From d7fe734be81d2c43649e4ef5b4d18d6182b7752f Mon Sep 17 00:00:00 2001 From: alvdavi Date: Wed, 23 Oct 2019 17:20:02 +0000 Subject: [PATCH] 8231422: Better serial filter handling Reviewed-by: andrew --- src/share/classes/java/lang/System.java | 3 + .../jdk/internal/util/StaticProperty.java | 58 +++++++++++++++++++ .../classes/sun/misc/ObjectInputFilter.java | 4 +- src/share/lib/security/java.security-aix | 4 +- src/share/lib/security/java.security-linux | 4 +- src/share/lib/security/java.security-macosx | 4 +- src/share/lib/security/java.security-solaris | 4 +- src/share/lib/security/java.security-windows | 4 +- .../serialFilter/GlobalFilterTest.java | 30 +++++++--- .../Serializable/serialFilter/security.policy | 2 +- 10 files changed, 97 insertions(+), 20 deletions(-) create mode 100644 src/share/classes/jdk/internal/util/StaticProperty.java diff --git a/src/share/classes/java/lang/System.java b/src/share/classes/java/lang/System.java index 7bc235bef..c568f02ee 100644 --- a/src/share/classes/java/lang/System.java +++ b/src/share/classes/java/lang/System.java @@ -43,6 +43,8 @@ import sun.reflect.Reflection; import sun.security.util.SecurityConstants; import sun.reflect.annotation.AnnotationType; +import jdk.internal.util.StaticProperty; + /** * The System class contains several useful class fields * and methods. It cannot be instantiated. @@ -1183,6 +1185,7 @@ public final class System { lineSeparator = props.getProperty("line.separator"); + StaticProperty.jdkSerialFilter(); // Load StaticProperty to cache the property values sun.misc.Version.init(); FileInputStream fdIn = new FileInputStream(FileDescriptor.in); diff --git a/src/share/classes/jdk/internal/util/StaticProperty.java b/src/share/classes/jdk/internal/util/StaticProperty.java new file mode 100644 index 000000000..1ac81df42 --- /dev/null +++ b/src/share/classes/jdk/internal/util/StaticProperty.java 
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.internal.util;
+
+/**
+ * System Property access for internal use only.
+ * Read-only access to System property values initialized during Phase 1
+ * are cached. Setting, clearing, or modifying the value using
+ * {@link System#setProperty) or {@link System#getProperties()} is ignored.
+ * {@link SecurityManager#checkPropertyAccess} is NOT checked
+ * in these access methods. The caller of these methods should take care to ensure
+ * that the returned property is not made accessible to untrusted code.
+ */
+public final class StaticProperty {
+
+ // The class static initialization is triggered to initialize these final
+ // fields during init Phase 1 and before a security manager is set.
+ private static final String JDK_SERIAL_FILTER = System.getProperty("jdk.serialFilter"); + + private StaticProperty() {} + + /** + * + * Return the {@code jdk.serialFilter} system property. + * + * {@link SecurityManager#checkPropertyAccess} is NOT checked + * in this method. The caller of this method should take care to ensure + * that the returned property is not made accessible to untrusted code. + * + * @return the {@code user.name} system property + */ + public static String jdkSerialFilter() { + return JDK_SERIAL_FILTER; + } +} diff --git a/src/share/classes/sun/misc/ObjectInputFilter.java b/src/share/classes/sun/misc/ObjectInputFilter.java index 9b2c6891d..af21c7400 100644 --- a/src/share/classes/sun/misc/ObjectInputFilter.java +++ b/src/share/classes/sun/misc/ObjectInputFilter.java @@ -37,6 +37,8 @@ import java.util.Optional; import java.util.function.Function; import sun.util.logging.PlatformLogger; +import jdk.internal.util.StaticProperty; + /** * Filter classes, array lengths, and graph metrics during deserialization. * If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)} @@ -247,7 +249,7 @@ public interface ObjectInputFilter { static { configuredFilter = AccessController .doPrivileged((PrivilegedAction) () -> { - String props = System.getProperty(SERIAL_FILTER_PROPNAME); + String props = StaticProperty.jdkSerialFilter(); if (props == null) { props = Security.getProperty(SERIAL_FILTER_PROPNAME); } diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix index a752a0707..7ae1abdac 100644 --- a/src/share/lib/security/java.security-aix +++ b/src/share/lib/security/java.security-aix 
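Review bot: The Javadoc in the new StaticProperty class has two copy-paste defects. In the class comment, `{@link System#setProperty)` closes with `)` instead of `}`, so the inline tag is malformed; it should read `{@link System#setProperty}`. On jdkSerialFilter(), the `@return` line names the wrong property and should be `@return the {@code jdk.serialFilter} system property`. The field comment could also state that the cached value is only trustworthy if the class is initialized before application code runs, which appears to be why System forces the load during startup.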
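Review bot: Only the system property is snapshotted at startup in the ObjectInputFilter static initializer. The fallback `Security.getProperty(SERIAL_FILTER_PROPNAME)` on the line after the changed one is still evaluated whenever this initializer first runs, which may be after application code has started. If the intent is that the process-wide filter cannot be influenced after launch, it is worth confirming that a security property changed before first use is acceptable, or recording the difference with a comment such as `// security property is read at Config init, not cached at startup`. The static block begins and ends outside the hunk, so the rest of the initializer is not visible here.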
@@ -886,8 +886,8 @@ jdk.xml.dsig.secureValidationPolicy=\ # Patterns are separated by ";" (semicolon). # Whitespace is significant and is considered part of the pattern. # -# If the system property jdk.serialFilter is also specified, it supersedes -# the security property value defined here. +# If the system property jdk.serialFilter is also specified on the command +# line, it supersedes the security property value defined here. # # If a pattern includes a "=", it sets a limit. # If a limit appears more than once the last value is used. diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux index c8c8232df..507b78044 100644 --- a/src/share/lib/security/java.security-linux +++ b/src/share/lib/security/java.security-linux @@ -887,8 +887,8 @@ jdk.xml.dsig.secureValidationPolicy=\ # Patterns are separated by ";" (semicolon). # Whitespace is significant and is considered part of the pattern. # -# If the system property jdk.serialFilter is also specified, it supersedes -# the security property value defined here. +# If the system property jdk.serialFilter is also specified on the command +# line, it supersedes the security property value defined here. # # If a pattern includes a "=", it sets a limit. # If a limit appears more than once the last value is used. diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx index 55aa65933..d2229db52 100644 --- a/src/share/lib/security/java.security-macosx +++ b/src/share/lib/security/java.security-macosx 
@@ -890,8 +890,8 @@ jdk.xml.dsig.secureValidationPolicy=\ # Patterns are separated by ";" (semicolon). # Whitespace is significant and is considered part of the pattern. # -# If the system property jdk.serialFilter is also specified, it supersedes -# the security property value defined here. +# If the system property jdk.serialFilter is also specified on the command +# line, it supersedes the security property value defined here. # # If a pattern includes a "=", it sets a limit. # If a limit appears more than once the last value is used. diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris index a3a796d4d..ed3d0c5f4 100644 --- a/src/share/lib/security/java.security-solaris +++ b/src/share/lib/security/java.security-solaris @@ -889,8 +889,8 @@ jdk.xml.dsig.secureValidationPolicy=\ # Patterns are separated by ";" (semicolon). # Whitespace is significant and is considered part of the pattern. # -# If the system property jdk.serialFilter is also specified, it supersedes -# the security property value defined here. +# If the system property jdk.serialFilter is also specified on the command +# line, it supersedes the security property value defined here. # # If a pattern includes a "=", it sets a limit. # If a limit appears more than once the last value is used. diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows index 623d02e4f..5069b9f1c 100644 --- a/src/share/lib/security/java.security-windows +++ b/src/share/lib/security/java.security-windows 
@@ -890,8 +890,8 @@ jdk.xml.dsig.secureValidationPolicy=\ # Patterns are separated by ";" (semicolon). # Whitespace is significant and is considered part of the pattern. # -# If the system property jdk.serialFilter is also specified, it supersedes -# the security property value defined here. +# If the system property jdk.serialFilter is also specified on the command +# line, it supersedes the security property value defined here. # # If a pattern includes a "=", it sets a limit. # If a limit appears more than once the last value is used. diff --git a/test/java/io/Serializable/serialFilter/GlobalFilterTest.java b/test/java/io/Serializable/serialFilter/GlobalFilterTest.java index 20503d19e..3810f38d8 100644 --- a/test/java/io/Serializable/serialFilter/GlobalFilterTest.java +++ b/test/java/io/Serializable/serialFilter/GlobalFilterTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -42,9 +42,11 @@ import org.testng.annotations.DataProvider; import sun.misc.ObjectInputFilter; /* @test + * @bug 8231422 * @build GlobalFilterTest SerialFilterTest * @run testng/othervm GlobalFilterTest - * @run testng/othervm -Djdk.serialFilter=java.** GlobalFilterTest + * @run testng/othervm -Djdk.serialFilter=java.** + * -Dexpected-jdk.serialFilter=java.** GlobalFilterTest * @run testng/othervm/policy=security.policy GlobalFilterTest * @run testng/othervm/policy=security.policy * -Djava.security.properties=${test.src}/java.security-extra1 
@@ -54,6 +56,10 @@ import sun.misc.ObjectInputFilter; */ @Test public class GlobalFilterTest { + private static final String serialPropName = "jdk.serialFilter"; + private static final String badSerialFilter = "java.lang.StringBuffer;!*"; + private static final String origSerialFilterProperty = + System.setProperty(serialPropName, badSerialFilter); /** * DataProvider of patterns and objects derived from the configured process-wide filter. @@ -62,8 +68,8 @@ public class GlobalFilterTest { @DataProvider(name="globalPatternElements") Object[][] globalPatternElements() { String globalFilter = - System.getProperty("jdk.serialFilter", - Security.getProperty("jdk.serialFilter")); + System.getProperty("expected-" + serialPropName, + Security.getProperty(serialPropName)); if (globalFilter == null) { return new Object[0][]; } @@ -100,12 +106,20 @@ public class GlobalFilterTest { */ @Test() static void globalFilter() { - String pattern = - System.getProperty("jdk.serialFilter", - Security.getProperty("jdk.serialFilter")); ObjectInputFilter filter = ObjectInputFilter.Config.getSerialFilter(); + + // Check that the System.setProperty(jdk.serialFilter) DOES NOT affect the filter. + String asSetSystemProp = System.getProperty(serialPropName, + Security.getProperty(serialPropName)); + Assert.assertNotEquals(Objects.toString(filter, null), asSetSystemProp, + "System.setProperty(\"jdk.serialfilter\", ...) should not change filter: " + + asSetSystemProp); + + String pattern = + System.getProperty("expected-" + serialPropName, + Security.getProperty(serialPropName)); System.out.printf("global pattern: %s, filter: %s%n", pattern, filter); - Assert.assertEquals(pattern, Objects.toString(filter, null), + Assert.assertEquals(Objects.toString(filter, null), pattern, "process-wide filter pattern does not match"); } diff --git a/test/java/io/Serializable/serialFilter/security.policy b/test/java/io/Serializable/serialFilter/security.policy index f986e255e..a79251b3e 100644 
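Review bot: `origSerialFilterProperty` captures the return value of `System.setProperty` but is not read in any hunk shown here, so the field seems to exist only for the side effect of its initializer. A short comment would make that explicit, e.g. `// Overwrite jdk.serialFilter after VM startup; the value cached at startup must win`. The three new `static final` fields would also conventionally be named in UPPER_SNAKE_CASE, for example `SERIAL_PROP_NAME` and `BAD_SERIAL_FILTER`.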
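Review bot: In globalFilter(), the new assertion message spells the property `jdk.serialfilter`, which does not match the real name `jdk.serialFilter` and will mislead anyone searching a failure log for it. Because the class initializer always sets the property, the `Security.getProperty(serialPropName)` default passed when computing `asSetSystemProp` can never be used. Comparing against the constant directly, `Assert.assertNotEquals(Objects.toString(filter, null), badSerialFilter, ...)`, states the intent more plainly. A one-line comment noting that `expected-jdk.serialFilter` mirrors the command-line value from the `@run` tags would also help readers of the second assertion.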
--- a/test/java/io/Serializable/serialFilter/security.policy +++ b/test/java/io/Serializable/serialFilter/security.policy @@ -3,7 +3,7 @@ grant { // Specific permission under test permission java.security.SerializablePermission "serialFilter"; // Permissions needed to run the test - permission java.util.PropertyPermission "*", "read"; + permission java.util.PropertyPermission "*", "read,write"; permission java.io.FilePermission "<>", "read,write,delete"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; permission java.security.SecurityPermission "*"; -- GitLab
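Review bot: Changing the grant to `PropertyPermission "*", "read,write"` gives the test write access to every system property, while the GlobalFilterTest hunks in this patch only write `jdk.serialFilter`. A narrower grant keeps the policy run closer to least privilege and makes the permission the test depends on obvious: keep `permission java.util.PropertyPermission "*", "read";` and add `permission java.util.PropertyPermission "jdk.serialFilter", "write";`. The grant block continues outside the hunk, so other entries may already cover related permissions.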