7162473: ConstructorFinder/FieldFinder/MethodFinder gives access to restricted classes
Reviewed-by: art, ahgross
--- a/jdk/src/share/classes/com/sun/beans/finder/ConstructorFinder.java Wed Jul 05 18:20:34 2017 +0200
+++ b/jdk/src/share/classes/com/sun/beans/finder/ConstructorFinder.java Fri Jun 15 21:01:55 2012 +0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,8 @@
import java.lang.reflect.Constructor;
import java.lang.reflect.Modifier;
+import static sun.reflect.misc.ReflectUtil.isPackageAccessible;
+
/**
* This utility class provides {@code static} methods
* to find a public constructor with specified parameter types
@@ -61,7 +63,7 @@
if (Modifier.isAbstract(type.getModifiers())) {
throw new NoSuchMethodException("Abstract class cannot be instantiated");
}
- if (!Modifier.isPublic(type.getModifiers())) {
+ if (!Modifier.isPublic(type.getModifiers()) || !isPackageAccessible(type)) {
throw new NoSuchMethodException("Class is not accessible");
}
PrimitiveWrapperMap.replacePrimitivesWithWrappers(args);
--- a/jdk/src/share/classes/com/sun/beans/finder/FieldFinder.java Wed Jul 05 18:20:34 2017 +0200
+++ b/jdk/src/share/classes/com/sun/beans/finder/FieldFinder.java Fri Jun 15 21:01:55 2012 +0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,8 @@
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
+import static sun.reflect.misc.ReflectUtil.isPackageAccessible;
+
/**
* This utility class provides {@code static} methods
* to find a public field with specified name
@@ -56,7 +58,8 @@
if (!Modifier.isPublic(field.getModifiers())) {
throw new NoSuchFieldException("Field '" + name + "' is not public");
}
- if (!Modifier.isPublic(field.getDeclaringClass().getModifiers())) {
+ type = field.getDeclaringClass();
+ if (!Modifier.isPublic(type.getModifiers()) || !isPackageAccessible(type)) {
throw new NoSuchFieldException("Field '" + name + "' is not accessible");
}
return field;
--- a/jdk/src/share/classes/com/sun/beans/finder/MethodFinder.java Wed Jul 05 18:20:34 2017 +0200
+++ b/jdk/src/share/classes/com/sun/beans/finder/MethodFinder.java Fri Jun 15 21:01:55 2012 +0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,8 @@
import java.lang.reflect.Type;
import java.util.Arrays;
+import static sun.reflect.misc.ReflectUtil.isPackageAccessible;
+
/**
* This utility class provides {@code static} methods
* to find a public method with specified name and parameter types
@@ -120,7 +122,7 @@
*/
public static Method findAccessibleMethod(Method method) throws NoSuchMethodException {
Class<?> type = method.getDeclaringClass();
- if (Modifier.isPublic(type.getModifiers())) {
+ if (Modifier.isPublic(type.getModifiers()) && isPackageAccessible(type)) {
return method;
}
if (Modifier.isStatic(method.getModifiers())) {