# HG changeset patch
# User amenkov
# Date 1242210734 -14400
# Node ID e18ac2718a066a296c9ff7f0ae91f381d794d07f
# Parent 22d903fd3c5ecaffb6fdcbe34ab3d46c907cfbe7
6738524: JDK13Services allows read access to system properties from untrusted code
Reviewed-by: hawtin
diff -r 22d903fd3c5e -r e18ac2718a06 jdk/src/share/classes/com/sun/media/sound/JDK13Services.java
--- a/jdk/src/share/classes/com/sun/media/sound/JDK13Services.java Wed May 13 13:52:52 2009 +0400
+++ b/jdk/src/share/classes/com/sun/media/sound/JDK13Services.java Wed May 13 14:32:14 2009 +0400
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -41,6 +41,15 @@
 import javax.sound.midi.spi.SoundbankReader;
 import javax.sound.midi.spi.MidiDeviceProvider;
+import javax.sound.midi.Receiver;
+import javax.sound.midi.Sequencer;
+import javax.sound.midi.Synthesizer;
+import javax.sound.midi.Transmitter;
+import javax.sound.sampled.Clip;
+import javax.sound.sampled.Port;
+import javax.sound.sampled.SourceDataLine;
+import javax.sound.sampled.TargetDataLine;
+
 /**
 * JDK13Services uses the Service class in JDK 1.3
@@ -186,6 +195,16 @@
 If the property is not set, null is returned.
 */
 private static synchronized String getDefaultProvider(Class typeClass) {
+ if (!SourceDataLine.class.equals(typeClass)
+ && !TargetDataLine.class.equals(typeClass)
+ && !Clip.class.equals(typeClass)
+ && !Port.class.equals(typeClass)
+ && !Receiver.class.equals(typeClass)
+ && !Transmitter.class.equals(typeClass)
+ && !Synthesizer.class.equals(typeClass)
+ && !Sequencer.class.equals(typeClass)) {
+ return null;
+ }
 String value;
 String propertyName = typeClass.getName();
 value = JSSecurityManager.getProperty(propertyName);
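Review bot: The allowlist added at the top of getDefaultProvider carries no comment, so the reason only these eight interfaces may reach `JSSecurityManager.getProperty` is recorded in the commit title alone. I would add above the `if`: `// typeClass.getName() is used as a system property name below; accept only the known default-provider types so a caller cannot read arbitrary properties.` Returning null for a rejected type matches the documented "property is not set" result, which keeps the two cases indistinguishable to the caller; that looks intentional and is worth one sentence in the Javadoc whose tail is visible in the context lines. The eight `equals` tests would also read better as a lookup in a `private static final` set of the permitted classes, so a newly supported type is added in one place. The method body continues past the end of the hunk, and any other callers of `JSSecurityManager.getProperty` in this class are not visible here; if they take a caller-supplied name they would need the same check.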