7162476: XMLDecoder security issue via ClassFinder

Reviewed-by: art, ahgross

jdk/make/sun/Makefile

@@ -87,7 +87,7 @@ else
 endif
 SUBDIRS_desktop    = audio $(RENDER_SUBDIR) image \
                      $(LWAWT_PRE_SUBDIR) $(DISPLAY_LIBS) $(DGA_SUBDIR) $(LWAWT_SUBDIR) \
-                     jawt font jpeg cmm $(DISPLAY_TOOLS) beans
+                     jawt font jpeg cmm $(DISPLAY_TOOLS)
 SUBDIRS_management = management
 SUBDIRS_misc       = $(ORG_SUBDIR) rmi $(JDBC_SUBDIR) tracing
 SUBDIRS_tools      = native2ascii serialver tools jconsole

jdk/make/sun/beans/Makefile

@@ -1,43 +0,0 @@
-#
-# Copyright (c) 1997, 2005, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.  Oracle designates this
-# particular file as subject to the "Classpath" exception as provided
-# by Oracle in the LICENSE file that accompanied this code.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-#
-# Makefile for building sun.beans.*
-#
-
-BUILDDIR = ../..
-PACKAGE = sun.beans
-PRODUCT = sun
-include $(BUILDDIR)/common/Defs.gmk
-
-#
-# Files
-#
-AUTO_FILES_JAVA_DIRS = sun/beans
-
-#
-# Rules
-#
-include $(BUILDDIR)/common/Classes.gmk

jdk/src/share/classes/com/sun/beans/editors/BooleanEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 /**
  * Property editor for a java builtin "boolean" type.

jdk/src/share/classes/com/sun/beans/editors/ByteEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 /**
  * Property editor for a java builtin "byte" type.

jdk/src/share/classes/com/sun/beans/editors/ColorEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 import java.awt.*;
 import java.beans.*;

jdk/src/share/classes/com/sun/beans/editors/DoubleEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 /**
  * Property editor for a java builtin "double" type.

jdk/src/share/classes/com/sun/beans/editors/EnumEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -22,7 +22,7 @@
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 import java.awt.Component;
 import java.awt.Graphics;

jdk/src/share/classes/com/sun/beans/editors/FloatEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 /**
  * Property editor for a java builtin "float" type.

jdk/src/share/classes/com/sun/beans/editors/FontEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 import java.awt.*;
 import java.beans.*;

jdk/src/share/classes/com/sun/beans/editors/IntegerEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 /**
  * Property editor for a java builtin "int" type.

jdk/src/share/classes/com/sun/beans/editors/LongEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 /**
  * Property editor for a java builtin "long" type.

jdk/src/share/classes/com/sun/beans/editors/NumberEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 /**
  * Abstract Property editor for a java builtin number types.

jdk/src/share/classes/com/sun/beans/editors/ShortEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@
  */
 
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 /**
  * Property editor for a java builtin "short" type.

jdk/src/share/classes/com/sun/beans/editors/StringEditor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@
  */
 
 
-package sun.beans.editors;
+package com.sun.beans.editors;
 
 import java.beans.*;
 

jdk/src/share/classes/com/sun/beans/finder/BeanInfoFinder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,6 +42,7 @@ public final class BeanInfoFinder
         extends InstanceFinder<BeanInfo> {
 
     private static final String DEFAULT = "sun.beans.infos";
+    private static final String DEFAULT_NEW = "com.sun.beans.infos";
 
     public BeanInfoFinder() {
         super(BeanInfo.class, true, "BeanInfo", DEFAULT);
@@ -53,10 +54,13 @@ public final class BeanInfoFinder
 
     @Override
     protected BeanInfo instantiate(Class<?> type, String prefix, String name) {
+        if (DEFAULT.equals(prefix)) {
+            prefix = DEFAULT_NEW;
+        }
         // this optimization will only use the BeanInfo search path
         // if is has changed from the original
         // or trying to get the ComponentBeanInfo
-        BeanInfo info = !DEFAULT.equals(prefix) || "ComponentBeanInfo".equals(name)
+        BeanInfo info = !DEFAULT_NEW.equals(prefix) || "ComponentBeanInfo".equals(name)
                 ? super.instantiate(type, prefix, name)
                 : null;
 

jdk/src/share/classes/com/sun/beans/finder/ClassFinder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,8 @@
  */
 package com.sun.beans.finder;
 
+import static sun.reflect.misc.ReflectUtil.checkPackageAccess;
+
 /**
  * This is utility class that provides {@code static} methods
  * to find a class with the specified name using the specified class loader.
@@ -54,6 +56,7 @@ public final class ClassFinder {
      * @see Thread#getContextClassLoader()
      */
     public static Class<?> findClass(String name) throws ClassNotFoundException {
+        checkPackageAccess(name);
         try {
             ClassLoader loader = Thread.currentThread().getContextClassLoader();
             if (loader == null) {
@@ -94,6 +97,7 @@ public final class ClassFinder {
      * @see Class#forName(String,boolean,ClassLoader)
      */
     public static Class<?> findClass(String name, ClassLoader loader) throws ClassNotFoundException {
+        checkPackageAccess(name);
         if (loader != null) {
             try {
                 return Class.forName(name, false, loader);

jdk/src/share/classes/com/sun/beans/finder/PropertyEditorFinder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,14 +28,14 @@ import com.sun.beans.WeakCache;
 
 import java.beans.PropertyEditor;
 
-import sun.beans.editors.BooleanEditor;
-import sun.beans.editors.ByteEditor;
-import sun.beans.editors.DoubleEditor;
-import sun.beans.editors.EnumEditor;
-import sun.beans.editors.FloatEditor;
-import sun.beans.editors.IntegerEditor;
-import sun.beans.editors.LongEditor;
-import sun.beans.editors.ShortEditor;
+import com.sun.beans.editors.BooleanEditor;
+import com.sun.beans.editors.ByteEditor;
+import com.sun.beans.editors.DoubleEditor;
+import com.sun.beans.editors.EnumEditor;
+import com.sun.beans.editors.FloatEditor;
+import com.sun.beans.editors.IntegerEditor;
+import com.sun.beans.editors.LongEditor;
+import com.sun.beans.editors.ShortEditor;
 
 /**
  * This is utility class that provides functionality
@@ -48,10 +48,13 @@ import sun.beans.editors.ShortEditor;
 public final class PropertyEditorFinder
         extends InstanceFinder<PropertyEditor> {
 
+    private static final String DEFAULT = "sun.beans.editors";
+    private static final String DEFAULT_NEW = "com.sun.beans.editors";
+
     private final WeakCache<Class<?>, Class<?>> registry;
 
     public PropertyEditorFinder() {
-        super(PropertyEditor.class, false, "Editor", "sun.beans.editors");
+        super(PropertyEditor.class, false, "Editor", DEFAULT);
 
         this.registry = new WeakCache<Class<?>, Class<?>>();
         this.registry.put(Byte.TYPE, ByteEditor.class);
@@ -84,4 +87,9 @@ public final class PropertyEditorFinder
         }
         return editor;
     }
+
+    @Override
+    protected PropertyEditor instantiate(Class<?> type, String prefix, String name) {
+        return super.instantiate(type, DEFAULT.equals(prefix) ? DEFAULT_NEW : prefix, name);
+    }
 }

jdk/src/share/classes/com/sun/beans/infos/ComponentBeanInfo.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2002, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package sun.beans.infos;
+package com.sun.beans.infos;
 
 import java.beans.*;
 

jdk/test/java/beans/Introspector/4520754/Test4520754.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -58,7 +58,7 @@ public class Test4520754 {
     public static void main(String[] args) {
         // ensure that 4168475 does not regress
         test4168475(Component.class);
-        // AWT classes (sun.beans.infos.ComponentBeanInfo)
+        // AWT classes (com.sun.beans.infos.ComponentBeanInfo)
         test(null, Button.class, Component.class, List.class, Menu.class, Panel.class);
         // Swing classes (dt.jar)
         test(null, JApplet.class, JButton.class, JCheckBox.class);

jdk/test/java/beans/PropertyEditor/6380849/TestPropertyEditor.java

@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,17 +36,17 @@ import java.awt.Font;
 import java.beans.PropertyEditor;
 import java.beans.PropertyEditorManager;
 
-import sun.beans.editors.BooleanEditor;
-import sun.beans.editors.ByteEditor;
-import sun.beans.editors.ColorEditor;
-import sun.beans.editors.DoubleEditor;
-import sun.beans.editors.EnumEditor;
-import sun.beans.editors.FloatEditor;
-import sun.beans.editors.FontEditor;
-import sun.beans.editors.IntegerEditor;
-import sun.beans.editors.LongEditor;
-import sun.beans.editors.ShortEditor;
-import sun.beans.editors.StringEditor;
+import com.sun.beans.editors.BooleanEditor;
+import com.sun.beans.editors.ByteEditor;
+import com.sun.beans.editors.ColorEditor;
+import com.sun.beans.editors.DoubleEditor;
+import com.sun.beans.editors.EnumEditor;
+import com.sun.beans.editors.FloatEditor;
+import com.sun.beans.editors.FontEditor;
+import com.sun.beans.editors.IntegerEditor;
+import com.sun.beans.editors.LongEditor;
+import com.sun.beans.editors.ShortEditor;
+import com.sun.beans.editors.StringEditor;
 
 public class TestPropertyEditor implements Runnable {
 

jdk/test/java/beans/PropertyEditor/Test6963811.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,7 +29,7 @@
  */
 
 import java.beans.PropertyEditorManager;
-import sun.beans.editors.StringEditor;
+import com.sun.beans.editors.StringEditor;
 
 public class Test6963811 implements Runnable {
     private final long time;