8146313: The java.beans.Statement.invoke() method handles 3-arg Class.forName incorrectly

Reviewed-by: prr, ahgross, alexsch

jdk/src/java.desktop/share/classes/java/beans/Statement.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,6 +39,8 @@ import com.sun.beans.finder.ConstructorFinder;
 import com.sun.beans.finder.MethodFinder;
 import sun.reflect.misc.MethodUtil;
 
+import static sun.reflect.misc.ReflectUtil.checkPackageAccess;
+
 /**
  * A {@code Statement} object represents a primitive statement
  * in which a single method is applied to a target and
@@ -205,12 +207,22 @@ public class Statement {
         Object[] arguments = getArguments();
         if (arguments == null) {
             arguments = emptyArray;
+        } else {
+            arguments = arguments.clone();
         }
-        // Class.forName() won't load classes outside
-        // of core from a class inside core. Special
-        // case this method.
         if (target == Class.class && methodName.equals("forName")) {
-            return ClassFinder.resolveClass((String)arguments[0], this.loader);
+            final String name = (String) arguments[0];
+            if (arguments.length == 1) {
+                // Class.forName(String className) won't load classes outside
+                // of core from a class inside core. Special
+                // case this method.
+                // checkPackageAccess(name) will be called by ClassFinder
+                return ClassFinder.resolveClass(name, this.loader);
+            }
+            // The 3 args Class.forName(String className, boolean, classloader)
+            // requires getClassLoader permission, but we will be stricter and
+            // will require access to the package as well.
+            checkPackageAccess(name);
         }
         Class<?>[] argClasses = new Class<?>[arguments.length];
         for(int i = 0; i < arguments.length; i++) {

jdk/test/java/beans/Statement/ClassForName/ClassForName.java

@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.beans.Expression;
+import java.beans.Statement;
+
+/**
+ * @test
+ * @bug 8146313
+ * @run main/othervm ClassForName
+ * @run main/othervm/policy=java.policy -Djava.security.manager ClassForName
+ */
+public final class ClassForName {
+
+    static boolean initialized;
+
+    static final String[] classes = {
+            "A.A", "java.lang.String", "ClassForName$Bean", "sun.awt.SunToolkit"
+    };
+
+    static final ClassLoader appl = new Object() {}.getClass().getClassLoader();
+
+    static final ClassLoader[] loaders = {
+            String.class.getClassLoader(), null, appl
+    };
+
+    static boolean[] inits = {false, true};
+
+    public static void main(final String[] args) throws Exception {
+        // Check that the Class.forName(name, boolean, classloader) is executed
+        // when requested via JavaBeans
+        simpleTest();
+
+        // Check that the Class.forName and Expression returns the same classes
+        for (final String cls : classes) {
+            complexTest1Args(cls);
+            for (final ClassLoader loader : loaders) {
+                for (final boolean init : inits) {
+                    complexTest3Args(cls, loader, init);
+                }
+            }
+        }
+    }
+
+    private static void simpleTest() throws Exception {
+        // load the class without initialization
+        new Statement(Class.class, "forName", new Object[]{
+                "ClassForName$Bean", false, Bean.class.getClassLoader()
+        }).execute();
+        if (initialized) {
+            throw new RuntimeException("Should not be initialized");
+        }
+
+        // load the class and initialize it
+        new Statement(Class.class, "forName", new Object[]{
+                "ClassForName$Bean", true, Bean.class.getClassLoader()
+        }).execute();
+        if (!initialized) {
+            throw new RuntimeException("Should be initialized");
+        }
+    }
+
+    private static void complexTest1Args(final String cls) {
+        // load via standard Class.forName();
+        Class<?> classForName = null;
+        try {
+            classForName = Class.forName(cls);
+        } catch (final Exception ignored) {
+        }
+
+        // load via Expression.execute()
+        Class<?> classStatement = null;
+        try {
+            final Expression exp = new Expression(Class.class, "forName",
+                                                  new Object[]{
+                                                          cls
+                                                  });
+            exp.execute();
+            classStatement = (Class<?>) exp.getValue();
+        } catch (final Exception ignored) {
+        }
+        if (classForName != classStatement) {
+            System.err.println(classForName);
+            System.err.println(classStatement);
+            throw new RuntimeException();
+        }
+    }
+
+    private static void complexTest3Args(final String cls,
+                                         final ClassLoader loader,
+                                         final boolean init) {
+        // load via standard Class.forName();
+        Class<?> classForName = null;
+        Class<?> excForName = null;
+        try {
+            classForName = Class.forName(cls, init, loader);
+        } catch (final Exception e) {
+            excForName = e.getClass();
+        }
+
+        // load via Expression.execute()
+        Class<?> classStatement = null;
+        Class<?> excStatement = null;
+        try {
+            final Expression exp = new Expression(Class.class, "forName",
+                                                  new Object[]{
+                                                          cls, init, loader
+                                                  });
+            exp.execute();
+            classStatement = (Class<?>) exp.getValue();
+        } catch (final Exception e) {
+            excStatement = e.getClass();
+        }
+        if (classForName != classStatement) {
+            System.err.println(classForName);
+            System.err.println(classStatement);
+            throw new RuntimeException();
+        }
+        if (excForName != excStatement) {
+            System.err.println(excForName);
+            System.err.println(excStatement);
+            throw new RuntimeException();
+        }
+    }
+
+    public static final class Bean {
+
+        static {
+            initialized = true;
+        }
+    }
+}

jdk/test/java/beans/Statement/ClassForName/java.policy

@@ -0,0 +1 @@
+;