8344217: Remove calls to SecurityManager and doPrivileged in java.net.DatagramSocket and java.net.NetMulticastSocket after JEP 486 integration

Reviewed-by: alanb, rriggs, jpai
Daniel Fuchs 2024-11-25 10:08:47 +00:00
parent d112f35d92
commit 519bb268a0
2 changed files with 11 additions and 119 deletions


@ -387,14 +387,9 @@ public class DatagramSocket implements java.io.Closeable {
* this socket is unknown - it may or may not be connected to the address * this socket is unknown - it may or may not be connected to the address
* that it was previously connected to. * that it was previously connected to.
* *
* <p> Care should be taken to ensure that a connected datagram socket * <p> When the socket is connected, the send method checks that the
* is not shared with untrusted code. When a socket is connected, * packet's address matches the remote address that the socket is
* {@link #receive receive} and {@link #send send} <b>will not perform * connected to. A socket connected to a multicast address may only
* any security checks</b> on incoming and outgoing packets, other than
* matching the packet's and the socket's address and port. On a send
* operation, if the packet's address is set and the packet's address
* and the socket's address do not match, an {@code IllegalArgumentException}
* will be thrown. A socket connected to a multicast address may only
* be used to send packets. Datagrams in the socket's {@linkplain * be used to send packets. Datagrams in the socket's {@linkplain
* java.net.StandardSocketOptions#SO_RCVBUF socket receive buffer}, which * java.net.StandardSocketOptions#SO_RCVBUF socket receive buffer}, which
* have not been {@linkplain #receive(DatagramPacket) received} before invoking * have not been {@linkplain #receive(DatagramPacket) received} before invoking
@ -1087,11 +1082,6 @@ public class DatagramSocket implements java.io.Closeable {
if (factory != null) { if (factory != null) {
throw new SocketException("factory already defined"); throw new SocketException("factory already defined");
} }
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkSetFactory();
}
factory = fac; factory = fac;
} }
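Review bot: The rewritten connect paragraph in the first hunk no longer tells the caller what happens when the address check fails, and it names only the address where the removed text spoke of address and port. If send still rejects a mismatching packet with an IllegalArgumentException, as the removed sentence stated, keep that in the Javadoc, for example `packet's address matches the remote address that the socket is connected to, and throws an {@code IllegalArgumentException} if it does not.` It would also help to state that an unconnected socket delivers datagrams from any sender, so callers that care about the source must check `DatagramPacket.getSocketAddress()` themselves. The Javadoc block starts and ends outside the hunk.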


@ -27,9 +27,6 @@ package java.net;
import java.io.IOException; import java.io.IOException;
import java.io.UncheckedIOException; import java.io.UncheckedIOException;
import java.nio.channels.DatagramChannel;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.Objects; import java.util.Objects;
import java.util.Set; import java.util.Set;
@ -110,16 +107,6 @@ final class NetMulticastSocket extends MulticastSocket {
checkAddress(address, "connect"); checkAddress(address, "connect");
if (isClosed()) if (isClosed())
return; return;
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
if (address.isMulticastAddress()) {
security.checkMulticast(address);
} else {
security.checkConnect(address.getHostAddress(), port);
security.checkAccept(address.getHostAddress(), port);
}
}
if (port == 0) { if (port == 0) {
throw new SocketException("Can't connect to port 0"); throw new SocketException("Can't connect to port 0");
@ -181,11 +168,7 @@ final class NetMulticastSocket extends MulticastSocket {
InetAddress iaddr = epoint.getAddress(); InetAddress iaddr = epoint.getAddress();
int port = epoint.getPort(); int port = epoint.getPort();
checkAddress(iaddr, "bind"); checkAddress(iaddr, "bind");
@SuppressWarnings("removal")
SecurityManager sec = System.getSecurityManager();
if (sec != null) {
sec.checkListen(port);
}
try { try {
getImpl().bind(port, iaddr); getImpl().bind(port, iaddr);
} catch (SocketException e) { } catch (SocketException e) {
@ -289,22 +272,7 @@ final class NetMulticastSocket extends MulticastSocket {
} }
if (packetPort < 0 || packetPort > 0xFFFF) if (packetPort < 0 || packetPort > 0xFFFF)
throw new IllegalArgumentException("port out of range: " + packetPort); throw new IllegalArgumentException("port out of range: " + packetPort);
// check the address is ok with the security manager on every send.
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
// The reason you want to synchronize on datagram packet
// is because you don't want an applet to change the address
// while you are trying to send the packet for example
// after the security check but before the send.
if (security != null) {
if (packetAddress.isMulticastAddress()) {
security.checkMulticast(packetAddress);
} else {
security.checkConnect(packetAddress.getHostAddress(),
packetPort);
}
}
if (packetPort == 0) { if (packetPort == 0) {
throw new SocketException("Can't send to port 0"); throw new SocketException("Can't send to port 0");
} }
@ -333,41 +301,13 @@ final class NetMulticastSocket extends MulticastSocket {
synchronized (p) { synchronized (p) {
if (!isBound()) if (!isBound())
bind(new InetSocketAddress(0)); bind(new InetSocketAddress(0));
if (connectState == ST_NOT_CONNECTED) {
// check the address is ok with the security manager before every recv.
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
while (true) {
int peekPort = 0;
// peek at the packet to see who it is from.
DatagramPacket peekPacket = new DatagramPacket(new byte[1], 1);
peekPort = getImpl().peekData(peekPacket);
String peekAd = peekPacket.getAddress().getHostAddress();
try {
security.checkAccept(peekAd, peekPort);
// security check succeeded - so now break
// and recv the packet.
break;
} catch (SecurityException se) {
// Throw away the offending packet by consuming
// it in a tmp buffer.
DatagramPacket tmp = new DatagramPacket(new byte[1], 1);
getImpl().receive(tmp);
// silently discard the offending packet
// and continue: unknown/malicious
// entities on nets should not make
// runtime throw security exception and
// disrupt the applet by sending random
// datagram packets.
continue;
}
} // end of while
}
}
DatagramPacket tmp = null; DatagramPacket tmp = null;
// explicitFilter may be set to 'true' at connect() time and will
// be set to 'false' in disconnect() - or when there's no more
// pending packets to filter. If explicitFilter is true,
// it means we're connected.
if (explicitFilter) { if (explicitFilter) {
assert connectState == ST_CONNECTED;
// We have to do the filtering the old fashioned way since // We have to do the filtering the old fashioned way since
// the native impl doesn't support connect or the connect // the native impl doesn't support connect or the connect
// via the impl failed, or .. "explicitFilter" may be set when // via the impl failed, or .. "explicitFilter" may be set when
@ -394,8 +334,7 @@ final class NetMulticastSocket extends MulticastSocket {
} }
} }
} }
// If the security check succeeds, or the datagram is // receive the packet
// connected then receive the packet
getImpl().receive(p); getImpl().receive(p);
if (explicitFilter && tmp == null) { if (explicitFilter && tmp == null) {
// packet was not filtered, account for it here // packet was not filtered, account for it here
@ -423,11 +362,6 @@ final class NetMulticastSocket extends MulticastSocket {
if (in.isAnyLocalAddress()) { if (in.isAnyLocalAddress()) {
in = InetAddress.anyLocalAddress(); in = InetAddress.anyLocalAddress();
} }
@SuppressWarnings("removal")
SecurityManager s = System.getSecurityManager();
if (s != null) {
s.checkConnect(in.getHostAddress(), -1);
}
} catch (Exception e) { } catch (Exception e) {
in = InetAddress.anyLocalAddress(); // "0.0.0.0" in = InetAddress.anyLocalAddress(); // "0.0.0.0"
} }
@ -691,11 +625,6 @@ final class NetMulticastSocket extends MulticastSocket {
} }
checkAddress(mcastaddr, "joinGroup"); checkAddress(mcastaddr, "joinGroup");
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkMulticast(mcastaddr);
}
if (!mcastaddr.isMulticastAddress()) { if (!mcastaddr.isMulticastAddress()) {
throw new SocketException("Not a multicast address"); throw new SocketException("Not a multicast address");
@ -722,11 +651,6 @@ final class NetMulticastSocket extends MulticastSocket {
} }
checkAddress(mcastaddr, "leaveGroup"); checkAddress(mcastaddr, "leaveGroup");
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkMulticast(mcastaddr);
}
if (!mcastaddr.isMulticastAddress()) { if (!mcastaddr.isMulticastAddress()) {
throw new SocketException("Not a multicast address"); throw new SocketException("Not a multicast address");
@ -745,11 +669,6 @@ final class NetMulticastSocket extends MulticastSocket {
throw new IllegalArgumentException("Unsupported address type"); throw new IllegalArgumentException("Unsupported address type");
checkAddress(addr.getAddress(), "joinGroup"); checkAddress(addr.getAddress(), "joinGroup");
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkMulticast(addr.getAddress());
}
if (!addr.getAddress().isMulticastAddress()) { if (!addr.getAddress().isMulticastAddress()) {
throw new SocketException("Not a multicast address"); throw new SocketException("Not a multicast address");
@ -768,11 +687,6 @@ final class NetMulticastSocket extends MulticastSocket {
throw new IllegalArgumentException("Unsupported address type"); throw new IllegalArgumentException("Unsupported address type");
checkAddress(addr.getAddress(), "leaveGroup"); checkAddress(addr.getAddress(), "leaveGroup");
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkMulticast(addr.getAddress());
}
if (!addr.getAddress().isMulticastAddress()) { if (!addr.getAddress().isMulticastAddress()) {
throw new SocketException("Not a multicast address"); throw new SocketException("Not a multicast address");
@ -893,22 +807,10 @@ final class NetMulticastSocket extends MulticastSocket {
synchronized(p) { synchronized(p) {
InetAddress packetAddress = p.getAddress(); InetAddress packetAddress = p.getAddress();
checkAddress(packetAddress, "send"); checkAddress(packetAddress, "send");
if (connectState == NetMulticastSocket.ST_NOT_CONNECTED) { if (connectState == ST_NOT_CONNECTED) {
if (packetAddress == null) { if (packetAddress == null) {
throw new IllegalArgumentException("Address not set"); throw new IllegalArgumentException("Address not set");
} }
// Security manager makes sure that the multicast address
// is allowed one and that the ttl used is less
// than the allowed maxttl.
SecurityManager security = System.getSecurityManager();
if (security != null) {
if (packetAddress.isMulticastAddress()) {
security.checkMulticast(packetAddress, ttl);
} else {
security.checkConnect(packetAddress.getHostAddress(),
p.getPort());
}
}
} else { } else {
// we're connected // we're connected
if (packetAddress == null) { if (packetAddress == null) {
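Review bot: The hunk at `-289` deletes the only comment that explained why send synchronizes on the packet, and the `synchronized(p)` visible in the last hunk carries no explanation either. The removed text tied the lock to the security-manager check, but the lock presumably still keeps another thread from changing the packet's address or port between `checkAddress`, the port and connected-address checks, and the actual send. I would leave a short replacement such as `// lock the packet so its address and port cannot change between the checks and the send`, so that a later cleanup does not drop the lock as leftover security-manager code. Both send methods start and end outside the hunks shown.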