This is the mail archive of the
java-patches@gcc.gnu.org
mailing list for the Java project.
Patch: FYI: Classloader-related fix
- From: Tom Tromey <tromey at redhat dot com>
- To: Java Patch List <java-patches at gcc dot gnu dot org>
- Date: 21 Dec 2001 15:59:30 -0700
- Subject: Patch: FYI: Classloader-related fix
- Reply-to: tromey at redhat dot com
I'm checking this in.
ObjectInputStream and ObjectOutputStream used an incorrect security
check. This patch brings the check up to spec.
Unfortunately at some point we'll have to do an audit of the code to
make sure all the security checks are in. It probably doesn't make
sense to do that until we've implemented the features necessary to
make it actually work.
Tom
Index: ChangeLog
from Tom Tromey <tromey@redhat.com>
* java/io/ObjectInputStream.java (enableResolveObject): Use
correct security check.
* java/io/ObjectOutputStream.java (enableReplaceObject): Use
correct security check.
Index: java/io/ObjectInputStream.java
===================================================================
RCS file: /cvs/gcc/gcc/libjava/java/io/ObjectInputStream.java,v
retrieving revision 1.9
diff -u -r1.9 ObjectInputStream.java
--- java/io/ObjectInputStream.java 2001/12/09 00:17:07 1.9
+++ java/io/ObjectInputStream.java 2001/12/21 22:49:28
@@ -528,8 +528,11 @@
throws SecurityException
{
if (enable)
- if (getClass ().getClassLoader () != null)
- throw new SecurityException ("Untrusted ObjectInputStream subclass attempted to enable object resolution");
+ {
+ SecurityManager sm = System.getSecurityManager ();
+ if (sm != null)
+ sm.checkPermission (new SerializablePermission ("enableSubtitution"));
+ }
boolean old_val = this.resolveEnabled;
this.resolveEnabled = enable;
Index: java/io/ObjectOutputStream.java
===================================================================
RCS file: /cvs/gcc/gcc/libjava/java/io/ObjectOutputStream.java,v
retrieving revision 1.8
diff -u -r1.8 ObjectOutputStream.java
--- java/io/ObjectOutputStream.java 2001/01/27 06:04:29 1.8
+++ java/io/ObjectOutputStream.java 2001/12/21 22:49:29
@@ -1,5 +1,5 @@
/* ObjectOutputStream.java -- Class used to write serialized objects
- Copyright (C) 1998, 1999, 2000 Free Software Foundation, Inc.
+ Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
This file is part of GNU Classpath.
@@ -550,8 +550,11 @@
throws SecurityException
{
if (enable)
- if (getClass ().getClassLoader () != null)
- throw new SecurityException ("Untrusted ObjectOutputStream subclass attempted to enable object replacement");
+ {
+ SecurityManager sm = System.getSecurityManager ();
+ if (sm != null)
+ sm.checkPermission (new SerializablePermission ("enableSubstitution"));
+ }
boolean old_val = replacementEnabled;
replacementEnabled = enable;