--- a/jdk/src/share/classes/java/io/ObjectInputStream.java Wed Feb 27 14:17:05 2013 -0800
+++ b/jdk/src/share/classes/java/io/ObjectInputStream.java Thu Mar 14 13:10:32 2013 +0100
@@ -41,6 +41,7 @@
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicBoolean;
import static java.io.ObjectStreamClass.processQueue;
+import sun.reflect.misc.ReflectUtil;
/**
* An ObjectInputStream deserializes primitive data and objects previously
@@ -1519,6 +1520,12 @@
}
}
+ private boolean isCustomSubclass() {
+ // Return true if this class is a custom subclass of ObjectInputStream
+ return getClass().getClassLoader()
+ != ObjectInputStream.class.getClassLoader();
+ }
+
/**
* Reads in and returns class descriptor for a dynamic proxy class. Sets
* passHandle to proxy class descriptor's assigned handle. If proxy class
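Review bot: The comment inside `isCustomSubclass()` restates the code; what a maintainer needs is the trust assumption behind it. The method compares class loaders by reference, so a subclass defined by the same loader as ObjectInputStream (the bootstrap loader, for which `getClassLoader()` returns null) is not treated as custom and skips the access checks the later hunks add, while a subclass from any other loader is. Suggest replacing the body comment with a Javadoc such as `Returns true if this stream is an instance of a subclass defined by a class loader other than the one that defined ObjectInputStream; such subclasses may override resolveClass/resolveProxyClass and so are subject to package access checks on the resolved class.`, and stating whether the boot-class-path case is intended so it is not "fixed" later.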
@@ -1548,6 +1555,15 @@
try {
if ((cl = resolveProxyClass(ifaces)) == null) {
resolveEx = new ClassNotFoundException("null class");
+ } else if (!Proxy.isProxyClass(cl)) {
+ throw new InvalidClassException("Not a proxy");
+ } else {
+ // ReflectUtil.checkProxyPackageAccess makes a test
+ // equivalent to isCustomSubclass so there's no need
+ // to condition this call to isCustomSubclass == true here.
+ ReflectUtil.checkProxyPackageAccess(
+ getClass().getClassLoader(),
+ cl.getInterfaces());
}
} catch (ClassNotFoundException ex) {
resolveEx = ex;
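Review bot: `throw new InvalidClassException("Not a proxy")` on the new else-if branch drops the offending class name, which is the one fact a reader of the exception needs; `InvalidClassException(String cname, String reason)` exists for this, so `throw new InvalidClassException(cl.getName(), "Not a proxy");` costs nothing. Also, the surrounding try catches only ClassNotFoundException, so the SecurityException that `checkProxyPackageAccess` presumably raises when access is denied propagates out of readProxyDesc (and readObject) undocumented; the method Javadoc should mention it. The enclosing readProxyDesc method starts and ends outside the hunk.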
@@ -1589,9 +1605,12 @@
Class<?> cl = null;
ClassNotFoundException resolveEx = null;
bin.setBlockDataMode(true);
+ final boolean checksRequired = isCustomSubclass();
try {
if ((cl = resolveClass(readDesc)) == null) {
resolveEx = new ClassNotFoundException("null class");
+ } else if (checksRequired) {
+ ReflectUtil.checkPackageAccess(cl);
}
} catch (ClassNotFoundException ex) {
resolveEx = ex;
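Review bot: The SecurityException that `ReflectUtil.checkPackageAccess(cl)` presumably throws when a security manager denies the package escapes the enclosing try, which catches only ClassNotFoundException, so a custom subclass now surfaces an unchecked exception from readObject() that neither this method nor readObject documents; add an `@throws SecurityException` note or a comment on the `else if (checksRequired)` branch. The proxy hunk carries a comment explaining why its check is unconditional, but this site has none explaining why the check is gated on `checksRequired`; a matching one-liner such as `// Only a subclass loaded outside the platform can override resolveClass(), so only then is the resolved class subject to the package check` would keep the two sites readable together. The enclosing readNonProxyDesc method starts and ends outside the hunk.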