Mercurial > hg > release > icedtea6-1.12
changeset 2997:460828862a9e
Fix Backport from S6657673.
2013-04-19 Elliott Baron <ebaron@redhat.com>
* Makefile.am:
(ICEDTEA_PATCHES): Add new patch.
* patches/security/20130416/6657673.patch:
Removed {parser,transform}.FactoryFinder hunks.
* patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch:
Backported {parser,transform}.FactoryFinder fixes
from jdk7u-dev changesets: 4a61ac055189 & 38d4d23d167c.
* NEWS: Updated.
| author | Elliott Baron <ebaron@redhat.com> |
|---|---|
| date | Fri, 19 Apr 2013 14:38:19 -0400 |
| parents | b7490b3606ec |
| children | 148faa0f0f08 |
| files | ChangeLog Makefile.am NEWS patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch patches/security/20130416/6657673.patch |
| diffstat | 5 files changed, 316 insertions(+), 51 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Fri Apr 19 11:38:18 2013 +0100 +++ b/ChangeLog Fri Apr 19 14:38:19 2013 -0400 @@ -1,3 +1,14 @@ +2013-04-19 Elliott Baron <ebaron@redhat.com> + + * Makefile.am: + (ICEDTEA_PATCHES): Add new patch. + * patches/security/20130416/6657673.patch: + Removed {parser,transform}.FactoryFinder hunks. + * patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch: + Backported {parser,transform}.FactoryFinder fixes + from jdk7u-dev changesets: 4a61ac055189 & 38d4d23d167c. + * NEWS: Updated. + 2013-04-19 Jiri Vanek <jvanek@redhat.com> * patches/security/20130416/8007667.patch:
--- a/Makefile.am Fri Apr 19 11:38:18 2013 +0100 +++ b/Makefile.am Fri Apr 19 14:38:19 2013 -0400 @@ -301,6 +301,7 @@ patches/openjdk/8004302-soap_test_failure.patch \ patches/security/20130416/6657673.patch \ patches/security/20130416/6657673-fixup.patch \ + patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch \ patches/openjdk/6669869-queries_per_appcontext.patch \ patches/openjdk/5102804-memory_leak.patch \ patches/openjdk/6963811-deadlock_fix.patch \
--- a/NEWS Fri Apr 19 11:38:18 2013 +0100 +++ b/NEWS Fri Apr 19 14:38:19 2013 -0400 @@ -66,6 +66,7 @@ - PR1319: Correct #ifdef to #if - PR1402: Support glibc < 2.17 with AArch64 patch - Give xalan/xerces access to their own internal packages. + - Fix backport from S6657673. New in release 1.12.4 (2013-03-04):
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch Fri Apr 19 14:38:19 2013 -0400 @@ -0,0 +1,303 @@ +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk.new/jaxp/openjdk/jaxp/drop_included_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-19 12:18:45.225000000 -0400 ++++ openjdk.new/jaxp/openjdk/jaxp/drop_included_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-19 11:53:01.791879226 -0400 +@@ -25,15 +25,12 @@ + + package javax.xml.parsers; + +-import java.io.File; +-import java.io.FileInputStream; +- +-import java.util.Properties; + import java.io.BufferedReader; ++import java.io.File; + import java.io.IOException; + import java.io.InputStream; + import java.io.InputStreamReader; +-import java.net.URL; ++import java.util.Properties; + + /** + * <p>Implements pluggable Datatypes.</p> +@@ -42,9 +39,10 @@ + * sync. It is package private for secure class loading.</p> + * + * @author Santiago.PericasGeertsen@sun.com ++ * @author Huizhe.Wang@oracle.com + */ + class FactoryFinder { +- ++ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal"; + /** + * Internal debug flag. + */ +@@ -95,18 +93,24 @@ + * If the class loader supplied is <code>null</code>, first try using the + * context class loader followed by the current (i.e. bootstrap) class + * loader. ++ * ++ * Use bootstrap classLoader if cl = null and useBSClsLoader is true + */ + static private Class getProviderClass(String className, ClassLoader cl, +- boolean doFallback) throws ClassNotFoundException ++ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException + { + try { + if (cl == null) { +- cl = ss.getContextClassLoader(); +- if (cl == null) { +- throw new ClassNotFoundException(); +- } +- else { +- return cl.loadClass(className); ++ if (useBSClsLoader) { ++ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); ++ } else { ++ cl = ss.getContextClassLoader(); ++ if (cl == null) { ++ throw new ClassNotFoundException(); ++ } ++ else { ++ return cl.loadClass(className); ++ } + } + } + else { +@@ -131,8 +135,8 @@ + * @param className Name of the concrete class corresponding to the + * service provider + * +- * @param cl ClassLoader to use to load the class, null means to use +- * the bootstrap ClassLoader ++ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> ++ * current <code>Thread</code>'s context classLoader is used to load the factory class. + * + * @param doFallback True if the current ClassLoader should be tried as + * a fallback if the class is not found using cl +@@ -140,8 +144,38 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ return newInstance(className, cl, doFallback, false); ++ } ++ ++ /** ++ * Create an instance of a class. Delegates to method ++ * <code>getProviderClass()</code> in order to load the class. ++ * ++ * @param className Name of the concrete class corresponding to the ++ * service provider ++ * ++ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> ++ * current <code>Thread</code>'s context classLoader is used to load the factory class. ++ * ++ * @param doFallback True if the current ClassLoader should be tried as ++ * a fallback if the class is not found using cl ++ * ++ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter ++ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. ++ */ ++ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) ++ throws ConfigurationError ++ { ++ // make sure we have access to restricted packages ++ if (System.getSecurityManager() != null) { ++ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { ++ cl = null; ++ useBSClsLoader = true; ++ } ++ } ++ + try { +- Class providerClass = getProviderClass(className, cl, doFallback); ++ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); + Object instance = providerClass.newInstance(); + if (debug) { // Extra check to avoid computing cl strings + dPrint("created new instance of " + providerClass + +@@ -244,6 +278,7 @@ + + // First try the Context ClassLoader + ClassLoader cl = ss.getContextClassLoader(); ++ boolean useBSClsLoader = false; + if (cl != null) { + is = ss.getResourceAsStream(cl, serviceId); + +@@ -251,11 +286,13 @@ + if (is == null) { + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + } else { + // No Context ClassLoader, try the current ClassLoader + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + + if (is == null) { +@@ -293,7 +330,7 @@ + // ClassLoader because we want to avoid the case where the + // resource file was found using one ClassLoader and the + // provider class was instantiated using a different one. +- return newInstance(factoryClassName, cl, false); ++ return newInstance(factoryClassName, cl, false, useBSClsLoader); + } + + // No provider found +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk.new/jaxp/openjdk/jaxp/drop_included_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-19 12:18:45.225000000 -0400 ++++ openjdk.new/jaxp/openjdk/jaxp/drop_included_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-19 12:13:52.618746094 -0400 +@@ -42,8 +42,10 @@ + * sync. It is package private for secure class loading.</p> + * + * @author Santiago.PericasGeertsen@sun.com ++ * @author Huizhe.Wang@oracle.com + */ + class FactoryFinder { ++ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xalan.internal."; + + /** + * Internal debug flag. +@@ -95,18 +97,24 @@ + * If the class loader supplied is <code>null</code>, first try using the + * context class loader followed by the current (i.e. bootstrap) class + * loader. ++ * ++ * Use bootstrap classLoader if cl = null and useBSClsLoader is true + */ + static private Class getProviderClass(String className, ClassLoader cl, +- boolean doFallback) throws ClassNotFoundException ++ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException + { + try { + if (cl == null) { +- cl = ss.getContextClassLoader(); +- if (cl == null) { +- throw new ClassNotFoundException(); +- } +- else { +- return cl.loadClass(className); ++ if (useBSClsLoader) { ++ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); ++ } else { ++ cl = ss.getContextClassLoader(); ++ if (cl == null) { ++ throw new ClassNotFoundException(); ++ } ++ else { ++ return cl.loadClass(className); ++ } + } + } + else { +@@ -131,8 +139,8 @@ + * @param className Name of the concrete class corresponding to the + * service provider + * +- * @param cl ClassLoader to use to load the class, null means to use +- * the bootstrap ClassLoader ++ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> ++ * current <code>Thread</code>'s context classLoader is used to load the factory class. + * + * @param doFallback True if the current ClassLoader should be tried as + * a fallback if the class is not found using cl +@@ -140,8 +148,38 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ return newInstance(className, cl, doFallback, false); ++ } ++ ++ /** ++ * Create an instance of a class. Delegates to method ++ * <code>getProviderClass()</code> in order to load the class. ++ * ++ * @param className Name of the concrete class corresponding to the ++ * service provider ++ * ++ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> ++ * current <code>Thread</code>'s context classLoader is used to load the factory class. ++ * ++ * @param doFallback True if the current ClassLoader should be tried as ++ * a fallback if the class is not found using cl ++ * ++ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter ++ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. ++ */ ++ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) ++ throws ConfigurationError ++ { ++ // make sure we have access to restricted packages ++ if (System.getSecurityManager() != null) { ++ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { ++ cl = null; ++ useBSClsLoader = true; ++ } ++ } ++ + try { +- Class providerClass = getProviderClass(className, cl, doFallback); ++ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); + Object instance = providerClass.newInstance(); + if (debug) { // Extra check to avoid computing cl strings + dPrint("created new instance of " + providerClass + +@@ -182,7 +220,7 @@ + String systemProp = ss.getSystemProperty(factoryId); + if (systemProp != null) { + dPrint("found system property, value=" + systemProp); +- return newInstance(systemProp, null, true); ++ return newInstance(systemProp, null, true, false); + } + } + catch (SecurityException se) { +@@ -210,7 +248,7 @@ + + if (factoryClassName != null) { + dPrint("found in $java.home/jaxp.properties, value=" + factoryClassName); +- return newInstance(factoryClassName, null, true); ++ return newInstance(factoryClassName, null, true, false); + } + } + catch (Exception ex) { +@@ -228,7 +266,7 @@ + } + + dPrint("loaded from fallback value: " + fallbackClassName); +- return newInstance(fallbackClassName, null, true); ++ return newInstance(fallbackClassName, null, true, false); + } + + /* +@@ -244,6 +282,7 @@ + + // First try the Context ClassLoader + ClassLoader cl = ss.getContextClassLoader(); ++ boolean useBSClsLoader = false; + if (cl != null) { + is = ss.getResourceAsStream(cl, serviceId); + +@@ -251,11 +290,13 @@ + if (is == null) { + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); +- } ++ useBSClsLoader = true; ++ } + } else { + // No Context ClassLoader, try the current ClassLoader + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + + if (is == null) { +@@ -293,7 +334,7 @@ + // ClassLoader because we want to avoid the case where the + // resource file was found using one ClassLoader and the + // provider class was instantiated using a different one. +- return newInstance(factoryClassName, cl, false); ++ return newInstance(factoryClassName, cl, false, useBSClsLoader); + } + + // No provider found
--- a/patches/security/20130416/6657673.patch Fri Apr 19 11:38:18 2013 +0100 +++ b/patches/security/20130416/6657673.patch Fri Apr 19 14:38:19 2013 -0400 @@ -8630,32 +8630,6 @@ } // No provider found -diff -Nru openjdk.orig/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java ---- openjdk.orig/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-16 14:28:09.788157518 +0100 -+++ openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-16 14:29:26.569394704 +0100 -@@ -44,7 +44,7 @@ - * @author Santiago.PericasGeertsen@sun.com - */ - class FactoryFinder { -- -+ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal"; - /** - * Internal debug flag. - */ -@@ -140,6 +140,13 @@ - static Object newInstance(String className, ClassLoader cl, boolean doFallback) - throws ConfigurationError - { -+ // make sure we have access to restricted packages -+ if (System.getSecurityManager() != null) { -+ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { -+ cl = null; -+ } -+ } -+ - try { - Class providerClass = getProviderClass(className, cl, doFallback); - Object instance = providerClass.newInstance(); diff -Nru openjdk.orig/jaxp/drop_included/jaxp_src/src/javax/xml/stream/FactoryFinder.java openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/stream/FactoryFinder.java --- openjdk.orig/jaxp/drop_included/jaxp_src/src/javax/xml/stream/FactoryFinder.java 2013-04-16 14:28:09.788157518 +0100 +++ openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/stream/FactoryFinder.java 2013-04-16 14:29:26.569394704 +0100 @@ -8815,31 +8789,6 @@ } // No provider found -diff -Nru openjdk.orig/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java ---- openjdk.orig/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-16 14:28:09.792157582 +0100 -+++ openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-16 14:29:26.569394704 +0100 -@@ -44,6 +44,7 @@ - * @author Santiago.PericasGeertsen@sun.com - */ - class FactoryFinder { -+ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xalan.internal."; - - /** - * Internal debug flag. -@@ -140,6 +141,13 @@ - static Object newInstance(String className, ClassLoader cl, boolean doFallback) - throws ConfigurationError - { -+ // make sure we have access to restricted packages -+ if (System.getSecurityManager() != null) { -+ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { -+ cl = null; -+ } -+ } -+ - try { - Class providerClass = getProviderClass(className, cl, doFallback); - Object instance = providerClass.newInstance(); diff -Nru openjdk.orig/jaxp/drop_included/jaxp_src/src/javax/xml/validation/SchemaFactoryFinder.java openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/validation/SchemaFactoryFinder.java --- openjdk.orig/jaxp/drop_included/jaxp_src/src/javax/xml/validation/SchemaFactoryFinder.java 2013-04-16 14:28:09.800157711 +0100 +++ openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/validation/SchemaFactoryFinder.java 2013-04-16 14:29:26.569394704 +0100