8008615: Improve robustness of JMX internal APIs
Reviewed-by: dfuchs, skoivu, dholmes
--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java Tue Mar 26 09:12:18 2013 +0100
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java Tue Mar 26 08:32:16 2013 +0100
@@ -30,7 +30,7 @@
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
-import java.io.StreamCorruptedException;
+import sun.reflect.misc.ReflectUtil;
/**
* This class deserializes an object in the context of a specific class loader.
@@ -61,6 +61,7 @@
return super.resolveClass(aClass);
} else {
String name = aClass.getName();
+ ReflectUtil.checkPackageAccess(name);
// Query the class loader ...
return Class.forName(name, false, loader);
}
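Review bot: The added `ReflectUtil.checkPackageAccess(name)` call in the else branch has no comment explaining why it must run before `Class.forName(name, false, loader)`, and the existing `// Query the class loader ...` comment now sits below it without covering it. The name appears to come from the stream's class descriptor, so a short why-comment would help the next maintainer keep the order intact, e.g. `// Name comes from the stream: enforce package-access policy before asking the loader`. The same comment applies to the `resolveClass` override in the RMIConnector.java hunk, which adds the identical check. The `super.resolveClass(aClass)` branch and the start of the method are outside the hunk, so whether that path gets an equivalent check cannot be confirmed from here.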
--- a/jdk/src/share/classes/javax/management/MBeanServerFactory.java Tue Mar 26 09:12:18 2013 +0100
+++ b/jdk/src/share/classes/javax/management/MBeanServerFactory.java Tue Mar 26 08:32:16 2013 +0100
@@ -34,6 +34,7 @@
import java.util.ArrayList;
import java.util.logging.Level;
import javax.management.loading.ClassLoaderRepository;
+import sun.reflect.misc.ReflectUtil;
/**
@@ -446,7 +447,7 @@
}
// No context class loader? Try with Class.forName()
- return Class.forName(builderClassName);
+ return ReflectUtil.forName(builderClassName);
}
/**
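Review bot: The comment `// No context class loader? Try with Class.forName()` is stale now that the fallback line is `return ReflectUtil.forName(builderClassName);`. Suggest `// No context class loader? Fall back to ReflectUtil.forName(), which checks package access before loading`. The branch that handles a non-null context class loader lies above the hunk; if it loads `builderClassName` through that loader directly, it is worth confirming that path is intentionally left without the package-access check. The enclosing method starts outside the hunk.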
--- a/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java Tue Mar 26 09:12:18 2013 +0100
+++ b/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java Tue Mar 26 08:32:16 2013 +0100
@@ -103,6 +103,7 @@
import javax.naming.NamingException;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.security.auth.Subject;
+import sun.reflect.misc.ReflectUtil;
import sun.rmi.server.UnicastRef2;
import sun.rmi.transport.LiveRef;
@@ -2002,7 +2003,9 @@
@Override
protected Class<?> resolveClass(ObjectStreamClass classDesc)
throws IOException, ClassNotFoundException {
- return Class.forName(classDesc.getName(), false, loader);
+ String name = classDesc.getName();
+ ReflectUtil.checkPackageAccess(name);
+ return Class.forName(name, false, loader);
}
private final ClassLoader loader;