changeset 16909:4702b0c8c46c

Improve permission check when locating resources in custom layers
author alanb
date Tue, 21 Jun 2016 17:01:20 +0100
parents ba310e46dad4
children ee3313e7eaad
files src/java.base/share/classes/java/lang/reflect/Module.java src/java.base/share/classes/jdk/internal/loader/Loader.java
diffstat 2 files changed, 27 insertions(+), 11 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/java/lang/reflect/Module.java	Tue Jun 21 12:16:18 2016 +0100
+++ b/src/java.base/share/classes/java/lang/reflect/Module.java	Tue Jun 21 17:01:20 2016 +0100
@@ -52,6 +52,7 @@
 
 import jdk.internal.loader.BuiltinClassLoader;
 import jdk.internal.loader.BootLoader;
+import jdk.internal.misc.JavaLangAccess;
 import jdk.internal.misc.JavaLangReflectModuleAccess;
 import jdk.internal.misc.SharedSecrets;
 import jdk.internal.module.ServicesCatalog;
@@ -1119,8 +1120,6 @@
     public InputStream getResourceAsStream(String name) throws IOException {
         Objects.requireNonNull(name);
 
-        URL url = null;
-
         String mn = this.name;
 
         // special-case built-in class loaders to avoid URL connection
@@ -1130,10 +1129,9 @@
             return ((BuiltinClassLoader) loader).findResourceAsStream(mn, name);
         }
 
-        // use SharedSecrets to invoke protected method
-        url = SharedSecrets.getJavaLangAccess().findResource(loader, mn, name);
-
-        // fallthrough to URL case
+        // locate resource in module
+        JavaLangAccess jla = SharedSecrets.getJavaLangAccess();
+        URL url = jla.findResource(loader, mn, name);
         if (url != null) {
             try {
                 return url.openStream();
--- a/src/java.base/share/classes/jdk/internal/loader/Loader.java	Tue Jun 21 12:16:18 2016 +0100
+++ b/src/java.base/share/classes/jdk/internal/loader/Loader.java	Tue Jun 21 17:01:20 2016 +0100
@@ -299,12 +299,14 @@
      */
     @Override
     protected URL findResource(String mn, String name) throws IOException {
-        ModuleReference mref = nameToModule.get(mn);
+        ModuleReference mref = (mn != null) ? nameToModule.get(mn) : null;
         if (mref == null)
             return null;   // not defined to this class loader
 
+        // locate resource
+        URL url = null;
         try {
-            return AccessController.doPrivileged(
+            url = AccessController.doPrivileged(
                 new PrivilegedExceptionAction<URL>() {
                     @Override
                     public URL run() throws IOException {
@@ -316,12 +318,28 @@
                         }
                         return null;
                     }
-                }, acc);
+                });
         } catch (PrivilegedActionException pae) {
             throw (IOException) pae.getCause();
-        } catch (SecurityException se) {
-            return null;
         }
+
+        // check access with permissions restricted by ACC
+        if (url != null && System.getSecurityManager() != null) {
+            try {
+                URL urlToCheck = url;
+                url = AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<URL>() {
+                        @Override
+                        public URL run() throws IOException {
+                            return URLClassPath.checkURL(urlToCheck);
+                        }
+                    }, acc);
+            } catch (PrivilegedActionException pae) {
+                url = null;
+            }
+        }
+
+        return url;
     }
 
     @Override