view patches/security/20101012/6622002.patch @ 1993:1cdd796efef3
Second batch of security updates.
2010-10-11 Andrew John Hughes <ahughes@redhat.com>
* patches/icedtea-timerqueue.patch:
Dropped; superseded by 6623943.
* Makefile.am: Add new security patches.
* NEWS: List new security patches.
* patches/security/20101012/6622002.patch,
* patches/security/20101012/6623943.patch,
* patches/security/20101012/6952017.patch,
* patches/security/20101012/6952603.patch,
* patches/security/20101012/6961084.patch,
* patches/security/20101012/6963285.patch,
* patches/security/20101012/6981426.patch,
* patches/security/20101012/6990437.patch:
Added.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Mon, 11 Oct 2010 21:52:05 +0100 |
parents | |
children |
# HG changeset patch
# User alexp
# Date 1285685944 -14400
# Node ID bb1c74cae929a5903c0aca64b9e5a7f67726b02a
# Parent 1eaaf0f77762dfa6120921f1d2d6ce96e7086513
6622002: UIDefault.ProxyLazyValue has unsafe reflection usage
Reviewed-by: malenkov
diff --git a/src/share/classes/javax/swing/UIDefaults.java b/src/share/classes/javax/swing/UIDefaults.java
--- openjdk.orig/jdk/src/share/classes/javax/swing/UIDefaults.java
+++ openjdk/jdk/src/share/classes/javax/swing/UIDefaults.java
@@ -52,6 +52,7 @@ import java.security.PrivilegedAction;
 import java.security.PrivilegedAction;
 import sun.reflect.misc.MethodUtil;
+import sun.reflect.misc.ReflectUtil;
 import sun.util.CoreResourceBundleControl;
 /**
@@ -1079,6 +1080,9 @@ public class UIDefaults extends Hashtabl
 // In order to pick up the security policy in effect at the
 // time of creation we use a doPrivileged with the
 // AccessControlContext that was in place when this was created.
+ if (acc == null && System.getSecurityManager() != null) {
+ throw new SecurityException("null AccessControlContext");
+ }
 return AccessController.doPrivileged(new PrivilegedAction() {
 public Object run() {
 try {
@@ -1094,7 +1098,9 @@ public class UIDefaults extends Hashtabl
 cl = ClassLoader.getSystemClassLoader();
 }
 }
+ ReflectUtil.checkPackageAccess(className);
 c = Class.forName(className, true, (ClassLoader)cl);
+ checkAccess(c.getModifiers());
 if (methodName != null) {
 Class[] types = getClassArray(args);
 Method m = c.getMethod(methodName, types);
@@ -1102,6 +1108,7 @@ public class UIDefaults extends Hashtabl
 } else {
 Class[] types = getClassArray(args);
 Constructor constructor = c.getConstructor(types);
+ checkAccess(constructor.getModifiers());
 return constructor.newInstance(args);
 }
 } catch(Exception e) {
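Review bot: The new null check on `acc` ahead of the `doPrivileged` call carries no comment saying why a null context has to be refused, and the existing comment above it only describes the normal case. `AccessController.doPrivileged(action, null)` applies no additional restriction, so a null `acc` would let the reflective lookup run with this class's own privileges instead of the creator's. I would add above the check: `// A null acc makes doPrivileged apply no restriction; refuse rather than run with our own privileges.` How `acc` can end up null is not visible here (presumably an instance that did not go through the normal constructor), and the enclosing method starts and ends outside the hunk.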
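Review bot: The SecurityException raised by `ReflectUtil.checkPackageAccess(className)` and by `checkAccess(c.getModifiers())` is thrown inside the `try` whose handler is the `catch(Exception e)` visible at the end of the following hunk, so a denied lookup may end up treated like any other reflection failure. The handler body is outside the lines shown; if it swallows the exception, the denial is silent and leaves nothing for someone investigating why a class was refused. Consider letting security failures through ahead of the generic handler, `} catch (SecurityException se) { throw se; } catch(Exception e) {`, or at least recording them there. The null-`acc` check in the preceding hunk does not have this problem because it sits before the `try`.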
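Review bot: `checkAccess(constructor.getModifiers())` cannot fail as written, because `Class.getConstructor` only ever returns public constructors; the same is true of `getMethod` in the branch above, which gets no matching call. The asymmetry reads as if one path were less protected than the other. A comment such as `// getConstructor only yields public constructors; kept as defence in depth` would make the intent clear, or the call could be dropped. The enclosing `try` block starts and ends outside this hunk.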
@@ -1115,8 +1122,15 @@ public class UIDefaults extends Hashtabl
 }
 }, acc);
 }
+
+ private void checkAccess(int modifiers) {
+ if(System.getSecurityManager() != null &&
+ !Modifier.isPublic(modifiers)) {
+ throw new SecurityException("Resource is not accessible");
+ }
+ }
- /*
+ /*
 * Coerce the array of class types provided into one which
 * looks the way the Reflection APIs expect. This is done
 * by substituting primitive types for their Object counterparts,
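Review bot: `checkAccess` is added without any comment, and its name does not say that it enforces nothing when no security manager is installed, or that it looks only at the `public` bit of the modifiers passed in. I would give it a one-line Javadoc stating both: `/** Throws SecurityException if a SecurityManager is installed and the given modifiers are not public. */`. It reads no instance state, so `private static void checkAccess(int modifiers)` would describe it better, and `if(` should be `if (` to match the check added in the earlier hunk. The `- /*` / `+ /*` pair that follows is a whitespace-only change and adds noise to a security patch.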