Patch: FYI: PR 11737 fix
Tom Tromey
tromey@redhat.com
Fri Aug 1 03:34:00 GMT 2003
I'm checking this in on the trunk.
My recent security patch changed Method to actually check accesses.
This revealed a bug in our serialization implementation; it doesn't
correctly enable access to private methods and fields.
Fixed as appended.
Tom
Index: ChangeLog
from Tom Tromey <tromey@redhat.com>
Fix for PR libgcj/11737:
* java/io/ObjectOutputStream.java (getMethod): Make method
accessible.
(getField): Likewise.
(writeObject): Use getMethod.
Import PrivilegedAction and AccessController.
(callWriteMethod): Don't check whether m is null. Catch
NoSuchMethodException.
Index: java/io/ObjectOutputStream.java
===================================================================
RCS file: /cvs/gcc/gcc/libjava/java/io/ObjectOutputStream.java,v
retrieving revision 1.17
diff -u -r1.17 ObjectOutputStream.java
--- java/io/ObjectOutputStream.java 9 Jul 2003 10:52:26 -0000 1.17
+++ java/io/ObjectOutputStream.java 1 Aug 2003 02:57:02 -0000
@@ -42,6 +42,8 @@
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.InvocationTargetException;
+import java.security.PrivilegedAction;
+import java.security.AccessController;
import java.util.Hashtable;
import gnu.java.io.ObjectIdentityWrapper;
@@ -240,10 +242,11 @@
try
{
Class classArgs[] = {};
- m = obj.getClass ().getDeclaredMethod ("writeReplace",
- classArgs);
- // m can't be null by definition since an exception would
- // have been thrown so a check for null is not needed.
+ m = getMethod(obj.getClass(), "writeReplace",
+ classArgs);
+ // m can't be null by definition since an
+ // exception would have been thrown so a check
+ // for null is not needed.
obj = m.invoke (obj, new Object[] {});
}
catch (NoSuchMethodException ignore)
@@ -993,7 +996,8 @@
private void checkType (ObjectStreamField field, char type)
throws IllegalArgumentException
{
- if (TypeSignature.getEncodingOfClass (field.getType ()).charAt (0) != type)
+ if (TypeSignature.getEncodingOfClass (field.getType ()).charAt (0)
+ != type)
throw new IllegalArgumentException ();
}
};
@@ -1200,11 +1204,13 @@
{
Class classArgs[] = {ObjectOutputStream.class};
Method m = getMethod (klass, "writeObject", classArgs);
- if (m == null)
- return;
Object args[] = {this};
m.invoke (obj, args);
}
+ catch (NoSuchMethodException nsme)
+ {
+ // Nothing.
+ }
catch (InvocationTargetException x)
{
/* Rethrow if possible. */
@@ -1239,7 +1245,8 @@
}
}
- private byte getByteField (Object obj, Class klass, String field_name) throws IOException
+ private byte getByteField (Object obj, Class klass, String field_name)
+ throws IOException
{
try
{
@@ -1253,7 +1260,8 @@
}
}
- private char getCharField (Object obj, Class klass, String field_name) throws IOException
+ private char getCharField (Object obj, Class klass, String field_name)
+ throws IOException
{
try
{
@@ -1297,7 +1305,8 @@
}
}
- private int getIntField (Object obj, Class klass, String field_name) throws IOException
+ private int getIntField (Object obj, Class klass, String field_name)
+ throws IOException
{
try
{
@@ -1311,7 +1320,8 @@
}
}
- private long getLongField (Object obj, Class klass, String field_name) throws IOException
+ private long getLongField (Object obj, Class klass, String field_name)
+ throws IOException
{
try
{
@@ -1359,13 +1369,31 @@
private static Field getField (Class klass, String name)
throws java.lang.NoSuchFieldException
{
- return klass.getDeclaredField(name);
+ final Field f = klass.getDeclaredField(name);
+ AccessController.doPrivileged(new PrivilegedAction()
+ {
+ public Object run()
+ {
+ f.setAccessible(true);
+ return null;
+ }
+ });
+ return f;
}
private static Method getMethod (Class klass, String name, Class[] args)
throws java.lang.NoSuchMethodException
{
- return klass.getDeclaredMethod(name, args);
+ final Method m = klass.getDeclaredMethod(name, args);
+ AccessController.doPrivileged(new PrivilegedAction()
+ {
+ public Object run()
+ {
+ m.setAccessible(true);
+ return null;
+ }
+ });
+ return m;
}
// this value comes from 1.2 spec, but is used in 1.1 as well
More information about the Java-patches
mailing list