RFR: 8020637: Permissions.readObject doesn't enforce proper Class to PermissionCollection mappings

Sean Mullan sean.mullan at oracle.com
Mon Apr 1 17:10:59 UTC 2019


It is currently possible to change the mappings in a serialized 
java.security.Permissions object such that they no longer map correctly, 
and Permissions.readObject won't detect this.

This change makes sure that for a deserialized Permissions object, the 
permissions are mapped correctly to the class that they belong to. It 
does this by calling add() again for each permission in the deserialized 
Permissions object. The same technique was applied to a serialized 
PermissionsHash object which is used to store Permissions that don't 
implement their own PermissionCollection.

bug: https://bugs.openjdk.java.net/browse/JDK-8020637
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8020637/webrev.00/

Thanks,
Sean
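The re-add technique described in the message above, as an added example that is not OpenJDK code: a hypothetical Serializable holder, CheckedPermissionMap, keyed by permission class, whose readObject ignores the class keys carried in the stream and instead calls add() on every permission it finds, so each key is re-derived from the permission's own class, the same idea the fix applies to Permissions and PermissionsHash. The misfileForDemo method (standing in for a hand-edited stream) and the ListCollection fallback (standing in for PermissionsHash) are assumptions made for the demonstration.

```java
import java.io.*;
import java.security.*;
import java.util.*;

/**
 * Added example, not OpenJDK code: a Serializable holder of Permission objects
 * keyed by their class. readObject does not trust the keys in the stream; it
 * rebuilds the map by calling add() on every permission, so each key is
 * re-derived from perm.getClass() (the technique used for JDK-8020637).
 */
public final class CheckedPermissionMap implements Serializable {
    private static final long serialVersionUID = 1L;

    // Invariant: every Permission held under key K satisfies getClass() == K.
    // transient: writeObject/readObject handle the field explicitly below.
    private transient Map<Class<?>, PermissionCollection> perms = new HashMap<>();

    public void add(Permission p) {
        PermissionCollection pc = perms.get(p.getClass());
        if (pc == null) {
            pc = p.newPermissionCollection();
            if (pc == null) {
                pc = new ListCollection(); // assumed stand-in for PermissionsHash
            }
            perms.put(p.getClass(), pc);
        }
        pc.add(p);
    }

    public boolean implies(Permission p) {
        PermissionCollection pc = perms.get(p.getClass());
        return pc != null && pc.implies(p);
    }

    /** Demo-only (assumption): stands in for hand-editing the stream so p is filed under wrongKey. */
    void misfileForDemo(Permission p, Class<?> wrongKey) {
        perms.computeIfAbsent(wrongKey, k -> new ListCollection()).add(p);
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeObject(new HashMap<>(perms)); // keys written as-is, tampered or not
    }

    @SuppressWarnings("unchecked")
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        Map<Class<?>, PermissionCollection> fromStream =
                (Map<Class<?>, PermissionCollection>) in.readObject();
        // Discard the stream's keys and re-add every element: add() re-derives
        // the key from the permission's own class, so a mis-mapped entry is refiled.
        perms = new HashMap<>();
        for (PermissionCollection pc : fromStream.values()) {
            for (Enumeration<Permission> e = pc.elements(); e.hasMoreElements(); ) {
                add(e.nextElement());
            }
        }
    }

    /** Fallback for permissions whose newPermissionCollection() returns null. */
    private static final class ListCollection extends PermissionCollection {
        private static final long serialVersionUID = 1L;
        private final List<Permission> list = new ArrayList<>();

        @Override public void add(Permission p) {
            if (isReadOnly()) throw new SecurityException("collection is read-only");
            list.add(p);
        }
        @Override public boolean implies(Permission p) {
            for (Permission q : list) {
                if (q.implies(p)) return true;
            }
            return false;
        }
        @Override public Enumeration<Permission> elements() {
            return Collections.enumeration(list);
        }
    }

    public static void main(String[] args) throws Exception {
        CheckedPermissionMap m = new CheckedPermissionMap();
        m.add(new FilePermission("/tmp/-", "read"));
        Permission prop = new PropertyPermission("user.home", "read");
        m.misfileForDemo(prop, RuntimePermission.class); // constructed tampering

        // Lookup is by prop.getClass(), so the misfiled entry is invisible here.
        System.out.println("before round trip : implies(prop) = " + m.implies(prop));

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(m);
        }
        CheckedPermissionMap back;
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            back = (CheckedPermissionMap) ois.readObject();
        }
        // readObject refiled prop under PropertyPermission.class.
        System.out.println("after readObject  : implies(prop) = " + back.implies(prop));
        System.out.println("FilePermission kept: "
                + back.implies(new FilePermission("/tmp/x", "read")));
    }
}
```

Run it with `java CheckedPermissionMap.java` (single-file source launch, JDK 11 or later). Re-adding silently refiles a mis-mapped permission, which matches the approach in the webrev; if a mismatched key should instead be treated as evidence of tampering, the loop in readObject can compare each element's getClass() against the stream's key and throw InvalidObjectException on the first mismatch rather than repairing it.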
