Mercurial > hg > release > icedtea7-forest-2.2 > jdk
changeset 2391:3dabb7d5be98
6904691: Java Applet Trusted Methods Chaining Privilege Escalation Vulnerability
Reviewed-by: hawtin, peterz
author | malenkov |
---|---|
date | Tue, 22 Dec 2009 17:56:58 +0300 |
parents | 7a60d100ffa5 |
children | c80b6350de63 |
files | src/share/classes/java/beans/EventHandler.java src/share/classes/java/beans/Statement.java test/java/beans/EventHandler/Test6277246.java test/java/beans/EventHandler/Test6277266.java |
diffstat | 4 files changed, 46 insertions(+), 16 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/java/beans/EventHandler.java Fri Dec 18 09:09:12 2009 -0500 +++ b/src/share/classes/java/beans/EventHandler.java Tue Dec 22 17:56:58 2009 +0300 @@ -32,7 +32,6 @@ import java.security.AccessController; import java.security.PrivilegedAction; -import java.util.EventObject; import sun.reflect.misc.MethodUtil; /** @@ -279,9 +278,9 @@ public class EventHandler implements InvocationHandler { private Object target; private String action; - private String eventPropertyName; - private String listenerMethodName; - private AccessControlContext acc; + private final String eventPropertyName; + private final String listenerMethodName; + private final AccessControlContext acc = AccessController.getContext(); /** * Creates a new <code>EventHandler</code> object; @@ -310,7 +309,6 @@ */ @ConstructorProperties({"target", "action", "eventPropertyName", "listenerMethodName"}) public EventHandler(Object target, String action, String eventPropertyName, String listenerMethodName) { - this.acc = AccessController.getContext(); this.target = target; this.action = action; if (target == null) { @@ -422,7 +420,11 @@ * @see EventHandler */ public Object invoke(final Object proxy, final Method method, final Object[] arguments) { - return AccessController.doPrivileged(new PrivilegedAction() { + AccessControlContext acc = this.acc; + if ((acc == null) && (System.getSecurityManager() != null)) { + throw new SecurityException("AccessControlContext is not set"); + } + return AccessController.doPrivileged(new PrivilegedAction<Object>() { public Object run() { return invokeInternal(proxy, method, arguments); } @@ -482,7 +484,10 @@ throw new RuntimeException(ex); } catch (InvocationTargetException ex) { - throw new RuntimeException(ex.getTargetException()); + Throwable th = ex.getTargetException(); + throw (th instanceof RuntimeException) + ? (RuntimeException) th + : new RuntimeException(th); } } return null;
--- a/src/share/classes/java/beans/Statement.java Fri Dec 18 09:09:12 2009 -0500 +++ b/src/share/classes/java/beans/Statement.java Tue Dec 22 17:56:58 2009 +0300 @@ -29,6 +29,10 @@ import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.security.AccessControlContext; +import java.security.AccessController; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import com.sun.beans.finder.ClassFinder; import com.sun.beans.finder.ConstructorFinder; @@ -63,9 +67,10 @@ } }; - Object target; - String methodName; - Object[] arguments; + private final AccessControlContext acc = AccessController.getContext(); + private final Object target; + private final String methodName; + private final Object[] arguments; ClassLoader loader; /** @@ -145,6 +150,26 @@ } Object invoke() throws Exception { + AccessControlContext acc = this.acc; + if ((acc == null) && (System.getSecurityManager() != null)) { + throw new SecurityException("AccessControlContext is not set"); + } + try { + return AccessController.doPrivileged( + new PrivilegedExceptionAction<Object>() { + public Object run() throws Exception { + return invokeInternal(); + } + }, + acc + ); + } + catch (PrivilegedActionException exception) { + throw exception.getException(); + } + } + + private Object invokeInternal() throws Exception { Object target = getTarget(); String methodName = getMethodName();
--- a/test/java/beans/EventHandler/Test6277246.java Fri Dec 18 09:09:12 2009 -0500 +++ b/test/java/beans/EventHandler/Test6277246.java Tue Dec 22 17:56:58 2009 +0300 @@ -1,5 +1,5 @@ /* - * Copyright 2005-2007 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 2005-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -49,10 +49,10 @@ catch (NoSuchMethodException exception) { throw new Error("unexpected exception", exception); } + catch (SecurityException exception) { + // expected security exception + } catch (RuntimeException exception) { - if (exception.getCause() instanceof SecurityException) { - return; // expected security exception - } throw new Error("unexpected exception", exception); } }
--- a/test/java/beans/EventHandler/Test6277266.java Fri Dec 18 09:09:12 2009 -0500 +++ b/test/java/beans/EventHandler/Test6277266.java Tue Dec 22 17:56:58 2009 +0300 @@ -1,5 +1,5 @@ /* - * Copyright 2005-2007 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 2005-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -51,7 +51,7 @@ ); throw new Error("SecurityException expected"); } catch (InvocationTargetException exception) { - if (exception.getCause().getCause() instanceof SecurityException){ + if (exception.getCause() instanceof SecurityException){ return; // expected security exception } throw new Error("unexpected exception", exception);