OpenJDK / jigsaw / jake / jdk
changeset 16909:4702b0c8c46c
Improve permission check when locating resources in custom layers
author | alanb |
---|---|
date | Tue, 21 Jun 2016 17:01:20 +0100 |
parents | ba310e46dad4 |
children | ee3313e7eaad |
files | src/java.base/share/classes/java/lang/reflect/Module.java src/java.base/share/classes/jdk/internal/loader/Loader.java |
diffstat | 2 files changed, 27 insertions(+), 11 deletions(-) [+] |
--- a/src/java.base/share/classes/java/lang/reflect/Module.java Tue Jun 21 12:16:18 2016 +0100
+++ b/src/java.base/share/classes/java/lang/reflect/Module.java Tue Jun 21 17:01:20 2016 +0100
@@ -52,6 +52,7 @@
 import jdk.internal.loader.BuiltinClassLoader;
 import jdk.internal.loader.BootLoader;
+import jdk.internal.misc.JavaLangAccess;
 import jdk.internal.misc.JavaLangReflectModuleAccess;
 import jdk.internal.misc.SharedSecrets;
 import jdk.internal.module.ServicesCatalog;
@@ -1119,8 +1120,6 @@
 public InputStream getResourceAsStream(String name) throws IOException {
 Objects.requireNonNull(name);
- URL url = null;
-
 String mn = this.name;
 // special-case built-in class loaders to avoid URL connection
@@ -1130,10 +1129,9 @@
 return ((BuiltinClassLoader) loader).findResourceAsStream(mn, name);
 }
- // use SharedSecrets to invoke protected method
- url = SharedSecrets.getJavaLangAccess().findResource(loader, mn, name);
-
- // fallthrough to URL case
+ // locate resource in module
+ JavaLangAccess jla = SharedSecrets.getJavaLangAccess();
+ URL url = jla.findResource(loader, mn, name);
 if (url != null) {
 try {
 return url.openStream();
--- a/src/java.base/share/classes/jdk/internal/loader/Loader.java Tue Jun 21 12:16:18 2016 +0100
+++ b/src/java.base/share/classes/jdk/internal/loader/Loader.java Tue Jun 21 17:01:20 2016 +0100
@@ -299,12 +299,14 @@
 */
 @Override
 protected URL findResource(String mn, String name) throws IOException {
- ModuleReference mref = nameToModule.get(mn);
+ ModuleReference mref = (mn != null) ? nameToModule.get(mn) : null;
 if (mref == null) return null; // not defined to this class loader
+ // locate resource
+ URL url = null;
 try {
- return AccessController.doPrivileged(
+ url = AccessController.doPrivileged(
 new PrivilegedExceptionAction<URL>() {
 @Override
 public URL run() throws IOException {
@@ -316,12 +318,28 @@
 }
 return null;
 }
- }, acc);
+ });
 } catch (PrivilegedActionException pae) {
 throw (IOException) pae.getCause();
- } catch (SecurityException se) {
- return null;
 }
+
+ // check access with permissions restricted by ACC
+ if (url != null && System.getSecurityManager() != null) {
+ try {
+ URL urlToCheck = url;
+ url = AccessController.doPrivileged(
+ new PrivilegedExceptionAction<URL>() {
+ @Override
+ public URL run() throws IOException {
+ return URLClassPath.checkURL(urlToCheck);
+ }
+ }, acc);
+ } catch (PrivilegedActionException pae) {
+ url = null;
+ }
+ }
+
+ return url;
 }
 @Override
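Review bot: The new check block in the second Loader.java hunk reports every failure as "not found": `catch (PrivilegedActionException pae) { url = null; }` discards an IOException from `URLClassPath.checkURL`, while the lookup block just above rethrows the same kind of cause as IOException. With `catch (SecurityException se)` removed, the method also depends on checkURL signalling a denial by returning null; doPrivileged wraps only checked exceptions, so a SecurityException raised under `acc` would reach the caller, and checkURL's body is not visible in this diff. I would state that contract on the block, e.g. `// checkURL returns null when acc denies access; denied and missing resources both yield null`, and say there that the lookup itself now runs without `acc`, so the URL must not be returned before this check. The body of the first run() lies between the two hunks and is not shown.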