Mercurial > hg > release > icedtea6-1.9

view patches/security/20111018/7046823.patch @ 2352:941103576384

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add first batch of security patches. S7000600, CVE-2011-3547: InputStream skip() information leak S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine S7055902, CVE-2011-3521: IIOP deserialization code execution S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks S7064341, CVE-2011-3389: JSSE S7070134, CVE-2011-3558: Hotspot unspecified issue S7077466, CVE-2011-3556: RMI DGC server remote code execution S7083012, CVE-2011-3557: RMI registry privileged code execution S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection 2011-10-13 Andrew John Hughes <ahughes@redhat.com> * Makefile.am: Add patches. * NEWS: List security updates. * patches/icedtea-rhino.patch: Change after 7046823 is applied. * patches/security/20111018/7000600.patch, * patches/security/20111018/7019773.patch, * patches/security/20111018/7023640.patch, * patches/security/20111018/7032417.patch, * patches/security/20111018/7046823.patch, * patches/security/20111018/7055902.patch, * patches/security/20111018/7057857.patch, * patches/security/20111018/7064341.patch, * patches/security/20111018/7070134.patch, * patches/security/20111018/7083012.patch, * patches/security/20111018/7096936.patch: First batch of security patches.
author Andrew John Hughes <ahughes@redhat.com>
date Thu, 13 Oct 2011 15:04:46 +0100
parents
children
line wrap: on
line source

diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java
--- openjdk.orig/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java	2010-06-21 22:15:15.000000000 +0100
+++ openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoScriptEngine.java	2011-10-13 00:09:54.314773784 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@
 import sun.org.mozilla.javascript.internal.*;
 import java.lang.reflect.Method;
 import java.io.*;
+import java.security.*;
 import java.util.*;
 
 
@@ -45,6 +46,8 @@
 
     private static final boolean DEBUG = false;
 
+    private AccessControlContext accCtxt;
+
     /* Scope where standard JavaScript objects and our
      * extensions to it are stored. Note that these are not
      * user defined engine level global variables. These are
@@ -63,6 +66,10 @@
 
     static {
         ContextFactory.initGlobal(new ContextFactory() {
+            /**
+             * Create new Context instance to be associated with the current thread.
+             */
+            @Override
             protected Context makeContext() {
                 Context cx = super.makeContext();
                 cx.setClassShutter(RhinoClassShutter.getInstance());
@@ -70,6 +77,41 @@
                 return cx;
             }
 
+
+            /**
+             * Execute top call to script or function. When the runtime is about to 
+             * execute a script or function that will create the first stack frame 
+             * with scriptable code, it calls this method to perform the real call. 
+             * In this way execution of any script happens inside this function.
+             */
+            @Override
+            protected Object doTopCall(final Callable callable,
+                               final Context cx, final Scriptable scope,
+                               final Scriptable thisObj, final Object[] args) {
+                AccessControlContext accCtxt = null;
+                Scriptable global = ScriptableObject.getTopLevelScope(scope);
+                Scriptable globalProto = global.getPrototype();
+                if (globalProto instanceof RhinoTopLevel) {
+                    accCtxt = ((RhinoTopLevel)globalProto).getAccessContext();
+                }
+
+                if (accCtxt != null) {
+                    return AccessController.doPrivileged(new PrivilegedAction<Object>() {
+                        public Object run() {
+                            return superDoTopCall(callable, cx, scope, thisObj, args);
+                        }
+                    }, accCtxt);
+                } else {
+                    return superDoTopCall(callable, cx, scope, thisObj, args);
+                }
+            }
+
+            private  Object superDoTopCall(Callable callable,
+                               Context cx, Scriptable scope,
+                               Scriptable thisObj, Object[] args) {
+                return super.doTopCall(callable, cx, scope, thisObj, args);
+            }
+
             public boolean hasFeature(Context cx, int feature) {
                 // we do not support E4X (ECMAScript for XML)!
                 if (feature == Context.FEATURE_E4X) {
@@ -87,6 +129,10 @@
      */
     public RhinoScriptEngine() {
 
+        if (System.getSecurityManager() != null) {
+            accCtxt = AccessController.getContext();
+        }
+
         Context cx = enterContext();
         try {
             topLevel = new RhinoTopLevel(cx, this);
@@ -314,6 +360,10 @@
         factory = fac;
     }
 
+    AccessControlContext getAccessContext() {
+        return accCtxt;
+    }
+
     Object[] wrapArguments(Object[] args) {
         if (args == null) {
             return Context.emptyArgs;
diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java
--- openjdk.orig/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java	2010-06-21 22:15:15.000000000 +0100
+++ openjdk/jdk/src/share/classes/com/sun/script/javascript/RhinoTopLevel.java	2011-10-13 00:10:22.419234150 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package com.sun.script.javascript;
 
 import sun.org.mozilla.javascript.internal.*;
+import java.security.AccessControlContext;
 import javax.script.*;
 
 /**
@@ -47,7 +48,10 @@
                 "var org = Packages.org;                   \n";
 
     RhinoTopLevel(Context cx, RhinoScriptEngine engine) {
-        super(cx);
+        // second boolean parameter to super constructor tells whether
+        // to seal standard JavaScript objects or not. If security manager
+        // is present, we seal the standard objects.
+        super(cx, System.getSecurityManager() != null);
         this.engine = engine;
 
 
@@ -164,5 +168,9 @@
         return engine;
     }
 
+    AccessControlContext getAccessContext() {
+        return engine.getAccessContext();
+    }
+
     private RhinoScriptEngine engine;
 }