7162473: ConstructorFinder/FieldFinder/MethodFinder gives access to restricted classes

Reviewed-by: art, ahgross

7162473: ConstructorFinder/FieldFinder/MethodFinder gives access to restricted classes
Reviewed-by: art, ahgross
01b6efab · malenkov · 0070da84 · 01b6efab · 01b6efab · 01b6efab
3 changed file
--- a/src/share/classes/com/sun/beans/finder/ConstructorFinder.java
+++ b/src/share/classes/com/sun/beans/finder/ConstructorFinder.java
 /*
- * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,8 @@ import com.sun.beans.WeakCache;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Modifier;
+import static sun.reflect.misc.ReflectUtil.isPackageAccessible;
 /**
 * This utility class provides {@code static} methods
 * to find a public constructor with specified parameter types
@@ -61,7 +63,7 @@ public final class ConstructorFinder extends AbstractFinder<Constructor<?>> {
        if (Modifier.isAbstract(type.getModifiers())) {
            throw new NoSuchMethodException("Abstract class cannot be instantiated");
        }
-        if (!Modifier.isPublic(type.getModifiers())) {
+        if (!Modifier.isPublic(type.getModifiers()) || !isPackageAccessible(type)) {
            throw new NoSuchMethodException("Class is not accessible");
        }
        PrimitiveWrapperMap.replacePrimitivesWithWrappers(args);

--- a/src/share/classes/com/sun/beans/finder/FieldFinder.java
+++ b/src/share/classes/com/sun/beans/finder/FieldFinder.java
 /*
- * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,8 @@ package com.sun.beans.finder;
 import java.lang.reflect.Field;
 import java.lang.reflect.Modifier;
+import static sun.reflect.misc.ReflectUtil.isPackageAccessible;
 /**
 * This utility class provides {@code static} methods
 * to find a public field with specified name
@@ -56,7 +58,8 @@ public final class FieldFinder {
        if (!Modifier.isPublic(field.getModifiers())) {
            throw new NoSuchFieldException("Field '" + name + "' is not public");
        }
-        if (!Modifier.isPublic(field.getDeclaringClass().getModifiers())) {
+        type = field.getDeclaringClass();
+        if (!Modifier.isPublic(type.getModifiers()) || !isPackageAccessible(type)) {
            throw new NoSuchFieldException("Field '" + name + "' is not accessible");
        }
        return field;

--- a/src/share/classes/com/sun/beans/finder/MethodFinder.java
+++ b/src/share/classes/com/sun/beans/finder/MethodFinder.java
 /*
- * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,8 @@ import java.lang.reflect.ParameterizedType;
 import java.lang.reflect.Type;
 import java.util.Arrays;
+import static sun.reflect.misc.ReflectUtil.isPackageAccessible;
 /**
 * This utility class provides {@code static} methods
 * to find a public method with specified name and parameter types
@@ -120,7 +122,7 @@ public final class MethodFinder extends AbstractFinder<Method> {
     */
    public static Method findAccessibleMethod(Method method) throws NoSuchMethodException {
        Class<?> type = method.getDeclaringClass();
-        if (Modifier.isPublic(type.getModifiers())) {
+        if (Modifier.isPublic(type.getModifiers()) && isPackageAccessible(type)) {
            return method;
        }
        if (Modifier.isStatic(method.getModifiers())) {