6686215: Some mutables not defensively copied when deserializing java.security.CodeSource & Timestamp objects
Reviewed-by: mullan
--- a/jdk/src/share/classes/java/security/CodeSource.java Mon Mar 14 09:05:06 2011 -0700
+++ b/jdk/src/share/classes/java/security/CodeSource.java Mon Mar 14 17:50:52 2011 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -578,7 +578,7 @@
// Deserialize array of code signers (if any)
try {
- this.signers = (CodeSigner[])ois.readObject();
+ this.signers = ((CodeSigner[])ois.readObject()).clone();
} catch (IOException ioe) {
// no signers present
}
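Review bot: The new `.clone()` is invoked directly on the result of `ois.readObject()`, so a stream that carries a null in the signers position would now fail with a NullPointerException, where the old line simply left `signers` null. Reading into a local and copying only when it is non-null keeps the earlier behaviour: `CodeSigner[] read = (CodeSigner[]) ois.readObject();` then `this.signers = (read == null) ? null : read.clone();`. The Timestamp.java hunk has the same shape, calling `timestamp.getTime()` on a deserialized field with no null check; there, rejecting the stream with an `InvalidObjectException` before the copy would be the conventional handling. The enclosing method starts and ends outside this hunk, so any validation done elsewhere in it is not visible here.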
--- a/jdk/src/share/classes/java/security/Timestamp.java Mon Mar 14 09:05:06 2011 -0700
+++ b/jdk/src/share/classes/java/security/Timestamp.java Mon Mar 14 17:50:52 2011 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -157,7 +157,8 @@
// Explicitly reset hash code value to -1
private void readObject(ObjectInputStream ois)
throws IOException, ClassNotFoundException {
- ois.defaultReadObject();
- myhash = -1;
+ ois.defaultReadObject();
+ myhash = -1;
+ timestamp = new Date(timestamp.getTime());
}
}
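Review bot: The comment above `readObject` still reads "Explicitly reset hash code value to -1", but the method now also replaces `timestamp` with a private copy, which is the security-relevant part of this change and is left undocumented. I would extend the comment to something like `// Reset the cached hash code and defensively copy the mutable Date so no reference held by the stream's creator is shared`. `signerCertPath` is restored by `defaultReadObject()` without a copy. That is presumably safe if CertPath instances are immutable, and a short comment saying so would tell the next reader the omission is deliberate.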