8012917: ObjectStreamClass and ObjectStreamField should be CallerSensitive aware

Reviewed-by: mchung
Chris Hegarty 2013-04-22 11:08:27 +01:00
parent 33204355fa
commit 93bfa98ac4
2 changed files with 9 additions and 22 deletions


@ -49,6 +49,8 @@ import java.util.Set;
import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap; import java.util.concurrent.ConcurrentMap;
import sun.misc.Unsafe; import sun.misc.Unsafe;
import sun.reflect.CallerSensitive;
import sun.reflect.Reflection;
import sun.reflect.ReflectionFactory; import sun.reflect.ReflectionFactory;
import sun.reflect.misc.ReflectUtil; import sun.reflect.misc.ReflectUtil;
@ -259,12 +261,13 @@ public class ObjectStreamClass implements Serializable {
* *
* @return the <code>Class</code> instance that this descriptor represents * @return the <code>Class</code> instance that this descriptor represents
*/ */
@CallerSensitive
public Class<?> forClass() { public Class<?> forClass() {
if (cl == null) { if (cl == null) {
return null; return null;
} }
ClassLoader ccl = ObjectStreamField.getCallerClassLoader(); Class<?> caller = Reflection.getCallerClass();
if (ReflectUtil.needsPackageAccessCheck(ccl, cl.getClassLoader())) { if (ReflectUtil.needsPackageAccessCheck(caller.getClassLoader(), cl.getClassLoader())) {
ReflectUtil.checkPackageAccess(cl); ReflectUtil.checkPackageAccess(cl);
} }
return cl; return cl;
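Review bot: In forClass(), `Reflection.getCallerClass()` and the loader comparison now run on every call, even when no security manager is installed, and `ReflectUtil.checkPackageAccess` is, as far as I know, a no-op in that case. Consider wrapping the block in `if (System.getSecurityManager() != null) {` so the caller lookup only runs when the package-access check can actually fire; the same applies to getType() in ObjectStreamField. A short comment above the lookup would also help, e.g. `// must be called directly from this @CallerSensitive method; moving it into a helper would no longer resolve the real caller`, because the removed getCallerClassLoader() helper documented its frame assumption and the new code does not. `caller` is dereferenced without a null check, which may matter if the method can be reached with no Java caller frame; that is an inference, not something visible here. The closing brace of forClass() lies outside the hunk.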


@ -26,6 +26,7 @@
package java.io; package java.io;
import java.lang.reflect.Field; import java.lang.reflect.Field;
import sun.reflect.CallerSensitive;
import sun.reflect.Reflection; import sun.reflect.Reflection;
import sun.reflect.misc.ReflectUtil; import sun.reflect.misc.ReflectUtil;
@ -159,32 +160,15 @@ public class ObjectStreamField
* @return a <code>Class</code> object representing the type of the * @return a <code>Class</code> object representing the type of the
* serializable field * serializable field
*/ */
@CallerSensitive
public Class<?> getType() { public Class<?> getType() {
ClassLoader ccl = getCallerClassLoader(); Class<?> caller = Reflection.getCallerClass();
if (ReflectUtil.needsPackageAccessCheck(ccl, type.getClassLoader())) { if (ReflectUtil.needsPackageAccessCheck(caller.getClassLoader(), type.getClassLoader())) {
ReflectUtil.checkPackageAccess(type); ReflectUtil.checkPackageAccess(type);
} }
return type; return type;
} }
// Returns the invoker's class loader.
// This is package private because it is accessed from ObjectStreamClass.
// NOTE: This must always be invoked when there is exactly one intervening
// frame from the core libraries on the stack between this method's
// invocation and the desired invoker. The frame count of 3 is determined
// as follows:
//
// 0: Reflection.getCallerClass
// 1: getCallerClassLoader()
// 2: ObjectStreamField.getType() or ObjectStreamClass.forClass()
// 3: the caller we want to check
//
// NOTE: copied from java.lang.ClassLoader and modified.
static ClassLoader getCallerClassLoader() {
Class caller = Reflection.getCallerClass(3);
return caller.getClassLoader();
}
/** /**
* Returns character encoding of field type. The encoding is as follows: * Returns character encoding of field type. The encoding is as follows:
* <blockquote><pre> * <blockquote><pre>