JDK-6761678

(ann) SecurityException in AnnotationInvocationHandler.getMemberMethods

Details

    • b40
    • generic
    • generic
    • Not verified

      Description

        As reported by Martin (http://mail.openjdk.java.net/pipermail/jdk6-dev/2008-October/000232.html):

        Description:

        sun/reflect/annotation/AnnotationInvocationHandler.java.getMemberMethods
        might throw if there is a security manager that does not allow
        getDeclaredMethods.

        The author of this code (Josh Bloch) confirms that the intent was for the
        doPrivileged block in this method to prevent security exceptions.
        The methods cannot escape to untrusted code.

        Evaluation:

        Yes. Fix provided courtesy of Toby Reyelts and Josh Bloch at Google.

        # HG changeset patch
        # User martin
        # Date 1224185752 25200
        # Node ID 68730f05449cd4f39ce1cb82adc6c4e57f87554f
        # Parent 214ebdcf7252d4862449fe0ae295e6c60a127315
        SecurityException in AnnotationInvocationHandler.getMemberMethods
        Summary: Move call to getDeclaredMethods inside doPrivileged
        Reviewed-by:
        Contributed-by: ###@###.###

        diff --git a/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java
        b/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java
        --- a/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java
        +++ b/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java
        @@ -272,14 +272,14 @@
              */
             private Method[] getMemberMethods() {
                 if (memberMethods == null) {
        - final Method[] mm = type.getDeclaredMethods();
        - AccessController.doPrivileged(new PrivilegedAction<Void>() {
        - public Void run() {
        - AccessibleObject.setAccessible(mm, true);
        - return null;
        - }
        - });
        - memberMethods = mm;
        + memberMethods = AccessController.doPrivileged(
        + new PrivilegedAction<Method[]>() {
        + public Method[] run() {
        + final Method[] mm = type.getDeclaredMethods();
        + AccessibleObject.setAccessible(mm, true);
        + return mm;
        + }
        + });
                 }
                 return memberMethods;
             }
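
Review bot: In the new `run()` body, `type.getDeclaredMethods()` and `AccessibleObject.setAccessible(mm, true)` both execute inside the privileged block and the resulting array is cached in `memberMethods`, so the safety of the change rests on that array never reaching a caller outside this class. The method is `private`, which helps, but the invariant is not written down anywhere in the hunk; please add a comment above the `doPrivileged` call stating that the accessible `Method[]` must not be returned or passed to untrusted code, so a later refactoring does not leak it. The diff also touches only AnnotationInvocationHandler.java; a regression test that runs under a security manager denying getDeclaredMethods would keep the original failure from returning. The Reviewed-by: line in the changeset header is still empty.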

              People

                darcy Joe Darcy