8008615: Improve robustness of JMX internal APIs

Reviewed-by: dfuchs, skoivu, dholmes
2013-03-26 08:32:16 +01:00 · 2013-03-26 08:32:16 +01:00 · 62573eeab1
commit 62573eeab1
parent fb31c370c7
3 changed files with 8 additions and 3 deletions
--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java
@ -30,7 +30,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
-import java.io.StreamCorruptedException;
+import sun.reflect.misc.ReflectUtil;

 /**
 * This class deserializes an object in the context of a specific class loader.
@ -61,6 +61,7 @@ class ObjectInputStreamWithLoader extends ObjectInputStream {
            return super.resolveClass(aClass);
        } else {
            String name = aClass.getName();
+            ReflectUtil.checkPackageAccess(name);
            // Query the class loader ...
            return Class.forName(name, false, loader);
        }
--- a/jdk/src/share/classes/javax/management/MBeanServerFactory.java
+++ b/jdk/src/share/classes/javax/management/MBeanServerFactory.java
@ -34,6 +34,7 @@ import java.security.Permission;
 import java.util.ArrayList;
 import java.util.logging.Level;
 import javax.management.loading.ClassLoaderRepository;
+import sun.reflect.misc.ReflectUtil;


 /**
@ -446,7 +447,7 @@ public class MBeanServerFactory {
        }

        // No context class loader? Try with Class.forName()
-        return Class.forName(builderClassName);
+        return ReflectUtil.forName(builderClassName);
    }

    /**
--- a/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java
+++ b/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java
@ -103,6 +103,7 @@ import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.rmi.ssl.SslRMIClientSocketFactory;
 import javax.security.auth.Subject;
+import sun.reflect.misc.ReflectUtil;
 import sun.rmi.server.UnicastRef2;
 import sun.rmi.transport.LiveRef;

@ -2002,7 +2003,9 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
        @Override
        protected Class<?> resolveClass(ObjectStreamClass classDesc)
                throws IOException, ClassNotFoundException {
-            return Class.forName(classDesc.getName(), false, loader);
+            String name = classDesc.getName();
+            ReflectUtil.checkPackageAccess(name);
+            return Class.forName(name, false, loader);
        }

        private final ClassLoader loader;