640a2afda3
Co-authored-by: Lance Andersen <lancea@openjdk.org> Co-authored-by: Weijun Wang <weijun@openjdk.org> Reviewed-by: dholmes, alanb, dfuchs, mchung, mullan, prr
/*
 * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
/* @test
 * @bug 4311940
 * @summary Verify that unauthorized ObjectOutputStream and ObjectInputStream
 *          cannot be constructed if they override security-sensitive non-final
 *          methods.
 * @build AuditStreamSubclass
 * @run main/othervm -Djava.security.manager=allow AuditStreamSubclass
 */
import java.io.*;
/**
 * Benign {@link ObjectOutputStream} subclass: it adds a constructor and
 * overrides nothing, so the test expects it to be constructible even with a
 * security manager installed.
 */
class GoodOOS1 extends ObjectOutputStream {

    /**
     * Delegates straight to {@link ObjectOutputStream#ObjectOutputStream(OutputStream)}.
     *
     * @param out the underlying stream to write to
     * @throws IOException if the superclass constructor fails
     */
    GoodOOS1(OutputStream out) throws IOException {
        super(out);
    }
}
/**
 * Second-level benign subclass: extends {@code GoodOOS1} and still overrides
 * nothing, so the test expects construction to succeed through a two-deep
 * hierarchy as well.
 */
class GoodOOS2 extends GoodOOS1 {

    /**
     * Delegates to the {@code GoodOOS1} constructor.
     *
     * @param out the underlying stream to write to
     * @throws IOException if a superclass constructor fails
     */
    GoodOOS2(OutputStream out) throws IOException {
        super(out);
    }
}
/**
 * {@link ObjectOutputStream} subclass that overrides {@code putFields()}.
 *
 * <p>The test treats this override as security-sensitive: with a security
 * manager installed and no permission granted, constructing this class is
 * expected to fail with {@link SecurityException}.
 */
class BadOOS1 extends ObjectOutputStream {

    /**
     * Delegates to the superclass constructor, which is where the subclass
     * audit is expected to reject this class.
     *
     * @param out the underlying stream to write to
     * @throws IOException if the superclass constructor fails
     */
    BadOOS1(OutputStream out) throws IOException {
        super(out);
    }

    /**
     * Stub override; its mere presence is what the test exercises.
     *
     * @return always {@code null}
     */
    @Override
    public PutField putFields() throws IOException {
        return null;
    }
}
/**
 * {@link ObjectOutputStream} subclass that overrides {@code writeUnshared}.
 *
 * <p>The test treats this override as security-sensitive: with a security
 * manager installed and no permission granted, constructing this class is
 * expected to fail with {@link SecurityException}.
 */
class BadOOS2 extends ObjectOutputStream {

    /**
     * Delegates to the superclass constructor, which is where the subclass
     * audit is expected to reject this class.
     *
     * @param out the underlying stream to write to
     * @throws IOException if the superclass constructor fails
     */
    BadOOS2(OutputStream out) throws IOException {
        super(out);
    }

    /**
     * Stub override that writes nothing; its mere presence is what the test
     * exercises.
     *
     * @param obj ignored
     */
    @Override
    public void writeUnshared(Object obj) throws IOException {
        // intentionally empty
    }
}
/**
 * Overrides {@code writeUnshared} one level below the benign
 * {@code GoodOOS1}.
 *
 * <p>The test expects construction to fail with {@link SecurityException}
 * under a security manager, i.e. an innocuous intermediate superclass must
 * not hide the override from the subclass audit.
 */
class BadOOS3 extends GoodOOS1 {

    /**
     * Delegates to the {@code GoodOOS1} constructor.
     *
     * @param out the underlying stream to write to
     * @throws IOException if a superclass constructor fails
     */
    BadOOS3(OutputStream out) throws IOException {
        super(out);
    }

    /**
     * Stub override that writes nothing; its mere presence is what the test
     * exercises.
     *
     * @param obj ignored
     */
    @Override
    public void writeUnshared(Object obj) throws IOException {
        // intentionally empty
    }
}
/**
 * Benign {@link ObjectInputStream} subclass: it adds a constructor and
 * overrides nothing, so the test expects it to be constructible even with a
 * security manager installed.
 */
class GoodOIS1 extends ObjectInputStream {

    /**
     * Delegates straight to {@link ObjectInputStream#ObjectInputStream(InputStream)}.
     *
     * @param in the underlying stream to read from
     * @throws IOException if the superclass constructor fails
     */
    GoodOIS1(InputStream in) throws IOException {
        super(in);
    }
}
/**
 * Second-level benign subclass: extends {@code GoodOIS1} and still overrides
 * nothing, so the test expects construction to succeed through a two-deep
 * hierarchy as well.
 */
class GoodOIS2 extends GoodOIS1 {

    /**
     * Delegates to the {@code GoodOIS1} constructor.
     *
     * @param in the underlying stream to read from
     * @throws IOException if a superclass constructor fails
     */
    GoodOIS2(InputStream in) throws IOException {
        super(in);
    }
}
/**
 * {@link ObjectInputStream} subclass that overrides {@code readFields()}.
 *
 * <p>The test treats this override as security-sensitive: with a security
 * manager installed and no permission granted, constructing this class is
 * expected to fail with {@link SecurityException}.
 */
class BadOIS1 extends ObjectInputStream {

    /**
     * Delegates to the superclass constructor, which is where the subclass
     * audit is expected to reject this class.
     *
     * @param in the underlying stream to read from
     * @throws IOException if the superclass constructor fails
     */
    BadOIS1(InputStream in) throws IOException {
        super(in);
    }

    /**
     * Stub override; its mere presence is what the test exercises.
     *
     * @return always {@code null}
     */
    @Override
    public GetField readFields() throws IOException, ClassNotFoundException {
        return null;
    }
}
/**
 * {@link ObjectInputStream} subclass that overrides {@code readUnshared()}.
 *
 * <p>The test treats this override as security-sensitive: with a security
 * manager installed and no permission granted, constructing this class is
 * expected to fail with {@link SecurityException}.
 */
class BadOIS2 extends ObjectInputStream {

    /**
     * Delegates to the superclass constructor, which is where the subclass
     * audit is expected to reject this class.
     *
     * @param in the underlying stream to read from
     * @throws IOException if the superclass constructor fails
     */
    BadOIS2(InputStream in) throws IOException {
        super(in);
    }

    /**
     * Stub override; its mere presence is what the test exercises.
     *
     * @return always {@code null}
     */
    @Override
    public Object readUnshared() throws IOException, ClassNotFoundException {
        return null;
    }
}
/**
 * Overrides {@code readUnshared()} one level below the benign
 * {@code GoodOIS1}.
 *
 * <p>The test expects construction to fail with {@link SecurityException}
 * under a security manager, i.e. an innocuous intermediate superclass must
 * not hide the override from the subclass audit.
 */
class BadOIS3 extends GoodOIS1 {

    /**
     * Delegates to the {@code GoodOIS1} constructor.
     *
     * @param in the underlying stream to read from
     * @throws IOException if a superclass constructor fails
     */
    BadOIS3(InputStream in) throws IOException {
        super(in);
    }

    /**
     * Stub override; its mere presence is what the test exercises.
     *
     * @return always {@code null}
     */
    @Override
    public Object readUnshared() throws IOException, ClassNotFoundException {
        return null;
    }
}
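/**
 * Test driver: under a security manager, object-stream subclasses that
 * override nothing must construct normally, while subclasses that override
 * {@code putFields}/{@code writeUnshared} (output side) or
 * {@code readFields}/{@code readUnshared} (input side) must be rejected with
 * {@link SecurityException} at construction time.
 */
public class AuditStreamSubclass {

    /**
     * Runs the positive and negative construction checks.
     *
     * @param args unused
     * @throws Exception if a benign stream cannot be constructed
     * @throws Error if a subclass that should have been rejected was
     *         constructed without a {@link SecurityException}
     */
    public static void main(String[] args) throws Exception {
        // Every negative case below expects a SecurityException, so a security
        // manager has to be in place before any subclass is constructed. The
        // @run line passes -Djava.security.manager=allow so that installing one
        // at run time is permitted on JDKs that disallow it by default.
        // NOTE(review): the test relies on the policy in effect NOT granting
        // this code the permission that authorizes such subclasses
        // (presumably SerializablePermission "enableSubclassImplementation");
        // confirm that no test policy file grants it.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }

        // Produce a valid serialization stream header so the input-stream
        // cases get past header parsing and exercise only the subclass check.
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        ObjectOutputStream oout = new ObjectOutputStream(bout);
        oout.flush();
        byte[] buf = bout.toByteArray();

        // Positive cases: any exception thrown here propagates out of main
        // and fails the test.
        new GoodOOS1(bout);
        new GoodOOS2(bout);
        new GoodOIS1(new ByteArrayInputStream(buf));
        new GoodOIS2(new ByteArrayInputStream(buf));

        // Negative cases: reaching the throw means the constructor let an
        // unauthorized override through. The message names the offending
        // class so a failure can be diagnosed from the test log alone.
        try {
            new BadOOS1(bout);
            throw new Error("BadOOS1 (overrides putFields) was constructed"
                    + " without a SecurityException");
        } catch (SecurityException expected) {
            // expected: unauthorized override rejected
        }

        try {
            new BadOOS2(bout);
            throw new Error("BadOOS2 (overrides writeUnshared) was constructed"
                    + " without a SecurityException");
        } catch (SecurityException expected) {
            // expected: unauthorized override rejected
        }

        try {
            new BadOOS3(bout);
            throw new Error("BadOOS3 (overrides writeUnshared below GoodOOS1)"
                    + " was constructed without a SecurityException");
        } catch (SecurityException expected) {
            // expected: unauthorized override rejected
        }

        try {
            new BadOIS1(new ByteArrayInputStream(buf));
            throw new Error("BadOIS1 (overrides readFields) was constructed"
                    + " without a SecurityException");
        } catch (SecurityException expected) {
            // expected: unauthorized override rejected
        }

        try {
            new BadOIS2(new ByteArrayInputStream(buf));
            throw new Error("BadOIS2 (overrides readUnshared) was constructed"
                    + " without a SecurityException");
        } catch (SecurityException expected) {
            // expected: unauthorized override rejected
        }

        try {
            new BadOIS3(new ByteArrayInputStream(buf));
            throw new Error("BadOIS3 (overrides readUnshared below GoodOIS1)"
                    + " was constructed without a SecurityException");
        } catch (SecurityException expected) {
            // expected: unauthorized override rejected
        }
    }
}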