--- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java Wed Jul 05 21:58:29 2017 +0200
+++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java Mon Jan 25 22:32:25 2016 +0000
@@ -34,21 +34,13 @@
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Map;
-import java.util.List;
-import java.util.ListIterator;
-import java.util.Set;
-import java.util.Map.Entry;
-import java.util.Collection;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Enumeration;
-import java.util.Properties;
-import java.util.IdentityHashMap;
import java.util.StringTokenizer;
import java.util.NoSuchElementException;
@@ -165,8 +157,18 @@
* Return default ValueHandler
*/
public static ValueHandler createValueHandler() {
+ ValueHandler vh;
+ try {
+ vh = AccessController.doPrivileged(new PrivilegedExceptionAction<ValueHandler>() {
+ public ValueHandler run() throws Exception {
return Util.createValueHandler();
}
+ });
+ } catch (PrivilegedActionException e) {
+ throw new InternalError(e.getCause());
+ }
+ return vh;
+ }
/**
* Returns true if it was accurately determined that the remote ORB is
@@ -664,7 +666,16 @@
* ValueHandler.
*/
public static byte getMaxStreamFormatVersion() {
- ValueHandler vh = Util.createValueHandler();
+ ValueHandler vh;
+ try {
+ vh = AccessController.doPrivileged(new PrivilegedExceptionAction<ValueHandler>() {
+ public ValueHandler run() throws Exception {
+ return Util.createValueHandler();
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ throw new InternalError(e.getCause());
+ }
if (!(vh instanceof javax.rmi.CORBA.ValueHandlerMultiFormat))
return ORBConstants.STREAM_FORMAT_VERSION_1;
--- a/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java Wed Jul 05 21:58:29 2017 +0200
+++ b/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java Mon Jan 25 22:32:25 2016 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -45,6 +45,7 @@
import java.rmi.Remote;
import java.io.File;
import java.io.FileInputStream;
+import java.io.SerializablePermission;
import java.net.MalformedURLException ;
import java.security.AccessController;
import java.security.PrivilegedAction;
@@ -195,6 +196,8 @@
*/
public static ValueHandler createValueHandler() {
+ isCustomSerializationPermitted();
+
if (utilDelegate != null) {
return utilDelegate.createValueHandler();
}
@@ -337,6 +340,7 @@
// security reasons. If you know a better solution how to share this code
// then remove it from PortableRemoteObject. Also in Stub.java
private static Object createDelegate(String classKey) {
+
String className = (String)
AccessController.doPrivileged(new GetPropertyAction(classKey));
if (className == null) {
@@ -345,7 +349,6 @@
className = props.getProperty(classKey);
}
}
-
if (className == null) {
return new com.sun.corba.se.impl.javax.rmi.CORBA.Util();
}
@@ -389,4 +392,14 @@
new GetORBPropertiesFileAction());
}
+ private static void isCustomSerializationPermitted() {
+ SecurityManager sm = System.getSecurityManager();
+ if ( sm != null) {
+ // check that a serialization permission has been
+ // set to allow the loading of the Util delegate
+ // which provides access to custom ValueHandler
+ sm.checkPermission(new SerializablePermission(
+ "enableCustomValueHandler"));
}
+ }
+}