Merge
authoramurillo
Thu, 21 Jul 2016 17:14:44 +0000
changeset 39786 b8b5fb06fb1a
parent 39783 c3365f0d4a43 (current diff)
parent 39785 a774841b7692 (diff)
child 39787 f92c7b26dcf5
Merge
--- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java	Thu Jul 21 16:42:57 2016 +0000
+++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java	Thu Jul 21 17:14:44 2016 +0000
@@ -1,5 +1,4 @@
 /*
- *
  * Copyright (c) 1997, 2004, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -22,7 +21,6 @@
  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  * or visit www.oracle.com if you need additional information or have any
  * questions.
- *
  */
 
 package com.sun.corba.se.impl.activation;
--- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java	Thu Jul 21 16:42:57 2016 +0000
+++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java	Thu Jul 21 17:14:44 2016 +0000
@@ -34,21 +34,13 @@
 import java.security.Policy;
 import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Map;
-import java.util.List;
-import java.util.ListIterator;
-import java.util.Set;
-import java.util.Map.Entry;
-import java.util.Collection;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.Enumeration;
-import java.util.Properties;
-import java.util.IdentityHashMap;
 import java.util.StringTokenizer;
 import java.util.NoSuchElementException;
 
@@ -165,8 +157,18 @@
      * Return default ValueHandler
      */
     public static ValueHandler createValueHandler() {
+        ValueHandler vh;
+        try {
+            vh = AccessController.doPrivileged(new PrivilegedExceptionAction<ValueHandler>() {
+                public ValueHandler run() throws Exception {
         return Util.createValueHandler();
     }
+            });
+        } catch (PrivilegedActionException e) {
+            throw new InternalError(e.getCause());
+        }
+        return vh;
+    }
 
     /**
      * Returns true if it was accurately determined that the remote ORB is
@@ -664,7 +666,16 @@
      * ValueHandler.
      */
     public static byte getMaxStreamFormatVersion() {
-        ValueHandler vh = Util.createValueHandler();
+        ValueHandler vh;
+        try {
+            vh = AccessController.doPrivileged(new PrivilegedExceptionAction<ValueHandler>() {
+                public ValueHandler run() throws Exception {
+                    return Util.createValueHandler();
+                }
+            });
+        } catch (PrivilegedActionException e) {
+            throw new InternalError(e.getCause());
+        }
 
         if (!(vh instanceof javax.rmi.CORBA.ValueHandlerMultiFormat))
             return ORBConstants.STREAM_FORMAT_VERSION_1;
--- a/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java	Thu Jul 21 16:42:57 2016 +0000
+++ b/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java	Thu Jul 21 17:14:44 2016 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,6 +45,7 @@
 import java.rmi.Remote;
 import java.io.File;
 import java.io.FileInputStream;
+import java.io.SerializablePermission;
 import java.net.MalformedURLException ;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
@@ -195,6 +196,8 @@
      */
     public static ValueHandler createValueHandler() {
 
+        isCustomSerializationPermitted();
+
         if (utilDelegate != null) {
             return utilDelegate.createValueHandler();
         }
@@ -337,6 +340,7 @@
     // security reasons. If you know a better solution how to share this code
     // then remove it from PortableRemoteObject. Also in Stub.java
     private static Object createDelegate(String classKey) {
+
         String className = (String)
             AccessController.doPrivileged(new GetPropertyAction(classKey));
         if (className == null) {
@@ -345,7 +349,6 @@
                 className = props.getProperty(classKey);
             }
         }
-
         if (className == null) {
             return new com.sun.corba.se.impl.javax.rmi.CORBA.Util();
         }
@@ -389,4 +392,14 @@
             new GetORBPropertiesFileAction());
     }
 
+    private static void isCustomSerializationPermitted() {
+        SecurityManager sm = System.getSecurityManager();
+        if ( sm != null) {
+            // check that a serialization permission has been
+            // set to allow the loading of the Util delegate
+            // which provides access to custom ValueHandler
+            sm.checkPermission(new SerializablePermission(
+                    "enableCustomValueHandler"));
 }
+    }
+}