6904691: Java Applet Trusted Methods Chaining Privilege Escalation Vulnerability
Reviewed-by: hawtin, peterz
--- a/jdk/src/share/classes/java/beans/EventHandler.java Fri Dec 18 09:09:12 2009 -0500
+++ b/jdk/src/share/classes/java/beans/EventHandler.java Tue Dec 22 17:56:58 2009 +0300
@@ -32,7 +32,6 @@
import java.security.AccessController;
import java.security.PrivilegedAction;
-import java.util.EventObject;
import sun.reflect.misc.MethodUtil;
/**
@@ -279,9 +278,9 @@
public class EventHandler implements InvocationHandler {
private Object target;
private String action;
- private String eventPropertyName;
- private String listenerMethodName;
- private AccessControlContext acc;
+ private final String eventPropertyName;
+ private final String listenerMethodName;
+ private final AccessControlContext acc = AccessController.getContext();
/**
* Creates a new <code>EventHandler</code> object;
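Review bot: `target` and `action` stay mutable while the three fields below them become `final`. The constructor hunk shows each assigned once, so unless code outside this hunk reassigns them they could be declared `private final Object target;` and `private final String action;` too. The `acc` initializer has also moved away from the constructor, so the field would benefit from a comment such as `// access control context of the code that created this handler, captured at construction`.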
@@ -310,7 +309,6 @@
*/
@ConstructorProperties({"target", "action", "eventPropertyName", "listenerMethodName"})
public EventHandler(Object target, String action, String eventPropertyName, String listenerMethodName) {
- this.acc = AccessController.getContext();
this.target = target;
this.action = action;
if (target == null) {
@@ -422,7 +420,11 @@
* @see EventHandler
*/
public Object invoke(final Object proxy, final Method method, final Object[] arguments) {
- return AccessController.doPrivileged(new PrivilegedAction() {
+ AccessControlContext acc = this.acc;
+ if ((acc == null) && (System.getSecurityManager() != null)) {
+ throw new SecurityException("AccessControlContext is not set");
+ }
+ return AccessController.doPrivileged(new PrivilegedAction<Object>() {
public Object run() {
return invokeInternal(proxy, method, arguments);
}
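Review bot: The new null check on `acc` has no comment, and because the field is `final` and initialised from `AccessController.getContext()`, a reader cannot tell when it could be null. A null context passed to `doPrivileged` adds no restriction beyond this class's own protection domain, so presumably the guard covers instances created without running the field initialiser. A comment above the `if`, such as `// a null context would not restrict doPrivileged; refuse instances built without the initializer`, would record that. The same applies to the identical check in `Statement.invoke()`. The `doPrivileged` call is closed outside this hunk, so it cannot be confirmed from here that the local `acc` is passed as its second argument.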
@@ -482,7 +484,10 @@
throw new RuntimeException(ex);
}
catch (InvocationTargetException ex) {
- throw new RuntimeException(ex.getTargetException());
+ Throwable th = ex.getTargetException();
+ throw (th instanceof RuntimeException)
+ ? (RuntimeException) th
+ : new RuntimeException(th);
}
}
return null;
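Review bot: Callers now receive the target's `RuntimeException` directly instead of wrapped, and nothing in the visible change documents that new contract. The javadoc of the public `invoke` (outside this hunk) should state it, for example `@throws RuntimeException the unchecked exception thrown by the target, or a wrapper whose cause is the checked one`. The two test updates in this commit show the kind of `getCause()` check that existing callers would need to adjust. An `Error` thrown by the target is still wrapped in `RuntimeException`; if that is not intended, `if (th instanceof Error) throw (Error) th;` ahead of the conditional would pass it through.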
--- a/jdk/src/share/classes/java/beans/Statement.java Fri Dec 18 09:09:12 2009 -0500
+++ b/jdk/src/share/classes/java/beans/Statement.java Tue Dec 22 17:56:58 2009 +0300
@@ -29,6 +29,10 @@
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import com.sun.beans.finder.ClassFinder;
import com.sun.beans.finder.ConstructorFinder;
@@ -63,9 +67,10 @@
}
};
- Object target;
- String methodName;
- Object[] arguments;
+ private final AccessControlContext acc = AccessController.getContext();
+ private final Object target;
+ private final String methodName;
+ private final Object[] arguments;
ClassLoader loader;
/**
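Review bot: `final` on `arguments` fixes the reference but not the array's contents, so a caller that keeps the array it passed in could still change the arguments after `acc` has been captured. The constructor is outside this hunk; if it stores the caller's array as is, storing `arguments.clone()` there would keep the captured context and the guarded call consistent. `getArguments()` should likewise return a copy if it currently hands out the field. `loader` stays package-private and non-final beside the newly private fields, and a short comment on why it is left open would help.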
@@ -145,6 +150,26 @@
}
Object invoke() throws Exception {
+ AccessControlContext acc = this.acc;
+ if ((acc == null) && (System.getSecurityManager() != null)) {
+ throw new SecurityException("AccessControlContext is not set");
+ }
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Object>() {
+ public Object run() throws Exception {
+ return invokeInternal();
+ }
+ },
+ acc
+ );
+ }
+ catch (PrivilegedActionException exception) {
+ throw exception.getException();
+ }
+ }
+
+ private Object invokeInternal() throws Exception {
Object target = getTarget();
String methodName = getMethodName();
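Review bot: `invokeInternal()` now holds the old body of `invoke()`, but nothing marks that it must only be reached through the `doPrivileged` wrapper. A one-line comment above it, such as `// runs under the context captured at construction; call only from invoke()`, would guard against a later direct call that skips the context. `invoke()` could also note that the effective permissions are those of this class intersected with the creator's captured context. The body of `invokeInternal()` continues outside the hunk.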
--- a/jdk/test/java/beans/EventHandler/Test6277246.java Fri Dec 18 09:09:12 2009 -0500
+++ b/jdk/test/java/beans/EventHandler/Test6277246.java Tue Dec 22 17:56:58 2009 +0300
@@ -1,5 +1,5 @@
/*
- * Copyright 2005-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -49,10 +49,10 @@
catch (NoSuchMethodException exception) {
throw new Error("unexpected exception", exception);
}
+ catch (SecurityException exception) {
+ // expected security exception
+ }
catch (RuntimeException exception) {
- if (exception.getCause() instanceof SecurityException) {
- return; // expected security exception
- }
throw new Error("unexpected exception", exception);
}
}
--- a/jdk/test/java/beans/EventHandler/Test6277266.java Fri Dec 18 09:09:12 2009 -0500
+++ b/jdk/test/java/beans/EventHandler/Test6277266.java Tue Dec 22 17:56:58 2009 +0300
@@ -1,5 +1,5 @@
/*
- * Copyright 2005-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -51,7 +51,7 @@
);
throw new Error("SecurityException expected");
} catch (InvocationTargetException exception) {
- if (exception.getCause().getCause() instanceof SecurityException){
+ if (exception.getCause() instanceof SecurityException){
return; // expected security exception
}
throw new Error("unexpected exception", exception);