[13] RFR: 8020637: Permissions.readObject doesn't enforce proper Class to PermissionCollection mappings
Weijun Wang
weijun.wang at oracle.com
Tue Apr 2 03:12:34 UTC 2019
I can understand the change in Permissions, but is there any difference in PermissionsHash?
--Max
> On Apr 2, 2019, at 1:10 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> It is currently possible to change the mappings in a serialized java.security.Permissions object such that they no longer map correctly, and Permissions.readObject won't detect this.
>
> This change makes sure that for a deserialized Permissions object, the permissions are mapped correctly to the class that they belong to. It does this by calling add() again for each permission in the deserialized Permissions object. The same technique was applied to a serialized PermissionsHash object which is used to store Permissions that don't implement their own PermissionCollection.
>
> bug: https://bugs.openjdk.java.net/browse/JDK-8020637
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8020637/webrev.00/
>
> Thanks,
> Sean
>
More information about the security-dev
mailing list