RFC: backport S7102369
Dr Andrew John Hughes
ahughes at redhat.com
Mon Dec 12 14:41:37 PST 2011
On 14:04 Mon 12 Dec , Omair Majid wrote:
> Hi,
>
> I would like to backport the fix for S7102369 to icedtea6.
>
> The fix is already in jdk6, but missed the jdk6b24 cutoff:
> http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/6b46f3c7c97c
>
> This fixes a regression caused by the recent security update that
> requires rmiregistry to be started with java.rmi.server.codebase
> property set. Additional details can be found in this bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=751203
>
> The patch for HEAD is attached. If no one has any objections, I will
> prepare patches for 1.9 and 1.10 as well.
>
> ChangeLog:
> 2011-12-12 Omair Majid <omajid at redhat.com>
>
> S7102369, S7094468: remove java.rmi.server.codebase property
> parsing from rmiregistry
> * patches/openjdk/7102369-7094468-rmiregistry.patch: New file.
> Backport from OpenJDK6.
> * Makefile.am (ICEDTEA_PATCHES): Apply the patch.
>
> Any thoughts or comments?
>
This one was on my own backport TODO list after it was posted to OpenJDK6,
so thanks for handling it. I don't like that the patch includes a lot of
unnecessary changes to generics but as this is in the original OpenJDK6
patch, I guess we're stuck with it.
Is there any reason you're not considering 1.8? It's still supported at present.
> Thanks,
> Omair
> diff -r d6cf8b242032 Makefile.am
> --- a/Makefile.am Mon Dec 12 12:46:59 2011 -0500
> +++ b/Makefile.am Mon Dec 12 13:58:27 2011 -0500
> @@ -397,7 +397,8 @@
> patches/openjdk/6296893-BMP_Writer_handles_TopDown_prop_incorrectly.patch \
> patches/openjdk/7103224-glibc_name_collision.patch \
> patches/arm-debug.patch \
> - patches/openjdk/683768-System-tray-icon.patch
> + patches/openjdk/683768-System-tray-icon.patch \
> + patches/openjdk/7102369-7094468-rmiregistry.patch
>
> if WITH_RHINO
> ICEDTEA_PATCHES += \
> diff -r d6cf8b242032 patches/openjdk/7102369-7094468-rmiregistry.patch
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++ b/patches/openjdk/7102369-7094468-rmiregistry.patch Mon Dec 12 13:58:27 2011 -0500
> @@ -0,0 +1,473 @@
> +# HG changeset patch
> +# User coffeys
> +# Date 1321449297 0
> +# Node ID 6b46f3c7c97cb060f88b196171b95d33bff80b7c
> +# Parent 020dcd6d69ac9406809aabe8888a0b8d52912e7f
> +7102369: remove java.rmi.server.codebase property parsing from registyimpl
> +7094468: rmiregistry clean up
> +Reviewed-by: smarks
> +
> +diff -r 020dcd6d69ac -r 6b46f3c7c97c src/share/classes/sun/rmi/registry/RegistryImpl.java
> +--- openjdk/jdk/src/share/classes/sun/rmi/registry/RegistryImpl.java Tue Nov 15 16:44:14 2011 -0800
> ++++ openjdk/jdk/src/share/classes/sun/rmi/registry/RegistryImpl.java Wed Nov 16 13:14:57 2011 +0000
> +@@ -29,6 +29,7 @@
> + import java.util.Hashtable;
> + import java.util.MissingResourceException;
> + import java.util.ResourceBundle;
> ++import java.io.FilePermission;
> + import java.io.IOException;
> + import java.net.*;
> + import java.rmi.*;
> +@@ -41,12 +42,12 @@
> + import java.security.AccessControlContext;
> + import java.security.AccessController;
> + import java.security.CodeSource;
> +-import java.security.Policy;
> ++import java.security.Policy;
> + import java.security.PrivilegedActionException;
> + import java.security.PrivilegedExceptionAction;
> + import java.security.PermissionCollection;
> + import java.security.Permissions;
> +-import java.security.ProtectionDomain;
> ++import java.security.ProtectionDomain;
> + import java.text.MessageFormat;
> + import sun.rmi.server.LoaderHandler;
> + import sun.rmi.server.UnicastServerRef;
> +@@ -54,7 +55,6 @@
> + import sun.rmi.transport.LiveRef;
> + import sun.rmi.transport.ObjectTable;
> + import sun.rmi.transport.Target;
> +-import sun.security.action.GetPropertyAction;
> +
> + /**
> + * A "registry" exists on every node that allows RMI connections to
> +@@ -76,8 +76,10 @@
> +
> + /* indicate compatibility with JDK 1.1.x version of class */
> + private static final long serialVersionUID = 4666870661827494597L;
> +- private Hashtable bindings = new Hashtable(101);
> +- private static Hashtable allowedAccessCache = new Hashtable(3);
> ++ private Hashtable<String, Remote> bindings
> ++ = new Hashtable<String, Remote>(101);
> ++ private static Hashtable<InetAddress, InetAddress> allowedAccessCache
> ++ = new Hashtable<InetAddress, InetAddress>(3);
> + private static RegistryImpl registry;
> + private static ObjID id = new ObjID(ObjID.REGISTRY_ID);
> +
> +@@ -129,7 +131,7 @@
> + throws RemoteException, NotBoundException
> + {
> + synchronized (bindings) {
> +- Remote obj = (Remote)bindings.get(name);
> ++ Remote obj = bindings.get(name);
> + if (obj == null)
> + throw new NotBoundException(name);
> + return obj;
> +@@ -146,7 +148,7 @@
> + {
> + checkAccess("Registry.bind");
> + synchronized (bindings) {
> +- Remote curr = (Remote)bindings.get(name);
> ++ Remote curr = bindings.get(name);
> + if (curr != null)
> + throw new AlreadyBoundException(name);
> + bindings.put(name, obj);
> +@@ -163,7 +165,7 @@
> + {
> + checkAccess("Registry.unbind");
> + synchronized (bindings) {
> +- Remote obj = (Remote)bindings.get(name);
> ++ Remote obj = bindings.get(name);
> + if (obj == null)
> + throw new NotBoundException(name);
> + bindings.remove(name);
> +@@ -213,10 +215,9 @@
> + InetAddress clientHost;
> +
> + try {
> +- clientHost = (InetAddress)
> +- java.security.AccessController.doPrivileged(
> +- new java.security.PrivilegedExceptionAction() {
> +- public Object run()
> ++ clientHost = java.security.AccessController.doPrivileged(
> ++ new java.security.PrivilegedExceptionAction<InetAddress>() {
> ++ public InetAddress run()
> + throws java.net.UnknownHostException
> + {
> + return InetAddress.getByName(clientHostName);
> +@@ -238,8 +239,8 @@
> + final InetAddress finalClientHost = clientHost;
> +
> + java.security.AccessController.doPrivileged(
> +- new java.security.PrivilegedExceptionAction() {
> +- public Object run() throws java.io.IOException {
> ++ new java.security.PrivilegedExceptionAction<Void>() {
> ++ public Void run() throws java.io.IOException {
> + /*
> + * if a ServerSocket can be bound to the client's
> + * address then that address must be local
> +@@ -334,19 +335,6 @@
> + URL[] urls = sun.misc.URLClassPath.pathToURLs(envcp);
> + ClassLoader cl = new URLClassLoader(urls);
> +
> +- String codebaseProperty = null;
> +- String prop = java.security.AccessController.doPrivileged(
> +- new GetPropertyAction("java.rmi.server.codebase"));
> +- if (prop != null && prop.trim().length() > 0) {
> +- codebaseProperty = prop;
> +- }
> +- URL[] codebaseURLs = null;
> +- if (codebaseProperty != null) {
> +- codebaseURLs = sun.misc.URLClassPath.pathToURLs(codebaseProperty);
> +- } else {
> +- codebaseURLs = new URL[0];
> +- }
> +-
> + /*
> + * Fix bugid 4242317: Classes defined by this class loader should
> + * be annotated with the value of the "java.rmi.server.codebase"
> +@@ -364,7 +352,7 @@
> + public RegistryImpl run() throws RemoteException {
> + return new RegistryImpl(regPort);
> + }
> +- }, getAccessControlContext(codebaseURLs));
> ++ }, getAccessControlContext());
> + } catch (PrivilegedActionException ex) {
> + throw (RemoteException) ex.getException();
> + }
> +@@ -390,11 +378,11 @@
> + }
> +
> + /**
> +- * Generates an AccessControlContext from several URLs.
> ++ * Generates an AccessControlContext with minimal permissions.
> + * The approach used here is taken from the similar method
> + * getAccessControlContext() in the sun.applet.AppletPanel class.
> + */
> +- private static AccessControlContext getAccessControlContext(URL[] urls) {
> ++ private static AccessControlContext getAccessControlContext() {
> + // begin with permissions granted to all code in current policy
> + PermissionCollection perms = AccessController.doPrivileged(
> + new java.security.PrivilegedAction<PermissionCollection>() {
> +@@ -419,17 +407,15 @@
> +
> + perms.add(new RuntimePermission("accessClassInPackage.sun.*"));
> +
> +- // add permissions required to load from codebase URL path
> +- LoaderHandler.addPermissionsForURLs(urls, perms, false);
> ++ perms.add(new FilePermission("<<ALL FILES>>", "read"));
> +
> + /*
> + * Create an AccessControlContext that consists of a single
> + * protection domain with only the permissions calculated above.
> + */
> + ProtectionDomain pd = new ProtectionDomain(
> +- new CodeSource((urls.length > 0 ? urls[0] : null),
> +- (java.security.cert.Certificate[]) null),
> +- perms);
> ++ new CodeSource(null,
> ++ (java.security.cert.Certificate[]) null), perms);
> + return new AccessControlContext(new ProtectionDomain[] { pd });
> + }
> + }
> +diff -r 020dcd6d69ac -r 6b46f3c7c97c src/share/classes/sun/rmi/server/LoaderHandler.java
> +--- openjdk/jdk/src/share/classes/sun/rmi/server/LoaderHandler.java Tue Nov 15 16:44:14 2011 -0800
> ++++ openjdk/jdk/src/share/classes/sun/rmi/server/LoaderHandler.java Wed Nov 16 13:14:57 2011 +0000
> +@@ -1028,7 +1028,7 @@
> + * loader. A given permission is only added to the collection if
> + * it is not already implied by the collection.
> + */
> +- public static void addPermissionsForURLs(URL[] urls,
> ++ private static void addPermissionsForURLs(URL[] urls,
> + PermissionCollection perms,
> + boolean forLoader)
> + {
> +diff -r 020dcd6d69ac -r 6b46f3c7c97c test/java/rmi/registry/readTest/readTest.java
> +--- /dev/null Thu Jan 01 00:00:00 1970 +0000
> ++++ openjdk/jdk/test/java/rmi/registry/readTest/readTest.java Wed Nov 16 13:14:57 2011 +0000
> +@@ -0,0 +1,59 @@
> ++/*
> ++ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
> ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
> ++ *
> ++ * This code is free software; you can redistribute it and/or modify it
> ++ * under the terms of the GNU General Public License version 2 only, as
> ++ * published by the Free Software Foundation.
> ++ *
> ++ * This code is distributed in the hope that it will be useful, but WITHOUT
> ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> ++ * version 2 for more details (a copy is included in the LICENSE file that
> ++ * accompanied this code).
> ++ *
> ++ * You should have received a copy of the GNU General Public License version
> ++ * 2 along with this work; if not, write to the Free Software Foundation,
> ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
> ++ *
> ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
> ++ * or visit www.oracle.com if you need additional information or have any
> ++ * questions.
> ++ */
> ++
> ++import java.rmi.registry.Registry;
> ++import java.rmi.registry.LocateRegistry;
> ++import java.rmi.RemoteException;
> ++import java.rmi.server.UnicastRemoteObject;
> ++
> ++
> ++public class readTest {
> ++
> ++ public static void main(String args[]) throws Exception {
> ++ int port = 7491;
> ++ try {
> ++ testPkg.Server obj = new testPkg.Server();
> ++ testPkg.Hello stub = (testPkg.Hello) UnicastRemoteObject.exportObject(obj, 0);
> ++ // Bind the remote object's stub in the registry
> ++ Registry registry = LocateRegistry.getRegistry(port);
> ++ registry.bind("Hello", stub);
> ++
> ++ System.err.println("Server ready");
> ++
> ++ // now, let's test client
> ++ testPkg.Client client = new testPkg.Client(port);
> ++ String testStubReturn = client.testStub();
> ++ if(!testStubReturn.equals(obj.hello)) {
> ++ throw new RuntimeException("Test Fails : unexpected string from stub call");
> ++ } else {
> ++ System.out.println("Test passed");
> ++ }
> ++ registry.unbind("Hello");
> ++
> ++ } catch (Exception e) {
> ++ System.err.println("Server exception: " + e.toString());
> ++ e.printStackTrace();
> ++ }
> ++
> ++ }
> ++}
> +diff -r 020dcd6d69ac -r 6b46f3c7c97c test/java/rmi/registry/readTest/readTest.sh
> +--- /dev/null Thu Jan 01 00:00:00 1970 +0000
> ++++ openjdk/jdk/test/java/rmi/registry/readTest/readTest.sh Wed Nov 16 13:14:57 2011 +0000
> +@@ -0,0 +1,95 @@
> ++#
> ++# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
> ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
> ++#
> ++# This code is free software; you can redistribute it and/or modify it
> ++# under the terms of the GNU General Public License version 2 only, as
> ++# published by the Free Software Foundation.
> ++#
> ++# This code is distributed in the hope that it will be useful, but WITHOUT
> ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> ++# version 2 for more details (a copy is included in the LICENSE file that
> ++# accompanied this code).
> ++#
> ++# You should have received a copy of the GNU General Public License version
> ++# 2 along with this work; if not, write to the Free Software Foundation,
> ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
> ++#
> ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
> ++# or visit www.oracle.com if you need additional information or have any
> ++# questions.
> ++#
> ++
> ++# @test
> ++# @bug 7102369 7094468 7100592
> ++# @summary remove java.rmi.server.codebase property parsing from registyimpl
> ++# @run shell readTest.sh
> ++
> ++OS=`uname -s`
> ++case "$OS" in
> ++ SunOS | Linux )
> ++ PS=":"
> ++ FS="/"
> ++ FILEURL="file:"
> ++ ;;
> ++ Windows* | CYGWIN* )
> ++ PS=";"
> ++ FS="\\"
> ++ FILEURL="file:/"
> ++ ;;
> ++ * )
> ++ echo "Unrecognized system!"
> ++ exit 1;
> ++ ;;
> ++esac
> ++
> ++cp -r ${TESTSRC}${FS}* .
> ++${TESTJAVA}${FS}bin${FS}javac testPkg${FS}*java
> ++${TESTJAVA}${FS}bin${FS}javac readTest.java
> ++
> ++mkdir rmi_tmp
> ++RMIREG_OUT=rmi.out
> ++#start rmiregistry without any local classes on classpath
> ++cd rmi_tmp
> ++${TESTJAVA}${FS}bin${FS}rmiregistry 7491 > ..${FS}${RMIREG_OUT} 2>&1 &
> ++RMIREG_PID=$!
> ++# allow some time to start
> ++sleep 3
> ++cd ..
> ++
> ++# trailing / after code base is important for rmi codebase property.
> ++${TESTJAVA}${FS}bin${FS}java -Djava.rmi.server.codebase=${FILEURL}`pwd`/ readTest > OUT.TXT 2>&1 &
> ++TEST_PID=$!
> ++#bulk of testcase - let it run for a while
> ++sleep 5
> ++
> ++#we're done, kill processes first
> ++kill -9 ${RMIREG_PID} ${TEST_PID}
> ++sleep 3
> ++
> ++echo "Test output : "
> ++
> ++cat OUT.TXT
> ++echo "=============="
> ++echo "rmiregistry output : "
> ++cat ${RMIREG_OUT}
> ++echo "=============="
> ++
> ++grep "Server ready" OUT.TXT
> ++result1=$?
> ++grep "Test passed" OUT.TXT
> ++result2=$?
> ++
> ++if [ $result1 -eq 0 -a $result2 -eq 0 ]
> ++then
> ++ echo "Passed"
> ++ exitCode=0;
> ++else
> ++ echo "Failed"
> ++ exitCode=1
> ++fi
> ++rm -rf OUT.TXT ${RMIREG_OUT} rmi_tmp
> ++exit ${exitCode}
> ++
> ++
> +diff -r 020dcd6d69ac -r 6b46f3c7c97c test/java/rmi/registry/readTest/testPkg/Client.java
> +--- /dev/null Thu Jan 01 00:00:00 1970 +0000
> ++++ openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Client.java Wed Nov 16 13:14:57 2011 +0000
> +@@ -0,0 +1,48 @@
> ++/*
> ++ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
> ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
> ++ *
> ++ * This code is free software; you can redistribute it and/or modify it
> ++ * under the terms of the GNU General Public License version 2 only, as
> ++ * published by the Free Software Foundation.
> ++ *
> ++ * This code is distributed in the hope that it will be useful, but WITHOUT
> ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> ++ * version 2 for more details (a copy is included in the LICENSE file that
> ++ * accompanied this code).
> ++ *
> ++ * You should have received a copy of the GNU General Public License version
> ++ * 2 along with this work; if not, write to the Free Software Foundation,
> ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
> ++ *
> ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
> ++ * or visit www.oracle.com if you need additional information or have any
> ++ * questions.
> ++ */
> ++
> ++package testPkg;
> ++
> ++import java.rmi.registry.LocateRegistry;
> ++import java.rmi.registry.Registry;
> ++
> ++public class Client {
> ++ int port;
> ++
> ++ public Client(int p) {
> ++ port = p;
> ++ }
> ++
> ++ public String testStub() throws Exception {
> ++ try {
> ++ Registry registry = LocateRegistry.getRegistry(port);
> ++ Hello stub = (Hello) registry.lookup("Hello");
> ++ String response = stub.sayHello();
> ++ return response;
> ++ } catch (Exception e) {
> ++ System.err.println("Client exception: " + e.toString());
> ++ throw e;
> ++ }
> ++ }
> ++ }
> ++
> +diff -r 020dcd6d69ac -r 6b46f3c7c97c test/java/rmi/registry/readTest/testPkg/Hello.java
> +--- /dev/null Thu Jan 01 00:00:00 1970 +0000
> ++++ openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Hello.java Wed Nov 16 13:14:57 2011 +0000
> +@@ -0,0 +1,31 @@
> ++/*
> ++ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
> ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
> ++ *
> ++ * This code is free software; you can redistribute it and/or modify it
> ++ * under the terms of the GNU General Public License version 2 only, as
> ++ * published by the Free Software Foundation.
> ++ *
> ++ * This code is distributed in the hope that it will be useful, but WITHOUT
> ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> ++ * version 2 for more details (a copy is included in the LICENSE file that
> ++ * accompanied this code).
> ++ *
> ++ * You should have received a copy of the GNU General Public License version
> ++ * 2 along with this work; if not, write to the Free Software Foundation,
> ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
> ++ *
> ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
> ++ * or visit www.oracle.com if you need additional information or have any
> ++ * questions.
> ++ */
> ++
> ++package testPkg;
> ++
> ++import java.rmi.Remote;
> ++import java.rmi.RemoteException;
> ++
> ++public interface Hello extends Remote {
> ++ String sayHello() throws RemoteException;
> ++}
> +diff -r 020dcd6d69ac -r 6b46f3c7c97c test/java/rmi/registry/readTest/testPkg/Server.java
> +--- /dev/null Thu Jan 01 00:00:00 1970 +0000
> ++++ openjdk/jdk/test/java/rmi/registry/readTest/testPkg/Server.java Wed Nov 16 13:14:57 2011 +0000
> +@@ -0,0 +1,36 @@
> ++/*
> ++ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
> ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
> ++ *
> ++ * This code is free software; you can redistribute it and/or modify it
> ++ * under the terms of the GNU General Public License version 2 only, as
> ++ * published by the Free Software Foundation.
> ++ *
> ++ * This code is distributed in the hope that it will be useful, but WITHOUT
> ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> ++ * version 2 for more details (a copy is included in the LICENSE file that
> ++ * accompanied this code).
> ++ *
> ++ * You should have received a copy of the GNU General Public License version
> ++ * 2 along with this work; if not, write to the Free Software Foundation,
> ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
> ++ *
> ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
> ++ * or visit www.oracle.com if you need additional information or have any
> ++ * questions.
> ++ */
> ++
> ++package testPkg;
> ++
> ++public class Server implements Hello {
> ++
> ++ public String hello = "Hello, world!";
> ++
> ++ public Server() {}
> ++
> ++ public String sayHello() {
> ++ return hello;
> ++ }
> ++
> ++}
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20111212/d25daede/attachment.bin
More information about the distro-pkg-dev
mailing list