diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java index bb08fd7c77c..6a3fd5ca305 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/activation/ORBD.java @@ -1,5 +1,4 @@ /* - * * Copyright (c) 1997, 2004, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * @@ -22,7 +21,6 @@ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. - * */ package com.sun.corba.se.impl.activation; diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java index 41dba4d9489..a368ee9d30e 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orbutil/ORBUtility.java @@ -34,21 +34,13 @@ import java.security.PermissionCollection; import java.security.Policy; import java.security.PrivilegedAction; import java.security.ProtectionDomain; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Map; -import java.util.List; -import java.util.ListIterator; -import java.util.Set; -import java.util.Map.Entry; -import java.util.Collection; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.HashMap; import java.util.HashSet; import java.util.Hashtable; import java.util.Iterator; import java.util.Enumeration; -import java.util.Properties; -import java.util.IdentityHashMap; import java.util.StringTokenizer; import java.util.NoSuchElementException; 
@@ -165,8 +157,18 @@ public final class ORBUtility { * Return default ValueHandler */ public static ValueHandler createValueHandler() { + ValueHandler vh; + try { + vh = AccessController.doPrivileged(new PrivilegedExceptionAction() { + public ValueHandler run() throws Exception { return Util.createValueHandler(); } + }); + } catch (PrivilegedActionException e) { + throw new InternalError(e.getCause()); + } + return vh; + } /** * Returns true if it was accurately determined that the remote ORB is @@ -664,7 +666,16 @@ public final class ORBUtility { * ValueHandler. */ public static byte getMaxStreamFormatVersion() { - ValueHandler vh = Util.createValueHandler(); + ValueHandler vh; + try { + vh = AccessController.doPrivileged(new PrivilegedExceptionAction() { + public ValueHandler run() throws Exception { + return Util.createValueHandler(); + } + }); + } catch (PrivilegedActionException e) { + throw new InternalError(e.getCause()); + } if (!(vh instanceof javax.rmi.CORBA.ValueHandlerMultiFormat)) return ORBConstants.STREAM_FORMAT_VERSION_1; diff --git a/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java b/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java index b8473ce31e7..03a40734ed2 100644 --- a/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java +++ b/corba/src/java.corba/share/classes/javax/rmi/CORBA/Util.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -45,6 +45,7 @@ import javax.rmi.CORBA.Tie; import java.rmi.Remote; import java.io.File; import java.io.FileInputStream; +import java.io.SerializablePermission; import java.net.MalformedURLException ; import java.security.AccessController; import java.security.PrivilegedAction; 
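Review bot: The `doPrivileged` wrapper added to `ORBUtility.createValueHandler()` needs a comment explaining why it is privileged, because it makes the `SerializablePermission("enableCustomValueHandler")` check that this same commit adds to `Util.createValueHandler()` stop at ORBUtility's frame. Callers of this public static method are therefore never checked, which looks intentional for ORB-internal use but presumably relies on access to `com.sun.corba.se.impl.orbutil` being restricted elsewhere; that is not visible here. I would add above the `try`: `// Privileged on purpose: ORB-internal callers must not need SerializablePermission("enableCustomValueHandler"); never hand this handler to untrusted code.` The Javadoc one-liner "Return default ValueHandler" could also state that no caller permission is required.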
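Review bot: The privileged block added to `getMaxStreamFormatVersion()` is a line-for-line copy of the one added to `createValueHandler()` in the same class; `ValueHandler vh = createValueHandler();` would leave a single privileged call site to audit. The `Util.createValueHandler()` signature visible in this diff declares no checked exception, so a plain `PrivilegedAction` would do and the `PrivilegedActionException` to `InternalError` path appears unreachable. A `SecurityException` from the new permission check is unchecked and propagates unwrapped either way. The method body continues past the end of the hunk.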
@@ -195,6 +196,8 @@ public class Util { */ public static ValueHandler createValueHandler() { + isCustomSerializationPermitted(); + if (utilDelegate != null) { return utilDelegate.createValueHandler(); } @@ -337,6 +340,7 @@ public class Util { // security reasons. If you know a better solution how to share this code // then remove it from PortableRemoteObject. Also in Stub.java private static Object createDelegate(String classKey) { + String className = (String) AccessController.doPrivileged(new GetPropertyAction(classKey)); if (className == null) { @@ -345,7 +349,6 @@ public class Util { className = props.getProperty(classKey); } } - if (className == null) { return new com.sun.corba.se.impl.javax.rmi.CORBA.Util(); } @@ -389,4 +392,14 @@ public class Util { new GetORBPropertiesFileAction()); } + private static void isCustomSerializationPermitted() { + SecurityManager sm = System.getSecurityManager(); + if ( sm != null) { + // check that a serialization permission has been + // set to allow the loading of the Util delegate + // which provides access to custom ValueHandler + sm.checkPermission(new SerializablePermission( + "enableCustomValueHandler")); +} + } }
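Review bot: `Util.createValueHandler()` is public API and, with the added `isCustomSerializationPermitted()` call, now throws `SecurityException` when a security manager is installed and the caller lacks the permission. The Javadoc that ends just above the hunk does not appear to be updated. I would add `@throws SecurityException if a security manager is present and the caller does not hold SerializablePermission("enableCustomValueHandler")`. Because the check sits before the `utilDelegate != null` test, it applies whether or not a delegate is set, which is worth stating in the same Javadoc. The method body continues outside the hunk.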
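Review bot: `isCustomSerializationPermitted()` reads like a boolean query, but it returns void and reports denial through the `SecurityException` thrown by `checkPermission`. A check-style name such as `checkCustomSerializationPermitted()` would match its behaviour, with the call in `createValueHandler()` renamed to match. The inline comment says the permission guards "the loading of the Util delegate", while the only visible call site is `createValueHandler()`. I would reword it to `// require SerializablePermission("enableCustomValueHandler") before handing out a ValueHandler`. The closing brace of the `if` also appears to sit at column 0.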