8008615: Improve robustness of JMX internal APIs

Reviewed-by: dfuchs, skoivu, dholmes

8008615: Improve robustness of JMX internal APIs
Reviewed-by: dfuchs, skoivu, dholmes
330cc225 · sjiang · bf522c97 · 330cc225 · 330cc225 · 330cc225
3 changed file
--- a/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java
+++ b/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java
@@ -30,7 +30,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
-import java.io.StreamCorruptedException;
+import sun.reflect.misc.ReflectUtil;

 /**
 * This class deserializes an object in the context of a specific class loader.
@@ -61,6 +61,7 @@ class ObjectInputStreamWithLoader extends ObjectInputStream {
            return super.resolveClass(aClass);
        } else {
            String name = aClass.getName();
+            ReflectUtil.checkPackageAccess(name);
            // Query the class loader ...
            return Class.forName(name, false, loader);
        }

--- a/src/share/classes/javax/management/MBeanServerFactory.java
+++ b/src/share/classes/javax/management/MBeanServerFactory.java
@@ -34,6 +34,7 @@ import java.security.Permission;
 import java.util.ArrayList;
 import java.util.logging.Level;
 import javax.management.loading.ClassLoaderRepository;
+import sun.reflect.misc.ReflectUtil;


 /**
@@ -446,7 +447,7 @@ public class MBeanServerFactory {
        }

        // No context class loader? Try with Class.forName()
-        return Class.forName(builderClassName);
+        return ReflectUtil.forName(builderClassName);
    }

    /**

--- a/src/share/classes/javax/management/remote/rmi/RMIConnector.java
+++ b/src/share/classes/javax/management/remote/rmi/RMIConnector.java
@@ -103,6 +103,7 @@ import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.rmi.ssl.SslRMIClientSocketFactory;
 import javax.security.auth.Subject;
+import sun.reflect.misc.ReflectUtil;
 import sun.rmi.server.UnicastRef2;
 import sun.rmi.transport.LiveRef;

@@ -2002,7 +2003,9 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
        @Override
        protected Class<?> resolveClass(ObjectStreamClass classDesc)
                throws IOException, ClassNotFoundException {
-            return Class.forName(classDesc.getName(), false, loader);
+            String name = classDesc.getName();
+            ReflectUtil.checkPackageAccess(name);
+            return Class.forName(name, false, loader);
        }

        private final ClassLoader loader;