authorGreg Lewis <glewis@FreeBSD.org>2009-03-05 05:37:21 +0000
committerGreg Lewis <glewis@FreeBSD.org>2009-03-05 05:37:21 +0000
commit64f95ae234da3181ca6928bbcbf299607825d573 (patch)
tree9ba7b51fec94ff1a2e8deb54a9a57b96d32fcf1a /java/jdk16/files/patch-j2se-util-Calendar.java
parentUpdate to 2.5.5. See http://developer.pidgin.im/wiki/ChangeLog for a list (diff)
. Fix a security hole in the Calendar class which allows the elevation of
permissions within the Java security model. http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1 Submitted by: Kurt Miller <kurt@intricatesoftware.com> Obtained from: OpenBSD
Notes
Notes: svn path=/head/; revision=229509
Diffstat (limited to '')
-rw-r--r--java/jdk16/files/patch-j2se-util-Calendar.java93
1 files changed, 93 insertions, 0 deletions
diff --git a/java/jdk16/files/patch-j2se-util-Calendar.java b/java/jdk16/files/patch-j2se-util-Calendar.java
new file mode 100644
index 000000000000..850cb2d2869a
--- /dev/null
+++ b/java/jdk16/files/patch-j2se-util-Calendar.java
@@ -0,0 +1,93 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/java/util/Calendar.java.orig Tue Sep 25 00:44:04 2007
++++ ../../j2se/src/share/classes/java/util/Calendar.java Sat Feb 28 09:35:28 2009
+@@ -23,9 +23,14 @@ package java.util;
+ import java.io.IOException;
+ import java.io.ObjectInputStream;
+ import java.io.ObjectOutputStream;
++import java.io.OptionalDataException;
+ import java.io.Serializable;
++import java.security.AccessControlContext;
+ import java.security.AccessController;
++import java.security.PermissionCollection;
++import java.security.PrivilegedActionException;
+ import java.security.PrivilegedExceptionAction;
++import java.security.ProtectionDomain;
+ import java.text.DateFormat;
+ import java.text.DateFormatSymbols;
+ import sun.util.BuddhistCalendar;
+@@ -2599,6 +2604,18 @@ public abstract class Calendar implements Serializable
+ }
+ }
+
++ private static class CalendarAccessControlContext {
++ private static final AccessControlContext INSTANCE;
++ static {
++ RuntimePermission perm = new RuntimePermission("accessClassInPackage.sun.util.calendar");
++ PermissionCollection perms = perm.newPermissionCollection();
++ perms.add(perm);
++ INSTANCE = new AccessControlContext(new ProtectionDomain[] {
++ new ProtectionDomain(null, perms)
++ });
++ }
++ }
++
+ /**
+ * Reconstitutes this object from a stream (i.e., deserialize it).
+ */
+@@ -2628,18 +2645,31 @@ public abstract class Calendar implements Serializable
+ serialVersionOnStream = currentSerialVersion;
+
+ // If there's a ZoneInfo object, use it for zone.
++ ZoneInfo zi = null;
+ try {
+- ZoneInfo zi = (ZoneInfo) AccessController.doPrivileged(
+- new PrivilegedExceptionAction() {
+- public Object run() throws Exception {
+- return input.readObject();
+- }
+- });
+- if (zi != null) {
+- zone = zi;
+- }
+- } catch (Exception e) {
++ zi = AccessController.doPrivileged(
++ new PrivilegedExceptionAction<ZoneInfo>() {
++ public ZoneInfo run() throws Exception {
++ return (ZoneInfo) input.readObject();
++ }
++ },
++ CalendarAccessControlContext.INSTANCE);
++ } catch (PrivilegedActionException pae) {
++ Exception e = pae.getException();
++ if (!(e instanceof OptionalDataException)) {
++ if (e instanceof RuntimeException) {
++ throw (RuntimeException) e;
++ } else if (e instanceof IOException) {
++ throw (IOException) e;
++ } else if (e instanceof ClassNotFoundException) {
++ throw (ClassNotFoundException) e;
++ }
++ throw new RuntimeException(e);
++ }
+ }
++ if (zi != null) {
++ zone = zi;
++ }
+
+ // If the deserialized object has a SimpleTimeZone, try to
+ // replace it with a ZoneInfo equivalent (as of 1.4) in order
+@@ -2647,9 +2677,9 @@ public abstract class Calendar implements Serializable
+ // implementation as much as possible.
+ if (zone instanceof SimpleTimeZone) {
+ String id = zone.getID();
+- TimeZone zi = TimeZone.getTimeZone(id);
+- if (zi != null && zi.hasSameRules(zone) && zi.getID().equals(id)) {
+- zone = zi;
++ TimeZone tz = TimeZone.getTimeZone(id);
++ if (tz != null && tz.hasSameRules(zone) && tz.getID().equals(id)) {
++ zone = tz;
+ }
+ }
+ }
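Review bot: The new `CalendarAccessControlContext` holder and the narrowed `catch (PrivilegedActionException pae)` in `readObject` have no comments, although both encode the security reasoning of this fix. On the holder I would add `// Grants only accessClassInPackage.sun.util.calendar, so input.readObject() no longer runs with Calendar's full privileges.`, and on the `OptionalDataException` test `// Stream carries no ZoneInfo object: leave zone as it is.` (the second wording is inferred from the "If there's a ZoneInfo object" comment, so confirm it). The `e instanceof RuntimeException` branch looks unreachable, because `doPrivileged` wraps only checked exceptions in `PrivilegedActionException` and lets unchecked ones, including a `ClassCastException` from the `(ZoneInfo)` cast, propagate directly; it is harmless but could be dropped. `readObject` starts and ends outside the patched hunks, so how the zone is initialised before this code is not visible here.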