# HG changeset patch # User amurillo # Date 1469121284 0 # Node ID b8b5fb06fb1ac2ca35fed4dc77339926ffbce83a # Parent c3365f0d4a4389a668267830237234c9b1d90f52# Parent a774841b7692ec3b81dca2d731e024380388bef6 Merge diff -r c3365f0d4a43 -r b8b5fb06fb1a corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java Thu Jul 21 16:42:57 2016 +0000 +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java Thu Jul 21 17:14:44 2016 +0000 @@ -1,5 +1,4 @@ /* - * * Copyright (c) 1997, 2004, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * @@ -22,7 +21,6 @@ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. - * */ package com.sun.corba.se.impl.activation; diff -r c3365f0d4a43 -r b8b5fb06fb1a corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java Thu Jul 21 16:42:57 2016 +0000 +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java Thu Jul 21 17:14:44 2016 +0000 @@ -34,21 +34,13 @@ import java.security.Policy; import java.security.PrivilegedAction; import java.security.ProtectionDomain; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Map; -import java.util.List; -import java.util.ListIterator; -import java.util.Set; -import java.util.Map.Entry; -import java.util.Collection; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.HashMap; import java.util.HashSet; import java.util.Hashtable; import java.util.Iterator; import java.util.Enumeration; -import java.util.Properties; -import java.util.IdentityHashMap; import java.util.StringTokenizer; import java.util.NoSuchElementException; @@ -165,8 +157,18 @@ * Return default ValueHandler */ public static ValueHandler createValueHandler() { + ValueHandler vh; + try { + vh = AccessController.doPrivileged(new PrivilegedExceptionAction() { + public ValueHandler run() throws Exception { return Util.createValueHandler(); } + }); + } catch (PrivilegedActionException e) { + throw new InternalError(e.getCause()); + } + return vh; + } /** * Returns true if it was accurately determined that the remote ORB is @@ -664,7 +666,16 @@ * ValueHandler. */ public static byte getMaxStreamFormatVersion() { - ValueHandler vh = Util.createValueHandler(); + ValueHandler vh; + try { + vh = AccessController.doPrivileged(new PrivilegedExceptionAction() { + public ValueHandler run() throws Exception { + return Util.createValueHandler(); + } + }); + } catch (PrivilegedActionException e) { + throw new InternalError(e.getCause()); + } if (!(vh instanceof javax.rmi.CORBA.ValueHandlerMultiFormat)) return ORBConstants.STREAM_FORMAT_VERSION_1; diff -r c3365f0d4a43 -r b8b5fb06fb1a corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java --- a/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java Thu Jul 21 16:42:57 2016 +0000 +++ b/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java Thu Jul 21 17:14:44 2016 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -45,6 +45,7 @@ import java.rmi.Remote; import java.io.File; import java.io.FileInputStream; +import java.io.SerializablePermission; import java.net.MalformedURLException ; import java.security.AccessController; import java.security.PrivilegedAction; @@ -195,6 +196,8 @@ */ public static ValueHandler createValueHandler() { + isCustomSerializationPermitted(); + if (utilDelegate != null) { return utilDelegate.createValueHandler(); } @@ -337,6 +340,7 @@ // security reasons. If you know a better solution how to share this code // then remove it from PortableRemoteObject. Also in Stub.java private static Object createDelegate(String classKey) { + String className = (String) AccessController.doPrivileged(new GetPropertyAction(classKey)); if (className == null) { @@ -345,7 +349,6 @@ className = props.getProperty(classKey); } } - if (className == null) { return new com.sun.corba.se.impl.javax.rmi.CORBA.Util(); } @@ -389,4 +392,14 @@ new GetORBPropertiesFileAction()); } + private static void isCustomSerializationPermitted() { + SecurityManager sm = System.getSecurityManager(); + if ( sm != null) { + // check that a serialization permission has been + // set to allow the loading of the Util delegate + // which provides access to custom ValueHandler + sm.checkPermission(new SerializablePermission( + "enableCustomValueHandler")); } + } +}