8055206: Update SecurityManager::checkPackageAccess to restrict non-exported JDK packages by default
Reviewed-by: mchung
--- a/jaxp/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java Wed Jul 05 22:42:09 2017 +0200
+++ b/jaxp/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java Thu Jan 19 13:48:49 2017 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
*/
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
@@ -37,6 +37,7 @@
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.io.Serializable;
+import java.lang.RuntimePermission;
import java.lang.module.Configuration;
import java.lang.module.ModuleDescriptor;
import java.lang.module.ModuleFinder;
@@ -45,7 +46,11 @@
import java.lang.reflect.Layer;
import java.lang.reflect.Module;
import java.security.AccessController;
+import java.security.CodeSigner;
+import java.security.CodeSource;
+import java.security.PermissionCollection;
import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
@@ -177,6 +182,7 @@
_loadedExternalExtensionFunctions = mapEF;
}
+ @Override
public Class<?> loadClass(String name) throws ClassNotFoundException {
Class<?> ret = null;
// The _loadedExternalExtensionFunctions will be empty when the
@@ -196,6 +202,10 @@
Class defineClass(final byte[] b) {
return defineClass(null, b, 0, b.length);
}
+
+ Class defineClass(final byte[] b, ProtectionDomain pd) {
+ return defineClass(null, b, 0, b.length, pd);
+ }
}
@@ -482,16 +492,24 @@
// the module needs access to runtime classes
Module thisModule = TemplatesImpl.class.getModule();
-
+ // the module also needs permission to access each package
+ // that is exported to it
+ PermissionCollection perms =
+ new RuntimePermission("*").newPermissionCollection();
Arrays.asList(Constants.PKGS_USED_BY_TRANSLET_CLASSES).forEach(p -> {
thisModule.addExports(p, m);
+ perms.add(new RuntimePermission("accessClassInPackage." + p));
});
- // java.xml needs to instanitate the translet class
+ CodeSource codeSource = new CodeSource(null, (CodeSigner[])null);
+ ProtectionDomain pd = new ProtectionDomain(codeSource, perms,
+ loader, null);
+
+ // java.xml needs to instantiate the translet class
thisModule.addReads(m);
for (int i = 0; i < classCount; i++) {
- _class[i] = loader.defineClass(_bytecodes[i]);
+ _class[i] = loader.defineClass(_bytecodes[i], pd);
final Class superClass = _class[i].getSuperclass();
// Check if this is the main class
--- a/jaxp/test/javax/xml/jaxp/unittest/transform/TransformerTest.java Wed Jul 05 22:42:09 2017 +0200
+++ b/jaxp/test/javax/xml/jaxp/unittest/transform/TransformerTest.java Thu Jan 19 13:48:49 2017 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
package transform;
import static jaxp.library.JAXPTestUtilities.getSystemProperty;
+import static jaxp.library.JAXPTestUtilities.tryRunWithTmpPermission;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
@@ -217,7 +218,7 @@
* @summary Test for JDK-6272879
*/
@Test
- public final void testBug6272879() throws IOException, TransformerException {
+ public final void testBug6272879() throws Exception {
final String xsl =
"<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>" + LINE_SEPARATOR +
"<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" + LINE_SEPARATOR +
@@ -274,9 +275,11 @@
System.out.println("Result after transformation:");
System.out.println("============================");
- OutputFormat format = new OutputFormat();
- format.setIndenting(true);
- new XMLSerializer(System.out, format).serialize(document);
+ tryRunWithTmpPermission(() -> {
+ OutputFormat format = new OutputFormat();
+ format.setIndenting(true);
+ new XMLSerializer(System.out, format).serialize(document);
+ }, new RuntimePermission("accessClassInPackage.com.sun.org.apache.xml.internal.serialize"));
System.out.println();
System.out.println("Node content for element valeur2:");
@@ -529,7 +532,7 @@
}
}
- public void run() throws IOException, TransformerException {
+ public void run() throws Exception {
printSnippet("Source:", sourceXml);
printSnippet("Stylesheet:", xsl);
@@ -545,9 +548,11 @@
System.out.println("Result after transformation:");
System.out.println("============================");
- OutputFormat format = new OutputFormat();
- format.setIndenting(true);
- new XMLSerializer(System.out, format).serialize(document);
+ tryRunWithTmpPermission(() -> {
+ OutputFormat format = new OutputFormat();
+ format.setIndenting(true);
+ new XMLSerializer(System.out, format).serialize(document);
+ }, new RuntimePermission("accessClassInPackage.com.sun.org.apache.xml.internal.serialize"));
System.out.println();
checkNodeNS(document.getElementsByTagName("test1").item(0), "ns2", "ns2", null);
@@ -566,9 +571,7 @@
* definitions to reset the default namespace
*/
@Test
- public final void testBug8162598() throws IOException,
- TransformerException
- {
+ public final void testBug8162598() throws Exception {
new Test8162598().run();
}