view patches/security/20111018/7046823.patch @ 2161:7524f507af5c
Apply latest security patches.
2011-10-17 Andrew John Hughes <ahughes@redhat.com>
* Makefile.am: Add patches.
* NEWS: List security updates.
* patches/icedtea-rhino.patch: Change after 7046823 is applied.
* patches/icedtea-xjc.patch: Update against 7046794.
* patches/security/20111018/7000600.patch,
* patches/security/20111018/7019773.patch,
* patches/security/20111018/7023640.patch,
* patches/security/20111018/7032417.patch,
* patches/security/20111018/7046823.patch,
* patches/security/20111018/7055902.patch,
* patches/security/20111018/7057857.patch,
* patches/security/20111018/7064341.patch,
* patches/security/20111018/7083012.patch,
* patches/security/20111018/7096936.patch,
* patches/security/20111018/7046794.patch,
* patches/security/20111018/7077466.patch:
Add security patches.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Mon, 17 Oct 2011 15:40:23 +0100 |
parents | |
children |
diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java
--- openjdk.orig/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java 2010-06-21 22:15:15.000000000 +0100
+++ openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java 2011-10-13 00:09:54.314773784 +0100
@@ -29,6 +29,7 @@
 import sun.org.mozilla.javascript.internal.*;
 import java.lang.reflect.Method;
 import java.io.*;
+import java.security.*;
 import java.util.*;
@@ -45,6 +46,8 @@
 private static final boolean DEBUG = false;
+ private AccessControlContext accCtxt;
+
 /* Scope where standard JavaScript objects and our
 * extensions to it are stored. Note that these are not
 * user defined engine level global variables. These are
@@ -63,6 +66,10 @@
 static {
 ContextFactory.initGlobal(new ContextFactory() {
+ /**
+ * Create new Context instance to be associated with the current thread.
+ */
+ @Override
 protected Context makeContext() {
 Context cx = super.makeContext();
 cx.setClassShutter(RhinoClassShutter.getInstance());
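Review bot: The new field `accCtxt` in the `-45,6 +46,8` hunk is declared without a comment and without `final`, although the only assignment visible in this patch is the one in the constructor. A short comment such as `// AccessControlContext of the code that created this engine; null when no SecurityManager was installed at construction` would explain why `getAccessContext()` can return null. Making the field `final` would require the constructor to assign it on both paths, for example `accCtxt = (System.getSecurityManager() != null) ? AccessController.getContext() : null;`.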
@@ -70,6 +77,41 @@
 return cx;
 }
+
+ /**
+ * Execute top call to script or function. When the runtime is about to
+ * execute a script or function that will create the first stack frame
+ * with scriptable code, it calls this method to perform the real call.
+ * In this way execution of any script happens inside this function.
+ */
+ @Override
+ protected Object doTopCall(final Callable callable,
+ final Context cx, final Scriptable scope,
+ final Scriptable thisObj, final Object[] args) {
+ AccessControlContext accCtxt = null;
+ Scriptable global = ScriptableObject.getTopLevelScope(scope);
+ Scriptable globalProto = global.getPrototype();
+ if (globalProto instanceof RhinoTopLevel) {
+ accCtxt = ((RhinoTopLevel)globalProto).getAccessContext();
+ }
+
+ if (accCtxt != null) {
+ return AccessController.doPrivileged(new PrivilegedAction<Object>() {
+ public Object run() {
+ return superDoTopCall(callable, cx, scope, thisObj, args);
+ }
+ }, accCtxt);
+ } else {
+ return superDoTopCall(callable, cx, scope, thisObj, args);
+ }
+ }
+
+ private Object superDoTopCall(Callable callable,
+ Context cx, Scriptable scope,
+ Scriptable thisObj, Object[] args) {
+ return super.doTopCall(callable, cx, scope, thisObj, args);
+ }
+
 public boolean hasFeature(Context cx, int feature) {
 // we do not support E4X (ECMAScript for XML)!
 if (feature == Context.FEATURE_E4X) {
@@ -87,6 +129,10 @@
 */
 public RhinoScriptEngine() {
+ if (System.getSecurityManager() != null) {
+ accCtxt = AccessController.getContext();
+ }
+
 Context cx = enterContext();
 try {
 topLevel = new RhinoTopLevel(cx, this);
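Review bot: The `else` branch of `doTopCall` fails open: whenever `accCtxt` ends up null, either because the global scope's prototype is not a `RhinoTopLevel` or because the engine was built without a security manager, the call goes through `superDoTopCall` with no captured context, and the two cases are not distinguished. Whether the first case is reachable is not visible in this hunk, so it deserves at least a comment such as `// no engine context for this scope: only the ordinary stack-based checks apply`, or a decision to reject the call when a security manager is installed. The Javadoc should also state that `doPrivileged(action, accCtxt)` ends the access-control stack walk at this frame, so checks are evaluated against the engine creator's context rather than against the code that invoked the script; an engine created by trusted code should therefore not be handed to less trusted code. The anonymous `run()` could carry `@Override` like the two methods the patch annotates above it.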
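Review bot: The context is captured only when `System.getSecurityManager() != null` at construction time, so an engine created before a security manager is installed keeps `accCtxt == null` for its whole lifetime and always takes the non-`doPrivileged` branch in `doTopCall`. The same one-time test decides sealing in the `RhinoTopLevel` constructor hunk (`super(cx, System.getSecurityManager() != null)`). If late installation of a manager is a supported case, capturing unconditionally with `accCtxt = AccessController.getContext();` would close that gap; otherwise a comment stating the assumption would help. The constructor body continues outside the hunk.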
@@ -314,6 +360,10 @@
 factory = fac;
 }
+ AccessControlContext getAccessContext() {
+ return accCtxt;
+ }
+
 Object[] wrapArguments(Object[] args) {
 if (args == null) {
 return Context.emptyArgs;
diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java
--- openjdk.orig/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java 2010-06-21 22:15:15.000000000 +0100
+++ openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java 2011-10-13 00:10:22.419234150 +0100
@@ -26,6 +26,7 @@
 package com.sun.script.javascript;
 import sun.org.mozilla.javascript.internal.*;
+import java.security.AccessControlContext;
 import javax.script.*;
 /**
@@ -47,7 +48,10 @@
 "var org = Packages.org; \n";
 RhinoTopLevel(Context cx, RhinoScriptEngine engine) {
- super(cx);
+ // second boolean parameter to super constructor tells whether
+ // to seal standard JavaScript objects or not. If security manager
+ // is present, we seal the standard objects.
+ super(cx, System.getSecurityManager() != null);
 this.engine = engine;
@@ -164,5 +168,9 @@
 return engine;
 }
+ AccessControlContext getAccessContext() {
+ return engine.getAccessContext();
+ }
+
 private RhinoScriptEngine engine;
 }
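Review bot: `RhinoTopLevel.getAccessContext()` in the last hunk dereferences `engine` unconditionally, while the constructor hunk above it assigns `this.engine` only after `super(cx, ...)` returns and the field is not `final`. If a top-level call were ever routed through `doTopCall` with this object as the global prototype before that assignment, the outcome would be a `NullPointerException` rather than an access decision; that ordering is not visible here, so the case may be unreachable. A comment stating the invariant (`// engine is set in the constructor before any script can run against this scope`) would make the assumption explicit. Both new `getAccessContext()` methods would also benefit from a one-line Javadoc such as `/** Returns the engine creator's AccessControlContext, or null if none was captured. */`.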