPort()  + "]";
-    }
+   }
 
     void setBound() {
         bound = true;
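Review bot: `toString()` masks more aggressively than `getInetAddress()` in the previous hunk: it substitutes loopback whenever a security manager is present and the property is unset, without calling `checkConnect`, so code that holds the permission gets the real address from the getter but loopback here. If that is intended, record it with a comment such as `// no permission check from toString(); always mask under a security manager`. The hunk also drops `,port=` from the returned string, which changes its format. It re-indents `public String toString() {` and its closing brace to three spaces, which should go back to the file's four.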
diff --git a/src/share/classes/java/net/Socket.java b/src/share/classes/java/net/Socket.java
--- openjdk/jdk/src/share/classes/java/net/Socket.java
+++ openjdk/jdk/src/share/classes/java/net/Socket.java
@@ -656,9 +656,17 @@
         InetAddress in = null;
         try {
             in = (InetAddress) getImpl().getOption(SocketOptions.SO_BINDADDR);
+
+            if (!NetUtil.doRevealLocalAddress()) {
+                SecurityManager sm = System.getSecurityManager();
+                if (sm != null)
+                    sm.checkConnect(in.getHostAddress(), -1);
+            }
             if (in.isAnyLocalAddress()) {
                 in = InetAddress.anyLocalAddress();
             }
+        } catch (SecurityException e) {
+            in = InetAddress.getLoopbackAddress();
         } catch (Exception e) {
             in = InetAddress.anyLocalAddress(); // "0.0.0.0"
         }
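Review bot: The permission check runs before the `isAnyLocalAddress()` test, so a socket bound to the wildcard address appears to get `checkConnect` called on the wildcard and, on denial, to report loopback rather than the wildcard. The wildcard discloses nothing about the host, so the check could be limited to the non-wildcard case by testing `in.isAnyLocalAddress()` first and calling `checkConnect` only in the else branch. If the current order is deliberate, a one-line comment above the check should say why. The enclosing method starts and ends outside the hunk.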
diff --git a/src/share/classes/java/net/SocksSocketImpl.java b/src/share/classes/java/net/SocksSocketImpl.java
--- openjdk/jdk/src/share/classes/java/net/SocksSocketImpl.java
+++ openjdk/jdk/src/share/classes/java/net/SocksSocketImpl.java
@@ -28,6 +28,7 @@
 import java.io.OutputStream;
 import java.io.BufferedOutputStream;
 import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
 import java.util.prefs.Preferences;
 import sun.net.www.ParseUtil;
@@ -584,7 +585,13 @@
         /* Test for AnyLocal */
         InetAddress naddr = baddr;
         if (naddr.isAnyLocalAddress()) {
-            naddr = cmdsock.getLocalAddress();
+            naddr = AccessController.doPrivileged(
+                        new PrivilegedAction<InetAddress>() {
+                            public InetAddress run() {
+                                return cmdsock.getLocalAddress();
+
+                            }
+                        });
             addr1 = naddr.getAddress();
         }
         out.write(PROTO_VERS4);
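Review bot: The `doPrivileged` block carries no comment explaining why privilege is asserted here. Presumably the SOCKS request written just below needs the real local address rather than the loopback value that `Socket.getLocalAddress()` now returns to unprivileged callers; a comment such as `// privileged: the proxy request needs the real bound address, which is not handed back to the caller` would record that. The stray blank line inside `run()` can be removed. The method continues outside the hunk, so whether `naddr` later escapes to the caller cannot be confirmed from here.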
diff --git a/src/share/classes/sun/net/NetworkClient.java b/src/share/classes/sun/net/NetworkClient.java
--- openjdk/jdk/src/share/classes/sun/net/NetworkClient.java
+++ openjdk/jdk/src/share/classes/sun/net/NetworkClient.java
@@ -198,7 +198,13 @@
     protected InetAddress getLocalAddress() throws IOException {
         if (serverSocket == null)
             throw new IOException("not connected");
-        return serverSocket.getLocalAddress();
+        return  AccessController.doPrivileged(
+                        new PrivilegedAction<InetAddress>() {
+                            public InetAddress run() {
+                                return serverSocket.getLocalAddress();
+
+                            }
+                        });
     }
 
     /** Close an open connection to the server. */
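Review bot: Wrapping `serverSocket.getLocalAddress()` in `doPrivileged` and returning the result gives every caller of this `protected` method the unmasked address regardless of its own permissions, which sidesteps the check this patch adds to `Socket.getLocalAddress()`. The same pattern appears in `ServerImpl.getAddress()`, both `Activation` hunks and `WrappedSocket.getLocalAddress()`, each of which returns the privileged result directly. If the assumption is that these `sun.*` classes are unreachable from untrusted code under a security manager, state it at each site, e.g. `// privileged: internal callers only; sun.* is package-access restricted`; otherwise the wrapper should apply the same `checkConnect` test before returning. This file's section adds no imports for `AccessController` or `PrivilegedAction`, so confirm they are already present.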
diff --git a/src/share/classes/sun/net/httpserver/ServerImpl.java b/src/share/classes/sun/net/httpserver/ServerImpl.java
--- openjdk/jdk/src/share/classes/sun/net/httpserver/ServerImpl.java
+++ openjdk/jdk/src/share/classes/sun/net/httpserver/ServerImpl.java
@@ -30,6 +30,8 @@
 import java.nio.*;
 import java.security.*;
 import java.nio.channels.*;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.*;
 import java.util.concurrent.*;
 import java.util.logging.Logger;
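Review bot: The two added single-type imports are redundant, because the `import java.security.*;` context line two lines above them already brings `AccessController` and `PrivilegedAction` into scope. Either drop the additions or replace the wildcard with explicit imports so the file follows one style.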
@@ -222,7 +224,14 @@
     }
 
     public InetSocketAddress getAddress() {
-        return (InetSocketAddress)schan.socket().getLocalSocketAddress();
+        return AccessController.doPrivileged(
+                new PrivilegedAction<InetSocketAddress>() {
+                    public InetSocketAddress run() {
+                        return
+                            (InetSocketAddress)schan.socket()
+                                .getLocalSocketAddress();
+                    }
+                });
     }
 
     Selector getSelector () {
diff --git a/src/share/classes/sun/nio/ch/DatagramChannelImpl.java b/src/share/classes/sun/nio/ch/DatagramChannelImpl.java
--- openjdk/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java
+++ openjdk/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java
@@ -83,8 +83,8 @@
     private int state = ST_UNINITIALIZED;
 
     // Binding
-    private SocketAddress localAddress = null;
-    SocketAddress remoteAddress = null;
+    private InetSocketAddress localAddress = null;
+    InetSocketAddress remoteAddress = null;
 
     // Options
     private SocketOpts.IP options = null;
@@ -500,7 +500,7 @@
                 InetSocketAddress isa = (InetSocketAddress)localAddress;
                 sm.checkConnect(isa.getAddress().getHostAddress(), -1);
             }
-            return localAddress;
+            return Net.getRevealedLocalAddress(localAddress);
         }
     }
 
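Review bot: The context lines above the change still call `sm.checkConnect(...)` with no visible catch, so a denied check would throw before `Net.getRevealedLocalAddress(localAddress)` is reached and the masking on the new line would never apply to an unprivileged caller. That leaves this method throwing `SecurityException` where `Socket.getLocalAddress()` now returns loopback; if the difference is intended it needs a comment, otherwise the older check should give way to the new call. The cast in `InetSocketAddress isa = (InetSocketAddress)localAddress;` is also redundant now that the field is declared `InetSocketAddress`. The method begins outside the hunk, so an enclosing try/catch cannot be ruled out.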
@@ -543,6 +543,7 @@
         }
     }
 
+    @Override
     public DatagramChannel connect(SocketAddress sa) throws IOException {
         int trafficClass = 0;
         int localPort = 0;
@@ -565,7 +566,7 @@
 
                     // Connection succeeded; disallow further invocation
                     state = ST_CONNECTED;
-                    remoteAddress = sa;
+                    remoteAddress = isa;
                     sender = isa;
                     cachedSenderInetAddress = isa.getAddress();
                     cachedSenderPort = isa.getPort();
@@ -581,7 +582,7 @@
                 synchronized (stateLock) {
                     if (!isConnected() || !isOpen())
                         return this;
-                    InetSocketAddress isa = (InetSocketAddress)remoteAddress;
+                    InetSocketAddress isa = remoteAddress;
                     SecurityManager sm = System.getSecurityManager();
                     if (sm != null)
                         sm.checkConnect(isa.getAddress().getHostAddress(),
diff --git a/src/share/classes/sun/nio/ch/Net.java b/src/share/classes/sun/nio/ch/Net.java
--- openjdk/jdk/src/share/classes/sun/nio/ch/Net.java
+++ openjdk/jdk/src/share/classes/sun/nio/ch/Net.java
@@ -36,6 +36,12 @@
     private Net() { }
 
 
+    // Value of jdk.net.revealLocalAddress
+    private static boolean revealLocalAddress;
+
+    // True if jdk.net.revealLocalAddress had been read
+    private static volatile boolean propRevealLocalAddress;
+
     // set to true if exclusive binding is on for Windows
     private static final boolean exclusiveBind;
 
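Review bot: Nothing visible in this patch defines `Net.getRevealedLocalAddress(...)` or `Net.getRevealedLocalAddressAsString(...)`, which other hunks call; the lines added here are only the two cache fields, with no code that reads them. Presumably the methods come from another patch in the series (the commit message lists `8001318-6_fixup.patch`), and a note in the patch header naming that dependency would keep the two from being applied apart. The fields also duplicate the state held in `java.net.NetUtil`, so the property is read and cached twice; a comment should say that `Net` cannot share it because `NetUtil` is package-private to `java.net`. The flag names differ slightly (`propRevealLocalAddress` here, `propRevealLocalAddr` there), which makes searching for it harder.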
diff --git a/src/share/classes/sun/nio/ch/ServerSocketAdaptor.java b/src/share/classes/sun/nio/ch/ServerSocketAdaptor.java
--- openjdk/jdk/src/share/classes/sun/nio/ch/ServerSocketAdaptor.java
+++ openjdk/jdk/src/share/classes/sun/nio/ch/ServerSocketAdaptor.java
@@ -83,7 +83,8 @@
     public InetAddress getInetAddress() {
         if (!ssc.isBound())
             return null;
-        return Net.asInetSocketAddress(ssc.localAddress()).getAddress();
+        return Net.getRevealedLocalAddress(ssc.localAddress()).getAddress();
+
     }
 
     public int getLocalPort() {
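Review bot: Assuming `ssc` is a `ServerSocketChannelImpl`, `ssc.localAddress()` already returns a masked value after this patch, so passing it to `Net.getRevealedLocalAddress(...)` again applies the masking, and presumably the permission check, twice. The same double application appears in `SocketAdaptor.getLocalAddress()` and in both channel `toString()` hunks, which hand the result of `localAddress()` to `Net.getRevealedLocalAddressAsString`. Here `return ssc.localAddress().getAddress();` would be enough. The added blank line before the closing brace should be removed.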
diff --git a/src/share/classes/sun/nio/ch/ServerSocketChannelImpl.java b/src/share/classes/sun/nio/ch/ServerSocketChannelImpl.java
--- openjdk/jdk/src/share/classes/sun/nio/ch/ServerSocketChannelImpl.java
+++ openjdk/jdk/src/share/classes/sun/nio/ch/ServerSocketChannelImpl.java
@@ -75,7 +75,7 @@
     private int state = ST_UNINITIALIZED;
 
     // Binding
-    private SocketAddress localAddress = null; // null => unbound
+    private InetSocketAddress localAddress; // null => unbound
 
     // Options, created on demand
     private SocketOpts.IP.TCP options = null;
@@ -118,9 +118,11 @@
         }
     }
 
-    public SocketAddress localAddress() {
+    public InetSocketAddress localAddress() {
         synchronized (stateLock) {
-            return localAddress;
+            return localAddress == null? localAddress
+                    : Net.getRevealedLocalAddress(
+                          Net.asInetSocketAddress(localAddress));
         }
     }
 
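Review bot: `return localAddress == null? localAddress : ...` returns the field only when it is null, which reads as though the real address might be returned unmasked; write `null` explicitly. `Net.asInetSocketAddress(localAddress)` is redundant now that the field is declared `InetSocketAddress`. Suggested form: `return localAddress == null ? null : Net.getRevealedLocalAddress(localAddress);`.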
@@ -307,14 +309,15 @@
         StringBuffer sb = new StringBuffer();
         sb.append(this.getClass().getName());
         sb.append('[');
-        if (!isOpen())
+        if (!isOpen()) {
             sb.append("closed");
-        else {
+        } else {
             synchronized (stateLock) {
-                if (localAddress() == null) {
+                InetSocketAddress addr = localAddress();
+                if (addr == null) {
                     sb.append("unbound");
                 } else {
-                    sb.append(localAddress().toString());
+                    sb.append(Net.getRevealedLocalAddressAsString(addr));
                 }
             }
         }
diff --git a/src/share/classes/sun/nio/ch/SocketAdaptor.java b/src/share/classes/sun/nio/ch/SocketAdaptor.java
--- openjdk/jdk/src/share/classes/sun/nio/ch/SocketAdaptor.java
+++ openjdk/jdk/src/share/classes/sun/nio/ch/SocketAdaptor.java
@@ -162,7 +162,7 @@
     public InetAddress getLocalAddress() {
         if (!sc.isBound())
             return new InetSocketAddress(0).getAddress();
-        return Net.asInetSocketAddress(sc.localAddress()).getAddress();
+        return Net.getRevealedLocalAddress(sc.localAddress()).getAddress();
     }
 
     public int getPort() {
diff --git a/src/share/classes/sun/nio/ch/SocketChannelImpl.java b/src/share/classes/sun/nio/ch/SocketChannelImpl.java
--- openjdk/jdk/src/share/classes/sun/nio/ch/SocketChannelImpl.java
+++ openjdk/jdk/src/share/classes/sun/nio/ch/SocketChannelImpl.java
@@ -78,8 +78,8 @@
     private int state = ST_UNINITIALIZED;
 
     // Binding
-    private SocketAddress localAddress = null;
-    private SocketAddress remoteAddress = null;
+    private InetSocketAddress localAddress;
+    private InetSocketAddress remoteAddress;
 
     // Input/Output open
     private boolean isInputOpen = true;
@@ -443,7 +443,7 @@
         }
     }
 
-    public SocketAddress localAddress() {
+    public InetSocketAddress localAddress() {
         synchronized (stateLock) {
             if (state == ST_CONNECTED &&
                 (localAddress == null ||
@@ -452,7 +452,7 @@
                     // Socket was bound with an "anyLocalAddress"
                     localAddress = Net.localAddress(fd);
             }
-            return localAddress;
+            return  Net.getRevealedLocalAddress(localAddress);
         }
     }
 
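Review bot: `localAddress` can still be null on this path (the `toString()` hunk further down tests `addr != null`), yet it is passed straight to `Net.getRevealedLocalAddress`, whereas `ServerSocketChannelImpl.localAddress()` guards the null case before calling it. The helper is not defined in this patch, so its null handling cannot be checked from here; either add the same guard, `return localAddress == null ? null : Net.getRevealedLocalAddress(localAddress);`, or document on the helper that null is passed through. There is also a doubled space after `return`.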
@@ -830,6 +830,7 @@
         return fdVal;
     }
 
+    @Override
     public String toString() {
         StringBuffer sb = new StringBuffer();
         sb.append(this.getClass().getSuperclass().getName());
@@ -853,9 +854,10 @@
                         sb.append(" oshut");
                     break;
                 }
-                if (localAddress() != null) {
+                InetSocketAddress addr = localAddress();
+                if (addr != null) {
                     sb.append(" local=");
-                    sb.append(localAddress().toString());
+                    sb.append(Net.getRevealedLocalAddressAsString(addr));
                 }
                 if (remoteAddress() != null) {
                     sb.append(" remote=");
diff --git a/src/share/classes/sun/rmi/server/Activation.java b/src/share/classes/sun/rmi/server/Activation.java
--- openjdk/jdk/src/share/classes/sun/rmi/server/Activation.java
+++ openjdk/jdk/src/share/classes/sun/rmi/server/Activation.java
@@ -2202,7 +2202,12 @@
         }
 
         public InetAddress getInetAddress() {
-            return serverSocket.getInetAddress();
+            return AccessController.doPrivileged(
+                new PrivilegedAction<InetAddress>() {
+                    public InetAddress run() {
+                        return serverSocket.getInetAddress();
+                    }
+                });
         }
 
         public int getLocalPort() {
@@ -2210,7 +2215,12 @@
         }
 
         public SocketAddress getLocalSocketAddress() {
-            return serverSocket.getLocalSocketAddress();
+            return AccessController.doPrivileged(
+                new PrivilegedAction<SocketAddress>() {
+                    public SocketAddress run() {
+                        return serverSocket.getLocalSocketAddress();
+                    }
+                });
         }
 
         /**
diff --git a/src/share/classes/sun/rmi/transport/proxy/WrappedSocket.java b/src/share/classes/sun/rmi/transport/proxy/WrappedSocket.java
--- openjdk/jdk/src/share/classes/sun/rmi/transport/proxy/WrappedSocket.java
+++ openjdk/jdk/src/share/classes/sun/rmi/transport/proxy/WrappedSocket.java
@@ -28,6 +28,8 @@
 import java.net.InetAddress;
 import java.net.Socket;
 import java.net.SocketException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 /**
  * The WrappedSocket class provides a general wrapper for providing an
@@ -78,7 +80,13 @@
      * Get the local address to which the socket is bound.
      */
     public InetAddress getLocalAddress() {
-        return socket.getLocalAddress();
+        return  AccessController.doPrivileged(
+                        new PrivilegedAction<InetAddress>() {
+                            public InetAddress run() {
+                                return socket.getLocalAddress();
+
+                            }
+                        });
     }
 
     /**