8008615: Improve robustness of JMX internal APIs
Reviewed-by: dfuchs, skoivu, dholmes
This commit is contained in:
Shanliang Jiang
parent
fb31c370c7
commit
62573eeab1
@ -30,7 +30,7 @@ import java.io.IOException;
|
|||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.io.ObjectInputStream;
|
import java.io.ObjectInputStream;
|
||||||
import java.io.ObjectStreamClass;
|
import java.io.ObjectStreamClass;
|
||||||
import java.io.StreamCorruptedException;
|
import sun.reflect.misc.ReflectUtil;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class deserializes an object in the context of a specific class loader.
|
* This class deserializes an object in the context of a specific class loader.
|
||||||
@ -61,6 +61,7 @@ class ObjectInputStreamWithLoader extends ObjectInputStream {
|
|||||||
return super.resolveClass(aClass);
|
return super.resolveClass(aClass);
|
||||||
} else {
|
} else {
|
||||||
String name = aClass.getName();
|
String name = aClass.getName();
|
||||||
|
ReflectUtil.checkPackageAccess(name);
|
||||||
// Query the class loader ...
|
// Query the class loader ...
|
||||||
return Class.forName(name, false, loader);
|
return Class.forName(name, false, loader);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -34,6 +34,7 @@ import java.security.Permission;
|
|||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.logging.Level;
|
import java.util.logging.Level;
|
||||||
import javax.management.loading.ClassLoaderRepository;
|
import javax.management.loading.ClassLoaderRepository;
|
||||||
|
import sun.reflect.misc.ReflectUtil;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -446,7 +447,7 @@ public class MBeanServerFactory {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// No context class loader? Try with Class.forName()
|
// No context class loader? Try with Class.forName()
|
||||||
return Class.forName(builderClassName);
|
return ReflectUtil.forName(builderClassName);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@ -103,6 +103,7 @@ import javax.naming.InitialContext;
|
|||||||
import javax.naming.NamingException;
|
import javax.naming.NamingException;
|
||||||
import javax.rmi.ssl.SslRMIClientSocketFactory;
|
import javax.rmi.ssl.SslRMIClientSocketFactory;
|
||||||
import javax.security.auth.Subject;
|
import javax.security.auth.Subject;
|
||||||
|
import sun.reflect.misc.ReflectUtil;
|
||||||
import sun.rmi.server.UnicastRef2;
|
import sun.rmi.server.UnicastRef2;
|
||||||
import sun.rmi.transport.LiveRef;
|
import sun.rmi.transport.LiveRef;
|
||||||
|
|
||||||
@ -2002,7 +2003,9 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
|
|||||||
@Override
|
@Override
|
||||||
protected Class<?> resolveClass(ObjectStreamClass classDesc)
|
protected Class<?> resolveClass(ObjectStreamClass classDesc)
|
||||||
throws IOException, ClassNotFoundException {
|
throws IOException, ClassNotFoundException {
|
||||||
return Class.forName(classDesc.getName(), false, loader);
|
String name = classDesc.getName();
|
||||||
|
ReflectUtil.checkPackageAccess(name);
|
||||||
|
return Class.forName(name, false, loader);
|
||||||
}
|
}
|
||||||
|
|
||||||
private final ClassLoader loader;
|
private final ClassLoader loader;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user