summaryrefslogtreecommitdiff
path: root/java/openjdk6/files/icedtea/security/20130618/8008132-better_serialization.patch
diff options
context:
space:
mode:
Diffstat (limited to 'java/openjdk6/files/icedtea/security/20130618/8008132-better_serialization.patch')
-rw-r--r--java/openjdk6/files/icedtea/security/20130618/8008132-better_serialization.patch121
1 files changed, 121 insertions, 0 deletions
diff --git a/java/openjdk6/files/icedtea/security/20130618/8008132-better_serialization.patch b/java/openjdk6/files/icedtea/security/20130618/8008132-better_serialization.patch
new file mode 100644
index 000000000000..9d2605eab931
--- /dev/null
+++ b/java/openjdk6/files/icedtea/security/20130618/8008132-better_serialization.patch
@@ -0,0 +1,121 @@
+# HG changeset patch
+# User Severin Gehwolf <sgehwolf@redhat.com>
+# Date 1371476865 -7200
+# Node ID 5dd7618fd14c647d21d765fcc2431c9ee6289ae4
+# Parent 60c57caf0348c7eed93900e4395607af759e6ba9
+8008132: Better serialization support
+Reviewed-by: alanb, hawtin
+
+diff --git a/src/share/classes/java/io/ObjectOutputStream.java b/src/share/classes/java/io/ObjectOutputStream.java
+--- jdk/src/share/classes/java/io/ObjectOutputStream.java
++++ jdk/src/share/classes/java/io/ObjectOutputStream.java
+@@ -36,6 +36,7 @@
+ import java.util.concurrent.ConcurrentMap;
+ import static java.io.ObjectStreamClass.processQueue;
+ import java.io.SerialCallbackContext;
++import sun.reflect.misc.ReflectUtil;
+
+ /**
+ * An ObjectOutputStream writes primitive data types and graphs of Java objects
+@@ -1228,6 +1229,12 @@
+ }
+ }
+
++ private boolean isCustomSubclass() {
++ // Return true if this class is a custom subclass of ObjectOutputStream
++ return getClass().getClassLoader()
++ != ObjectOutputStream.class.getClassLoader();
++ }
++
+ /**
+ * Writes class descriptor representing a dynamic proxy class to stream.
+ */
+@@ -1245,6 +1252,9 @@
+ }
+
+ bout.setBlockDataMode(true);
++ if (isCustomSubclass()) {
++ ReflectUtil.checkPackageAccess(cl);
++ }
+ annotateProxyClass(cl);
+ bout.setBlockDataMode(false);
+ bout.writeByte(TC_ENDBLOCKDATA);
+@@ -1271,6 +1281,9 @@
+
+ Class cl = desc.forClass();
+ bout.setBlockDataMode(true);
++ if (isCustomSubclass()) {
++ ReflectUtil.checkPackageAccess(cl);
++ }
+ annotateClass(cl);
+ bout.setBlockDataMode(false);
+ bout.writeByte(TC_ENDBLOCKDATA);
+diff --git a/src/share/classes/java/io/ObjectStreamClass.java b/src/share/classes/java/io/ObjectStreamClass.java
+--- jdk/src/share/classes/java/io/ObjectStreamClass.java
++++ jdk/src/share/classes/java/io/ObjectStreamClass.java
+@@ -50,6 +50,7 @@
+ import java.util.concurrent.ConcurrentMap;
+ import sun.misc.Unsafe;
+ import sun.reflect.ReflectionFactory;
++import sun.reflect.misc.ReflectUtil;
+
+ /**
+ * Serialization's descriptor for classes. It contains the name and
+@@ -234,6 +235,13 @@
+ * @return the <code>Class</code> instance that this descriptor represents
+ */
+ public Class<?> forClass() {
++ if (cl == null) {
++ return null;
++ }
++ ClassLoader ccl = ObjectStreamField.getCallerClassLoader();
++ if (ReflectUtil.needsPackageAccessCheck(ccl, cl.getClassLoader())) {
++ ReflectUtil.checkPackageAccess(cl);
++ }
+ return cl;
+ }
+
+diff --git a/src/share/classes/java/io/ObjectStreamField.java b/src/share/classes/java/io/ObjectStreamField.java
+--- jdk/src/share/classes/java/io/ObjectStreamField.java
++++ jdk/src/share/classes/java/io/ObjectStreamField.java
+@@ -26,6 +26,8 @@
+ package java.io;
+
+ import java.lang.reflect.Field;
++import sun.reflect.Reflection;
++import sun.reflect.misc.ReflectUtil;
+
+ /**
+ * A description of a Serializable field from a Serializable class. An array
+@@ -158,9 +160,31 @@
+ * serializable field
+ */
+ public Class<?> getType() {
++ ClassLoader ccl = getCallerClassLoader();
++ if (ReflectUtil.needsPackageAccessCheck(ccl, type.getClassLoader())) {
++ ReflectUtil.checkPackageAccess(type);
++ }
+ return type;
+ }
+
++ // Returns the invoker's class loader.
++ // This is package private because it is accessed from ObjectStreamClass.
++ // NOTE: This must always be invoked when there is exactly one intervening
++ // frame from the core libraries on the stack between this method's
++ // invocation and the desired invoker. The frame count of 3 is determined
++ // as follows:
++ //
++ // 0: Reflection.getCallerClass
++ // 1: getCallerClassLoader()
++ // 2: ObjectStreamField.getType() or ObjectStreamClass.forClass()
++ // 3: the caller we want to check
++ //
++ // NOTE: copied from java.lang.ClassLoader and modified.
++ static ClassLoader getCallerClassLoader() {
++ Class caller = Reflection.getCallerClass(3);
++ return caller.getClassLoader();
++ }
++
+ /**
+ * Returns character encoding of field type. The encoding is as follows:
+ * <blockquote><pre>
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 02:02:25 +0000