From 330cc2252b2bb8f88e377726f8c145819c56be46 Mon Sep 17 00:00:00 2001
From: sjiang
Date: Tue, 26 Mar 2013 08:32:16 +0100
Subject: [PATCH] 8008615: Improve robustness of JMX internal APIs
Reviewed-by: dfuchs, skoivu, dholmes
---
 .../com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java | 3 ++-
 src/share/classes/javax/management/MBeanServerFactory.java | 3 ++-
 .../classes/javax/management/remote/rmi/RMIConnector.java | 5 ++++-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java b/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java
index 6330b9c28..3e8cb71a5 100644
--- a/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java
+++ b/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java
@@ -30,7 +30,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
-import java.io.StreamCorruptedException;
+import sun.reflect.misc.ReflectUtil;
 /**
 * This class deserializes an object in the context of a specific class loader.
@@ -61,6 +61,7 @@ class ObjectInputStreamWithLoader extends ObjectInputStream {
 return super.resolveClass(aClass);
 } else {
 String name = aClass.getName();
+ ReflectUtil.checkPackageAccess(name);
 // Query the class loader ...
 return Class.forName(name, false, loader);
 }
diff --git a/src/share/classes/javax/management/MBeanServerFactory.java b/src/share/classes/javax/management/MBeanServerFactory.java
index d6f133a0b..1e0ad2fb9 100644
--- a/src/share/classes/javax/management/MBeanServerFactory.java
+++ b/src/share/classes/javax/management/MBeanServerFactory.java
@@ -34,6 +34,7 @@ import java.security.Permission;
 import java.util.ArrayList;
 import java.util.logging.Level;
 import javax.management.loading.ClassLoaderRepository;
+import sun.reflect.misc.ReflectUtil;
 /**
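Review bot: In the `@@ -61,6 +61,7 @@` hunk of ObjectInputStreamWithLoader.java, `ReflectUtil.checkPackageAccess(name)` is added only on the `else` path of resolveClass, so the `return super.resolveClass(aClass)` branch just above it does not go through the new check. Proxy descriptors would presumably bypass it as well, since the stream resolves those through resolveProxyClass, which this patch does not touch. If relying on ObjectInputStream's own resolution there is intentional, record that in a comment such as `// Class name comes from the stream: enforce package access before asking the supplied loader`. Otherwise hoist `String name = aClass.getName();` and `ReflectUtil.checkPackageAccess(name);` above the `if`. The resolveProxyClass question applies equally to the resolveClass hunk in RMIConnector.java; the method here starts outside the hunk, so the branch condition is inferred.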
@@ -446,7 +447,7 @@ public class MBeanServerFactory {
 }
 // No context class loader? Try with Class.forName()
- return Class.forName(builderClassName);
+ return ReflectUtil.forName(builderClassName);
 }
 /**
diff --git a/src/share/classes/javax/management/remote/rmi/RMIConnector.java b/src/share/classes/javax/management/remote/rmi/RMIConnector.java
index b3a4558d4..53e6754e6 100644
--- a/src/share/classes/javax/management/remote/rmi/RMIConnector.java
+++ b/src/share/classes/javax/management/remote/rmi/RMIConnector.java
@@ -103,6 +103,7 @@ import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.rmi.ssl.SslRMIClientSocketFactory;
 import javax.security.auth.Subject;
+import sun.reflect.misc.ReflectUtil;
 import sun.rmi.server.UnicastRef2;
 import sun.rmi.transport.LiveRef;
@@ -2002,7 +2003,9 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
 @Override
 protected Class resolveClass(ObjectStreamClass classDesc)
 throws IOException, ClassNotFoundException {
- return Class.forName(classDesc.getName(), false, loader);
+ String name = classDesc.getName();
+ ReflectUtil.checkPackageAccess(name);
+ return Class.forName(name, false, loader);
 }
 private final ClassLoader loader;
--
GitLab
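Review bot: The context comment `// No context class loader? Try with Class.forName()` directly above the changed line in MBeanServerFactory.java is now stale, because the fallback calls `ReflectUtil.forName(builderClassName)` instead. Update it to something like `// No context class loader? Fall back to ReflectUtil.forName(), which checks package access before loading` so the reason for the swap survives in the source. The enclosing method starts outside this hunk, so whether the context-class-loader path above applies an equivalent check cannot be seen here and is worth confirming.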
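Review bot: The three lines added to resolveClass in RMIConnector.java carry no comment, and the check they introduce is conditional: as far as I know `ReflectUtil.checkPackageAccess` only acts when a SecurityManager is installed (ReflectUtil is not part of this patch, so confirm). A comment such as `// Name is taken from the stream; enforce SecurityManager package access before loading it with the supplied loader` would keep a later reader from treating this as a general filter on deserialized classes. The enclosing inner class starts outside the hunk.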