提交 330cc225 编写于 作者: S sjiang

8008615: Improve robustness of JMX internal APIs

Reviewed-by: dfuchs, skoivu, dholmes
上级 bf522c97
...@@ -30,7 +30,7 @@ import java.io.IOException; ...@@ -30,7 +30,7 @@ import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.ObjectInputStream; import java.io.ObjectInputStream;
import java.io.ObjectStreamClass; import java.io.ObjectStreamClass;
import java.io.StreamCorruptedException; import sun.reflect.misc.ReflectUtil;
/** /**
* This class deserializes an object in the context of a specific class loader. * This class deserializes an object in the context of a specific class loader.
...@@ -61,6 +61,7 @@ class ObjectInputStreamWithLoader extends ObjectInputStream { ...@@ -61,6 +61,7 @@ class ObjectInputStreamWithLoader extends ObjectInputStream {
return super.resolveClass(aClass); return super.resolveClass(aClass);
} else { } else {
String name = aClass.getName(); String name = aClass.getName();
ReflectUtil.checkPackageAccess(name);
// Query the class loader ... // Query the class loader ...
return Class.forName(name, false, loader); return Class.forName(name, false, loader);
} }
......
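Review bot: The added `ReflectUtil.checkPackageAccess(name);` in the else branch of resolveClass has no comment explaining why it is there, and the existing `// Query the class loader ...` comment now sits below it. I would put `// Deny classes from restricted packages before loading; only enforced when a SecurityManager is installed` above the call, because the check filters by package and is not a deserialization allow-list. The same applies to the resolveClass override in the RMIConnector section further down. The branch that returns `super.resolveClass(aClass)` has no equivalent call in the visible lines, and its condition is outside the hunk, so it should be confirmed that this path does not need the check.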
...@@ -34,6 +34,7 @@ import java.security.Permission; ...@@ -34,6 +34,7 @@ import java.security.Permission;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.logging.Level; import java.util.logging.Level;
import javax.management.loading.ClassLoaderRepository; import javax.management.loading.ClassLoaderRepository;
import sun.reflect.misc.ReflectUtil;
/** /**
...@@ -446,7 +447,7 @@ public class MBeanServerFactory { ...@@ -446,7 +447,7 @@ public class MBeanServerFactory {
} }
// No context class loader? Try with Class.forName() // No context class loader? Try with Class.forName()
return Class.forName(builderClassName); return ReflectUtil.forName(builderClassName);
} }
/** /**
......
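Review bot: The comment `// No context class loader? Try with Class.forName()` is stale now that the fallback calls `ReflectUtil.forName(builderClassName)`. It could read `// No context class loader? Fall back to ReflectUtil.forName(), which checks package access first`. The branch that loads the builder class through the context class loader lies above the hunk and is not visible here, so it is worth confirming that it gets the same package-access check; otherwise only the fallback path is covered. The method's body starts outside the hunk.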
...@@ -103,6 +103,7 @@ import javax.naming.InitialContext; ...@@ -103,6 +103,7 @@ import javax.naming.InitialContext;
import javax.naming.NamingException; import javax.naming.NamingException;
import javax.rmi.ssl.SslRMIClientSocketFactory; import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import sun.reflect.misc.ReflectUtil;
import sun.rmi.server.UnicastRef2; import sun.rmi.server.UnicastRef2;
import sun.rmi.transport.LiveRef; import sun.rmi.transport.LiveRef;
...@@ -2002,7 +2003,9 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable ...@@ -2002,7 +2003,9 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
@Override @Override
protected Class<?> resolveClass(ObjectStreamClass classDesc) protected Class<?> resolveClass(ObjectStreamClass classDesc)
throws IOException, ClassNotFoundException { throws IOException, ClassNotFoundException {
return Class.forName(classDesc.getName(), false, loader); String name = classDesc.getName();
ReflectUtil.checkPackageAccess(name);
return Class.forName(name, false, loader);
} }
private final ClassLoader loader; private final ClassLoader loader;
......