7162476: XMLDecoder security issue via ClassFinder

Reviewed-by: art, ahgross

7162476: XMLDecoder security issue via ClassFinder
Reviewed-by: art, ahgross
e8775990 · malenkov · 01b6efab · e8775990 · 01b6efab · e8775990
21 changed file
--- a/make/sun/Makefile
+++ b/make/sun/Makefile
@@ -87,7 +87,7 @@ else
 endif
 SUBDIRS_desktop    = audio $(RENDER_SUBDIR) image \
                     $(LWAWT_PRE_SUBDIR) $(DISPLAY_LIBS) $(DGA_SUBDIR) $(LWAWT_SUBDIR) \
-                     jawt font jpeg cmm $(DISPLAY_TOOLS) beans
+                     jawt font jpeg cmm $(DISPLAY_TOOLS)
 SUBDIRS_management = management
 SUBDIRS_misc       = $(ORG_SUBDIR) rmi $(JDBC_SUBDIR) tracing
 SUBDIRS_tools      = native2ascii serialver tools jconsole

--- a/make/sun/beans/Makefile
+++ b/make/sun/beans/Makefile
-#
-# Copyright (c) 1997, 2005, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.  Oracle designates this
-# particular file as subject to the "Classpath" exception as provided
-# by Oracle in the LICENSE file that accompanied this code.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-#
-# Makefile for building sun.beans.*
-#
-
-BUILDDIR = ../..
-PACKAGE = sun.beans
-PRODUCT = sun
-include $(BUILDDIR)/common/Defs.gmk
-
-#
-# Files
-#
-AUTO_FILES_JAVA_DIRS = sun/beans
-
-#
-# Rules
-#
-include $(BUILDDIR)/common/Classes.gmk
--- a/src/share/classes/sun/beans/editors/BooleanEditor.java
+++ b/src/share/classes/sun/beans/editors/BooleanEditor.java
 /*
- * Copyright (c) 2006, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 /**
 * Property editor for a java builtin "boolean" type.

--- a/src/share/classes/sun/beans/editors/ByteEditor.java
+++ b/src/share/classes/sun/beans/editors/ByteEditor.java
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 /**
 * Property editor for a java builtin "byte" type.

--- a/src/share/classes/sun/beans/editors/ColorEditor.java
+++ b/src/share/classes/sun/beans/editors/ColorEditor.java
 /*
- * Copyright (c) 1996, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 import java.awt.*;
 import java.beans.*;

--- a/src/share/classes/sun/beans/editors/DoubleEditor.java
+++ b/src/share/classes/sun/beans/editors/DoubleEditor.java
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 /**
 * Property editor for a java builtin "double" type.

--- a/src/share/classes/sun/beans/editors/EnumEditor.java
+++ b/src/share/classes/sun/beans/editors/EnumEditor.java
 /*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -22,7 +22,7 @@
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
-package sun.beans.editors;
+package com.sun.beans.editors;

 import java.awt.Component;
 import java.awt.Graphics;

--- a/src/share/classes/sun/beans/editors/FloatEditor.java
+++ b/src/share/classes/sun/beans/editors/FloatEditor.java
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 /**
 * Property editor for a java builtin "float" type.

--- a/src/share/classes/sun/beans/editors/FontEditor.java
+++ b/src/share/classes/sun/beans/editors/FontEditor.java
 /*
- * Copyright (c) 1996, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 import java.awt.*;
 import java.beans.*;

--- a/src/share/classes/sun/beans/editors/IntegerEditor.java
+++ b/src/share/classes/sun/beans/editors/IntegerEditor.java
 /*
- * Copyright (c) 2006, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 /**
 * Property editor for a java builtin "int" type.

--- a/src/share/classes/sun/beans/editors/LongEditor.java
+++ b/src/share/classes/sun/beans/editors/LongEditor.java
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 /**
 * Property editor for a java builtin "long" type.

--- a/src/share/classes/sun/beans/editors/NumberEditor.java
+++ b/src/share/classes/sun/beans/editors/NumberEditor.java
 /*
- * Copyright (c) 1996, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.editors;
+package com.sun.beans.editors;

 /**
 * Abstract Property editor for a java builtin number types.

--- a/src/share/classes/sun/beans/editors/ShortEditor.java
+++ b/src/share/classes/sun/beans/editors/ShortEditor.java
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@
 */


-package sun.beans.editors;
+package com.sun.beans.editors;

 /**
 * Property editor for a java builtin "short" type.

--- a/src/share/classes/sun/beans/editors/StringEditor.java
+++ b/src/share/classes/sun/beans/editors/StringEditor.java
 /*
- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@
 */


-package sun.beans.editors;
+package com.sun.beans.editors;

 import java.beans.*;


--- a/src/share/classes/com/sun/beans/finder/BeanInfoFinder.java
+++ b/src/share/classes/com/sun/beans/finder/BeanInfoFinder.java
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -42,6 +42,7 @@ public final class BeanInfoFinder
        extends InstanceFinder<BeanInfo> {

    private static final String DEFAULT = "sun.beans.infos";
+    private static final String DEFAULT_NEW = "com.sun.beans.infos";

    public BeanInfoFinder() {
        super(BeanInfo.class, true, "BeanInfo", DEFAULT);
@@ -53,10 +54,13 @@ public final class BeanInfoFinder

    @Override
    protected BeanInfo instantiate(Class<?> type, String prefix, String name) {
+        if (DEFAULT.equals(prefix)) {
+            prefix = DEFAULT_NEW;
+        }
        // this optimization will only use the BeanInfo search path
        // if is has changed from the original
        // or trying to get the ComponentBeanInfo
-        BeanInfo info = !DEFAULT.equals(prefix) || "ComponentBeanInfo".equals(name)
+        BeanInfo info = !DEFAULT_NEW.equals(prefix) || "ComponentBeanInfo".equals(name)
                ? super.instantiate(type, prefix, name)
                : null;


--- a/src/share/classes/com/sun/beans/finder/ClassFinder.java
+++ b/src/share/classes/com/sun/beans/finder/ClassFinder.java
 /*
- * Copyright (c) 2006, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,8 @@
 */
 package com.sun.beans.finder;

+import static sun.reflect.misc.ReflectUtil.checkPackageAccess;
+
 /**
 * This is utility class that provides {@code static} methods
 * to find a class with the specified name using the specified class loader.
@@ -54,6 +56,7 @@ public final class ClassFinder {
     * @see Thread#getContextClassLoader()
     */
    public static Class<?> findClass(String name) throws ClassNotFoundException {
+        checkPackageAccess(name);
        try {
            ClassLoader loader = Thread.currentThread().getContextClassLoader();
            if (loader == null) {
@@ -94,6 +97,7 @@ public final class ClassFinder {
     * @see Class#forName(String,boolean,ClassLoader)
     */
    public static Class<?> findClass(String name, ClassLoader loader) throws ClassNotFoundException {
+        checkPackageAccess(name);
        if (loader != null) {
            try {
                return Class.forName(name, false, loader);

--- a/src/share/classes/com/sun/beans/finder/PropertyEditorFinder.java
+++ b/src/share/classes/com/sun/beans/finder/PropertyEditorFinder.java
 /*
- * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -28,14 +28,14 @@ import com.sun.beans.WeakCache;

 import java.beans.PropertyEditor;

-import sun.beans.editors.BooleanEditor;
-import sun.beans.editors.ByteEditor;
-import sun.beans.editors.DoubleEditor;
-import sun.beans.editors.EnumEditor;
-import sun.beans.editors.FloatEditor;
-import sun.beans.editors.IntegerEditor;
-import sun.beans.editors.LongEditor;
-import sun.beans.editors.ShortEditor;
+import com.sun.beans.editors.BooleanEditor;
+import com.sun.beans.editors.ByteEditor;
+import com.sun.beans.editors.DoubleEditor;
+import com.sun.beans.editors.EnumEditor;
+import com.sun.beans.editors.FloatEditor;
+import com.sun.beans.editors.IntegerEditor;
+import com.sun.beans.editors.LongEditor;
+import com.sun.beans.editors.ShortEditor;

 /**
 * This is utility class that provides functionality
@@ -48,10 +48,13 @@ import sun.beans.editors.ShortEditor;
 public final class PropertyEditorFinder
        extends InstanceFinder<PropertyEditor> {

+    private static final String DEFAULT = "sun.beans.editors";
+    private static final String DEFAULT_NEW = "com.sun.beans.editors";
+
    private final WeakCache<Class<?>, Class<?>> registry;

    public PropertyEditorFinder() {
-        super(PropertyEditor.class, false, "Editor", "sun.beans.editors");
+        super(PropertyEditor.class, false, "Editor", DEFAULT);

        this.registry = new WeakCache<Class<?>, Class<?>>();
        this.registry.put(Byte.TYPE, ByteEditor.class);
@@ -84,4 +87,9 @@ public final class PropertyEditorFinder
        }
        return editor;
    }
+
+    @Override
+    protected PropertyEditor instantiate(Class<?> type, String prefix, String name) {
+        return super.instantiate(type, DEFAULT.equals(prefix) ? DEFAULT_NEW : prefix, name);
+    }
 }
--- a/src/share/classes/sun/beans/infos/ComponentBeanInfo.java
+++ b/src/share/classes/sun/beans/infos/ComponentBeanInfo.java
 /*
- * Copyright (c) 1996, 2002, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */

-package sun.beans.infos;
+package com.sun.beans.infos;

 import java.beans.*;


--- a/test/java/beans/Introspector/4520754/Test4520754.java
+++ b/test/java/beans/Introspector/4520754/Test4520754.java
 /*
- * Copyright (c) 2002, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -58,7 +58,7 @@ public class Test4520754 {
    public static void main(String[] args) {
        // ensure that 4168475 does not regress
        test4168475(Component.class);
-        // AWT classes (sun.beans.infos.ComponentBeanInfo)
+        // AWT classes (com.sun.beans.infos.ComponentBeanInfo)
        test(null, Button.class, Component.class, List.class, Menu.class, Panel.class);
        // Swing classes (dt.jar)
        test(null, JApplet.class, JButton.class, JCheckBox.class);

--- a/test/java/beans/PropertyEditor/6380849/TestPropertyEditor.java
+++ b/test/java/beans/PropertyEditor/6380849/TestPropertyEditor.java
 /**
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -36,17 +36,17 @@ import java.awt.Font;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;

-import sun.beans.editors.BooleanEditor;
-import sun.beans.editors.ByteEditor;
-import sun.beans.editors.ColorEditor;
-import sun.beans.editors.DoubleEditor;
-import sun.beans.editors.EnumEditor;
-import sun.beans.editors.FloatEditor;
-import sun.beans.editors.FontEditor;
-import sun.beans.editors.IntegerEditor;
-import sun.beans.editors.LongEditor;
-import sun.beans.editors.ShortEditor;
-import sun.beans.editors.StringEditor;
+import com.sun.beans.editors.BooleanEditor;
+import com.sun.beans.editors.ByteEditor;
+import com.sun.beans.editors.ColorEditor;
+import com.sun.beans.editors.DoubleEditor;
+import com.sun.beans.editors.EnumEditor;
+import com.sun.beans.editors.FloatEditor;
+import com.sun.beans.editors.FontEditor;
+import com.sun.beans.editors.IntegerEditor;
+import com.sun.beans.editors.LongEditor;
+import com.sun.beans.editors.ShortEditor;
+import com.sun.beans.editors.StringEditor;

 public class TestPropertyEditor implements Runnable {


--- a/test/java/beans/PropertyEditor/Test6963811.java
+++ b/test/java/beans/PropertyEditor/Test6963811.java
 /*
- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -29,7 +29,7 @@
 */

 import java.beans.PropertyEditorManager;
-import sun.beans.editors.StringEditor;
+import com.sun.beans.editors.StringEditor;

 public class Test6963811 implements Runnable {
    private final long time;