changeset 2999:f12754deed53
Cleanup from previous commit.
2013-04-24 Andrew John Hughes <gnu.andrew@redhat.com>
* Makefile.am:
(ICEDTEA_PATCHES): Rename patches.
* NEWS: List backports in previous change
correctly.
* patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch:
Moved to...
* patches/openjdk/7133220-factory_finder_parser_transform_useBSClassLoader.patch:
...this.
* patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch:
Moved to..
* patches/security/20130416/6657673-factory_finder.patch:
...this.
author | Andrew John Hughes <gnu.andrew@redhat.com> |
---|---|
date | Wed, 24 Apr 2013 09:21:10 +0100 |
parents | 148faa0f0f08 |
children | 681bcc5e6a18 |
files | ChangeLog Makefile.am NEWS patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch patches/openjdk/7133220-factory_finder_parser_transform_useBSClassLoader.patch patches/security/20130416/6657673-factory_finder.patch |
diffstat | 7 files changed, 370 insertions(+), 355 deletions(-) [+] |
--- a/ChangeLog Mon Apr 22 17:13:26 2013 -0400 +++ b/ChangeLog Wed Apr 24 09:21:10 2013 +0100 @@ -1,3 +1,18 @@ +2013-04-24 Andrew John Hughes <gnu.andrew@redhat.com> + + * Makefile.am: + (ICEDTEA_PATCHES): Rename patches. + * NEWS: List backports in previous change + correctly. + * patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch: + Moved to... + * patches/openjdk/7133220-factory_finder_parser_transform_useBSClassLoader.patch: + ...this. + * patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch: + Moved to.. + * patches/security/20130416/6657673-factory_finder.patch: + ...this. + 2013-04-22 Elliott Baron <ebaron@redhat.com> * Makefile.am:
--- a/Makefile.am Mon Apr 22 17:13:26 2013 -0400
+++ b/Makefile.am Wed Apr 24 09:21:10 2013 +0100
@@ -301,8 +301,8 @@
 patches/openjdk/8004302-soap_test_failure.patch \
 patches/security/20130416/6657673.patch \
 patches/security/20130416/6657673-fixup.patch \
- patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch \
- patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch \
+ patches/openjdk/7133220-factory_finder_parser_transform_useBSClassLoader.patch \
+ patches/security/20130416/6657673-factory_finder.patch \
 patches/openjdk/6669869-queries_per_appcontext.patch \
 patches/openjdk/5102804-memory_leak.patch \
 patches/openjdk/6963811-deadlock_fix.patch \
--- a/NEWS Mon Apr 22 17:13:26 2013 -0400 +++ b/NEWS Wed Apr 24 09:21:10 2013 +0100 @@ -57,6 +57,7 @@ - S7017324: Kerning crash in JDK 7 since ICU layout update - S7064279: Introspector.getBeanInfo() should release some resources in timely manner - S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01 + - S7133220: Additional patches to JAXP 1.4.5 update 1 for 7u4 (partial for S6657673) * Bug fixes - OJ3: Fix get_stack_bounds memory leak (alternate fix for S7197906) - PR1362: Fedora 19 / rawhide FTBFS SIGILL @@ -66,7 +67,6 @@ - PR1319: Correct #ifdef to #if - PR1402: Support glibc < 2.17 with AArch64 patch - Give xalan/xerces access to their own internal packages. - - Fix backport from S6657673. New in release 1.12.4 (2013-03-04):
--- a/patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch Mon Apr 22 17:13:26 2013 -0400
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,54 +0,0 @@ -diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java ---- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:42:32.138748378 -0400 -+++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:41:36.033419998 -0400 -@@ -44,7 +44,7 @@ - * @author Santiago.PericasGeertsen@sun.com - */ - class FactoryFinder { -- -+ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal"; - /** - * Internal debug flag. - */ -@@ -140,6 +140,14 @@ - static Object newInstance(String className, ClassLoader cl, boolean doFallback) - throws ConfigurationError - { -+ // make sure we have access to restricted packages -+ if (System.getSecurityManager() != null) { -+ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { -+ cl = null; -+ useBSClsLoader = true; -+ } -+ } -+ - try { - Class providerClass = getProviderClass(className, cl, doFallback); - Object instance = providerClass.newInstance(); -Only in openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers: FactoryFinder.java.orig -diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java ---- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:42:32.230748906 -0400 -+++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:41:41.268451218 -0400 -@@ -44,6 +44,7 @@ - * @author Santiago.PericasGeertsen@sun.com - */ - class FactoryFinder { -+ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xalan.internal."; - - /** - * Internal debug flag. 
-@@ -140,6 +141,14 @@ - static Object newInstance(String className, ClassLoader cl, boolean doFallback) - throws ConfigurationError - { -+ // make sure we have access to restricted packages -+ if (System.getSecurityManager() != null) { -+ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { -+ cl = null; -+ useBSClsLoader = true; -+ } -+ } -+ - try { - Class providerClass = getProviderClass(className, cl, doFallback); - Object instance = providerClass.newInstance();
--- a/patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch Mon Apr 22 17:13:26 2013 -0400
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,298 +0,0 @@ -diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java ---- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:37:39.305820912 -0400 -+++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:28:52.947388255 -0400 -@@ -25,15 +25,12 @@ - - package javax.xml.parsers; - --import java.io.File; --import java.io.FileInputStream; -- --import java.util.Properties; - import java.io.BufferedReader; -+import java.io.File; - import java.io.IOException; - import java.io.InputStream; - import java.io.InputStreamReader; --import java.net.URL; -+import java.util.Properties; - - /** - * <p>Implements pluggable Datatypes.</p> -@@ -42,6 +39,7 @@ - * sync. It is package private for secure class loading.</p> - * - * @author Santiago.PericasGeertsen@sun.com -+ * @author Huizhe.Wang@oracle.com - */ - class FactoryFinder { - -@@ -95,18 +93,24 @@ - * If the class loader supplied is <code>null</code>, first try using the - * context class loader followed by the current (i.e. bootstrap) class - * loader. 
-+ * -+ * Use bootstrap classLoader if cl = null and useBSClsLoader is true - */ - static private Class getProviderClass(String className, ClassLoader cl, -- boolean doFallback) throws ClassNotFoundException -+ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException - { - try { - if (cl == null) { -- cl = ss.getContextClassLoader(); -- if (cl == null) { -- throw new ClassNotFoundException(); -- } -- else { -- return cl.loadClass(className); -+ if (useBSClsLoader) { -+ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); -+ } else { -+ cl = ss.getContextClassLoader(); -+ if (cl == null) { -+ throw new ClassNotFoundException(); -+ } -+ else { -+ return cl.loadClass(className); -+ } - } - } - else { -@@ -131,8 +135,8 @@ - * @param className Name of the concrete class corresponding to the - * service provider - * -- * @param cl ClassLoader to use to load the class, null means to use -- * the bootstrap ClassLoader -+ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> -+ * current <code>Thread</code>'s context classLoader is used to load the factory class. - * - * @param doFallback True if the current ClassLoader should be tried as - * a fallback if the class is not found using cl -@@ -140,8 +144,30 @@ - static Object newInstance(String className, ClassLoader cl, boolean doFallback) - throws ConfigurationError - { -+ return newInstance(className, cl, doFallback, false); -+ } -+ -+ /** -+ * Create an instance of a class. Delegates to method -+ * <code>getProviderClass()</code> in order to load the class. -+ * -+ * @param className Name of the concrete class corresponding to the -+ * service provider -+ * -+ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> -+ * current <code>Thread</code>'s context classLoader is used to load the factory class. 
-+ * -+ * @param doFallback True if the current ClassLoader should be tried as -+ * a fallback if the class is not found using cl -+ * -+ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter -+ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. -+ */ -+ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) -+ throws ConfigurationError -+ { - try { -- Class providerClass = getProviderClass(className, cl, doFallback); -+ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); - Object instance = providerClass.newInstance(); - if (debug) { // Extra check to avoid computing cl strings - dPrint("created new instance of " + providerClass + -@@ -244,6 +270,7 @@ - - // First try the Context ClassLoader - ClassLoader cl = ss.getContextClassLoader(); -+ boolean useBSClsLoader = false; - if (cl != null) { - is = ss.getResourceAsStream(cl, serviceId); - -@@ -251,11 +278,13 @@ - if (is == null) { - cl = FactoryFinder.class.getClassLoader(); - is = ss.getResourceAsStream(cl, serviceId); -+ useBSClsLoader = true; - } - } else { - // No Context ClassLoader, try the current ClassLoader - cl = FactoryFinder.class.getClassLoader(); - is = ss.getResourceAsStream(cl, serviceId); -+ useBSClsLoader = true; - } - - if (is == null) { -@@ -293,7 +322,7 @@ - // ClassLoader because we want to avoid the case where the - // resource file was found using one ClassLoader and the - // provider class was instantiated using a different one. 
-- return newInstance(factoryClassName, cl, false); -+ return newInstance(factoryClassName, cl, false, useBSClsLoader); - } - - // No provider found -diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java ---- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:37:39.312820966 -0400 -+++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:35:08.715478293 -0400 -@@ -25,15 +25,12 @@ - - package javax.xml.transform; - --import java.io.File; --import java.io.FileInputStream; -- --import java.util.Properties; - import java.io.BufferedReader; -+import java.io.File; - import java.io.IOException; - import java.io.InputStream; - import java.io.InputStreamReader; --import java.net.URL; -+import java.util.Properties; - - /** - * <p>Implements pluggable Datatypes.</p> -@@ -42,6 +39,7 @@ - * sync. It is package private for secure class loading.</p> - * - * @author Santiago.PericasGeertsen@sun.com -+ * @author Huizhe.Wang@oracle.com - */ - class FactoryFinder { - -@@ -95,18 +93,24 @@ - * If the class loader supplied is <code>null</code>, first try using the - * context class loader followed by the current (i.e. bootstrap) class - * loader. 
-+ * -+ * Use bootstrap classLoader if cl = null and useBSClsLoader is true - */ - static private Class getProviderClass(String className, ClassLoader cl, -- boolean doFallback) throws ClassNotFoundException -+ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException - { - try { - if (cl == null) { -- cl = ss.getContextClassLoader(); -- if (cl == null) { -- throw new ClassNotFoundException(); -- } -- else { -- return cl.loadClass(className); -+ if (useBSClsLoader) { -+ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); -+ } else { -+ cl = ss.getContextClassLoader(); -+ if (cl == null) { -+ throw new ClassNotFoundException(); -+ } -+ else { -+ return cl.loadClass(className); -+ } - } - } - else { -@@ -131,8 +135,8 @@ - * @param className Name of the concrete class corresponding to the - * service provider - * -- * @param cl ClassLoader to use to load the class, null means to use -- * the bootstrap ClassLoader -+ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> -+ * current <code>Thread</code>'s context classLoader is used to load the factory class. - * - * @param doFallback True if the current ClassLoader should be tried as - * a fallback if the class is not found using cl -@@ -140,8 +144,30 @@ - static Object newInstance(String className, ClassLoader cl, boolean doFallback) - throws ConfigurationError - { -+ return newInstance(className, cl, doFallback, false); -+ } -+ -+ /** -+ * Create an instance of a class. Delegates to method -+ * <code>getProviderClass()</code> in order to load the class. -+ * -+ * @param className Name of the concrete class corresponding to the -+ * service provider -+ * -+ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> -+ * current <code>Thread</code>'s context classLoader is used to load the factory class. 
-+ * -+ * @param doFallback True if the current ClassLoader should be tried as -+ * a fallback if the class is not found using cl -+ * -+ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter -+ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. -+ */ -+ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) -+ throws ConfigurationError -+ { - try { -- Class providerClass = getProviderClass(className, cl, doFallback); -+ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); - Object instance = providerClass.newInstance(); - if (debug) { // Extra check to avoid computing cl strings - dPrint("created new instance of " + providerClass + -@@ -182,7 +208,7 @@ - String systemProp = ss.getSystemProperty(factoryId); - if (systemProp != null) { - dPrint("found system property, value=" + systemProp); -- return newInstance(systemProp, null, true); -+ return newInstance(systemProp, null, true, false); - } - } - catch (SecurityException se) { -@@ -210,7 +236,7 @@ - - if (factoryClassName != null) { - dPrint("found in $java.home/jaxp.properties, value=" + factoryClassName); -- return newInstance(factoryClassName, null, true); -+ return newInstance(factoryClassName, null, true, false); - } - } - catch (Exception ex) { -@@ -228,7 +254,7 @@ - } - - dPrint("loaded from fallback value: " + fallbackClassName); -- return newInstance(fallbackClassName, null, true); -+ return newInstance(fallbackClassName, null, true, false); - } - - /* -@@ -244,6 +270,7 @@ - - // First try the Context ClassLoader - ClassLoader cl = ss.getContextClassLoader(); -+ boolean useBSClsLoader = false; - if (cl != null) { - is = ss.getResourceAsStream(cl, serviceId); - -@@ -251,11 +278,13 @@ - if (is == null) { - cl = FactoryFinder.class.getClassLoader(); - is = ss.getResourceAsStream(cl, serviceId); -- } -+ useBSClsLoader = true; -+ } - } else { - // No 
Context ClassLoader, try the current ClassLoader - cl = FactoryFinder.class.getClassLoader(); - is = ss.getResourceAsStream(cl, serviceId); -+ useBSClsLoader = true; - } - - if (is == null) { -@@ -293,7 +322,7 @@ - // ClassLoader because we want to avoid the case where the - // resource file was found using one ClassLoader and the - // provider class was instantiated using a different one. -- return newInstance(factoryClassName, cl, false); -+ return newInstance(factoryClassName, cl, false, useBSClsLoader); - } - - // No provider found
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/7133220-factory_finder_parser_transform_useBSClassLoader.patch Wed Apr 24 09:21:10 2013 +0100
@@ -0,0 +1,298 @@ +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:37:39.305820912 -0400 ++++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:28:52.947388255 -0400 +@@ -25,15 +25,12 @@ + + package javax.xml.parsers; + +-import java.io.File; +-import java.io.FileInputStream; +- +-import java.util.Properties; + import java.io.BufferedReader; ++import java.io.File; + import java.io.IOException; + import java.io.InputStream; + import java.io.InputStreamReader; +-import java.net.URL; ++import java.util.Properties; + + /** + * <p>Implements pluggable Datatypes.</p> +@@ -42,6 +39,7 @@ + * sync. It is package private for secure class loading.</p> + * + * @author Santiago.PericasGeertsen@sun.com ++ * @author Huizhe.Wang@oracle.com + */ + class FactoryFinder { + +@@ -95,18 +93,24 @@ + * If the class loader supplied is <code>null</code>, first try using the + * context class loader followed by the current (i.e. bootstrap) class + * loader. 
++ * ++ * Use bootstrap classLoader if cl = null and useBSClsLoader is true + */ + static private Class getProviderClass(String className, ClassLoader cl, +- boolean doFallback) throws ClassNotFoundException ++ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException + { + try { + if (cl == null) { +- cl = ss.getContextClassLoader(); +- if (cl == null) { +- throw new ClassNotFoundException(); +- } +- else { +- return cl.loadClass(className); ++ if (useBSClsLoader) { ++ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); ++ } else { ++ cl = ss.getContextClassLoader(); ++ if (cl == null) { ++ throw new ClassNotFoundException(); ++ } ++ else { ++ return cl.loadClass(className); ++ } + } + } + else { +@@ -131,8 +135,8 @@ + * @param className Name of the concrete class corresponding to the + * service provider + * +- * @param cl ClassLoader to use to load the class, null means to use +- * the bootstrap ClassLoader ++ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> ++ * current <code>Thread</code>'s context classLoader is used to load the factory class. + * + * @param doFallback True if the current ClassLoader should be tried as + * a fallback if the class is not found using cl +@@ -140,8 +144,30 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ return newInstance(className, cl, doFallback, false); ++ } ++ ++ /** ++ * Create an instance of a class. Delegates to method ++ * <code>getProviderClass()</code> in order to load the class. ++ * ++ * @param className Name of the concrete class corresponding to the ++ * service provider ++ * ++ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> ++ * current <code>Thread</code>'s context classLoader is used to load the factory class. 
++ * ++ * @param doFallback True if the current ClassLoader should be tried as ++ * a fallback if the class is not found using cl ++ * ++ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter ++ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. ++ */ ++ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) ++ throws ConfigurationError ++ { + try { +- Class providerClass = getProviderClass(className, cl, doFallback); ++ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); + Object instance = providerClass.newInstance(); + if (debug) { // Extra check to avoid computing cl strings + dPrint("created new instance of " + providerClass + +@@ -244,6 +270,7 @@ + + // First try the Context ClassLoader + ClassLoader cl = ss.getContextClassLoader(); ++ boolean useBSClsLoader = false; + if (cl != null) { + is = ss.getResourceAsStream(cl, serviceId); + +@@ -251,11 +278,13 @@ + if (is == null) { + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + } else { + // No Context ClassLoader, try the current ClassLoader + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + + if (is == null) { +@@ -293,7 +322,7 @@ + // ClassLoader because we want to avoid the case where the + // resource file was found using one ClassLoader and the + // provider class was instantiated using a different one. 
+- return newInstance(factoryClassName, cl, false); ++ return newInstance(factoryClassName, cl, false, useBSClsLoader); + } + + // No provider found +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:37:39.312820966 -0400 ++++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:35:08.715478293 -0400 +@@ -25,15 +25,12 @@ + + package javax.xml.transform; + +-import java.io.File; +-import java.io.FileInputStream; +- +-import java.util.Properties; + import java.io.BufferedReader; ++import java.io.File; + import java.io.IOException; + import java.io.InputStream; + import java.io.InputStreamReader; +-import java.net.URL; ++import java.util.Properties; + + /** + * <p>Implements pluggable Datatypes.</p> +@@ -42,6 +39,7 @@ + * sync. It is package private for secure class loading.</p> + * + * @author Santiago.PericasGeertsen@sun.com ++ * @author Huizhe.Wang@oracle.com + */ + class FactoryFinder { + +@@ -95,18 +93,24 @@ + * If the class loader supplied is <code>null</code>, first try using the + * context class loader followed by the current (i.e. bootstrap) class + * loader. 
++ * ++ * Use bootstrap classLoader if cl = null and useBSClsLoader is true + */ + static private Class getProviderClass(String className, ClassLoader cl, +- boolean doFallback) throws ClassNotFoundException ++ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException + { + try { + if (cl == null) { +- cl = ss.getContextClassLoader(); +- if (cl == null) { +- throw new ClassNotFoundException(); +- } +- else { +- return cl.loadClass(className); ++ if (useBSClsLoader) { ++ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); ++ } else { ++ cl = ss.getContextClassLoader(); ++ if (cl == null) { ++ throw new ClassNotFoundException(); ++ } ++ else { ++ return cl.loadClass(className); ++ } + } + } + else { +@@ -131,8 +135,8 @@ + * @param className Name of the concrete class corresponding to the + * service provider + * +- * @param cl ClassLoader to use to load the class, null means to use +- * the bootstrap ClassLoader ++ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> ++ * current <code>Thread</code>'s context classLoader is used to load the factory class. + * + * @param doFallback True if the current ClassLoader should be tried as + * a fallback if the class is not found using cl +@@ -140,8 +144,30 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ return newInstance(className, cl, doFallback, false); ++ } ++ ++ /** ++ * Create an instance of a class. Delegates to method ++ * <code>getProviderClass()</code> in order to load the class. ++ * ++ * @param className Name of the concrete class corresponding to the ++ * service provider ++ * ++ * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code> ++ * current <code>Thread</code>'s context classLoader is used to load the factory class. 
++ * ++ * @param doFallback True if the current ClassLoader should be tried as ++ * a fallback if the class is not found using cl ++ * ++ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter ++ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. ++ */ ++ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) ++ throws ConfigurationError ++ { + try { +- Class providerClass = getProviderClass(className, cl, doFallback); ++ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); + Object instance = providerClass.newInstance(); + if (debug) { // Extra check to avoid computing cl strings + dPrint("created new instance of " + providerClass + +@@ -182,7 +208,7 @@ + String systemProp = ss.getSystemProperty(factoryId); + if (systemProp != null) { + dPrint("found system property, value=" + systemProp); +- return newInstance(systemProp, null, true); ++ return newInstance(systemProp, null, true, false); + } + } + catch (SecurityException se) { +@@ -210,7 +236,7 @@ + + if (factoryClassName != null) { + dPrint("found in $java.home/jaxp.properties, value=" + factoryClassName); +- return newInstance(factoryClassName, null, true); ++ return newInstance(factoryClassName, null, true, false); + } + } + catch (Exception ex) { +@@ -228,7 +254,7 @@ + } + + dPrint("loaded from fallback value: " + fallbackClassName); +- return newInstance(fallbackClassName, null, true); ++ return newInstance(fallbackClassName, null, true, false); + } + + /* +@@ -244,6 +270,7 @@ + + // First try the Context ClassLoader + ClassLoader cl = ss.getContextClassLoader(); ++ boolean useBSClsLoader = false; + if (cl != null) { + is = ss.getResourceAsStream(cl, serviceId); + +@@ -251,11 +278,13 @@ + if (is == null) { + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); +- } ++ useBSClsLoader = true; ++ } + } else { + // No 
Context ClassLoader, try the current ClassLoader + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + + if (is == null) { +@@ -293,7 +322,7 @@ + // ClassLoader because we want to avoid the case where the + // resource file was found using one ClassLoader and the + // provider class was instantiated using a different one. +- return newInstance(factoryClassName, cl, false); ++ return newInstance(factoryClassName, cl, false, useBSClsLoader); + } + + // No provider found
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20130416/6657673-factory_finder.patch Wed Apr 24 09:21:10 2013 +0100
@@ -0,0 +1,54 @@ +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:42:32.138748378 -0400 ++++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:41:36.033419998 -0400 +@@ -44,7 +44,7 @@ + * @author Santiago.PericasGeertsen@sun.com + */ + class FactoryFinder { +- ++ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal"; + /** + * Internal debug flag. + */ +@@ -140,6 +140,14 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ // make sure we have access to restricted packages ++ if (System.getSecurityManager() != null) { ++ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { ++ cl = null; ++ useBSClsLoader = true; ++ } ++ } ++ + try { + Class providerClass = getProviderClass(className, cl, doFallback); + Object instance = providerClass.newInstance(); +Only in openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers: FactoryFinder.java.orig +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:42:32.230748906 -0400 ++++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:41:41.268451218 -0400 +@@ -44,6 +44,7 @@ + * @author Santiago.PericasGeertsen@sun.com + */ + class FactoryFinder { ++ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xalan.internal."; + + /** + * Internal debug flag. 
+@@ -140,6 +141,14 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ // make sure we have access to restricted packages ++ if (System.getSecurityManager() != null) { ++ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { ++ cl = null; ++ useBSClsLoader = true; ++ } ++ } ++ + try { + Class providerClass = getProviderClass(className, cl, doFallback); + Object instance = providerClass.newInstance();
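Review bot: In the parsers half of this patch `DEFAULT_PACKAGE` is `"com.sun.org.apache.xerces.internal"` with no trailing dot, while the transform half uses `"com.sun.org.apache.xalan.internal."`, so the `className.startsWith(DEFAULT_PACKAGE)` guard in the parsers `newInstance` also matches class names that only share that prefix and live in a different package. A match only sets `cl = null` and `useBSClsLoader = true`, so the effect appears limited to forcing a bootstrap-loader lookup, but a security-manager check should be exact and the two files should agree; I would write `private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal.";`. Both hunks also assign `useBSClsLoader` under context that shows the three-argument `newInstance` and the three-argument `getProviderClass` call, so the patch presumably applies cleanly only after the 7133220 patch listed before it in `ICEDTEA_PATCHES`; a one-line comment at the top of the patch stating that ordering dependency would make this explicit. The `newInstance` bodies continue outside the hunks.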