diff -r 0b738aef65d0 -r e4c4b4fb2723 jdk/src/java.desktop/share/classes/java/beans/Statement.java --- a/jdk/src/java.desktop/share/classes/java/beans/Statement.java Mon Jun 06 16:23:37 2016 +0300 +++ b/jdk/src/java.desktop/share/classes/java/beans/Statement.java Mon Jun 06 18:28:46 2016 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -39,6 +39,8 @@ import com.sun.beans.finder.MethodFinder; import sun.reflect.misc.MethodUtil; +import static sun.reflect.misc.ReflectUtil.checkPackageAccess; + /** * A {@code Statement} object represents a primitive statement * in which a single method is applied to a target and @@ -205,12 +207,22 @@ Object[] arguments = getArguments(); if (arguments == null) { arguments = emptyArray; + } else { + arguments = arguments.clone(); } - // Class.forName() won't load classes outside - // of core from a class inside core. Special - // case this method. if (target == Class.class && methodName.equals("forName")) { - return ClassFinder.resolveClass((String)arguments[0], this.loader); + final String name = (String) arguments[0]; + if (arguments.length == 1) { + // Class.forName(String className) won't load classes outside + // of core from a class inside core. Special + // case this method. + // checkPackageAccess(name) will be called by ClassFinder + return ClassFinder.resolveClass(name, this.loader); + } + // The 3 args Class.forName(String className, boolean, classloader) + // requires getClassLoader permission, but we will be stricter and + // will require access to the package as well. + checkPackageAccess(name); } Class[] argClasses = new Class[arguments.length]; for(int i = 0; i < arguments.length; i++) {