6904691: Java Applet Trusted Methods Chaining Privilege Escalation Vulnerability

Reviewed-by: hawtin, peterz

jdk/src/share/classes/java/beans/EventHandler.java

@@ -32,7 +32,6 @@ import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 
-import java.util.EventObject;
 import sun.reflect.misc.MethodUtil;
 
 /**
@@ -279,9 +278,9 @@ import sun.reflect.misc.MethodUtil;
 public class EventHandler implements InvocationHandler {
     private Object target;
     private String action;
-    private String eventPropertyName;
+    private final String eventPropertyName;
-    private String listenerMethodName;
+    private final String listenerMethodName;
-    private AccessControlContext acc;
+    private final AccessControlContext acc = AccessController.getContext();
 
     /**
      * Creates a new <code>EventHandler</code> object;
@@ -310,7 +309,6 @@ public class EventHandler implements InvocationHandler {
      */
     @ConstructorProperties({"target", "action", "eventPropertyName", "listenerMethodName"})
     public EventHandler(Object target, String action, String eventPropertyName, String listenerMethodName) {
-        this.acc = AccessController.getContext();
         this.target = target;
         this.action = action;
         if (target == null) {
@@ -422,7 +420,11 @@ public class EventHandler implements InvocationHandler {
      * @see EventHandler
      */
     public Object invoke(final Object proxy, final Method method, final Object[] arguments) {
-        return AccessController.doPrivileged(new PrivilegedAction() {
+        AccessControlContext acc = this.acc;
+        if ((acc == null) && (System.getSecurityManager() != null)) {
+            throw new SecurityException("AccessControlContext is not set");
+        }
+        return AccessController.doPrivileged(new PrivilegedAction<Object>() {
             public Object run() {
                 return invokeInternal(proxy, method, arguments);
             }
@@ -482,7 +484,10 @@ public class EventHandler implements InvocationHandler {
                 throw new RuntimeException(ex);
             }
             catch (InvocationTargetException ex) {
-                throw new RuntimeException(ex.getTargetException());
+                Throwable th = ex.getTargetException();
+                throw (th instanceof RuntimeException)
+                        ? (RuntimeException) th
+                        : new RuntimeException(th);
             }
         }
         return null;

jdk/src/share/classes/java/beans/Statement.java

@@ -29,6 +29,10 @@ import java.lang.reflect.Array;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 
 import com.sun.beans.finder.ClassFinder;
 import com.sun.beans.finder.ConstructorFinder;
@@ -63,9 +67,10 @@ public class Statement {
         }
     };
 
-    Object target;
+    private final AccessControlContext acc = AccessController.getContext();
-    String methodName;
+    private final Object target;
-    Object[] arguments;
+    private final String methodName;
+    private final Object[] arguments;
     ClassLoader loader;
 
     /**
@@ -145,6 +150,26 @@ public class Statement {
     }
 
     Object invoke() throws Exception {
+        AccessControlContext acc = this.acc;
+        if ((acc == null) && (System.getSecurityManager() != null)) {
+            throw new SecurityException("AccessControlContext is not set");
+        }
+        try {
+            return AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<Object>() {
+                        public Object run() throws Exception {
+                            return invokeInternal();
+                        }
+                    },
+                    acc
+            );
+        }
+        catch (PrivilegedActionException exception) {
+            throw exception.getException();
+        }
+    }
+
+    private Object invokeInternal() throws Exception {
         Object target = getTarget();
         String methodName = getMethodName();
 

jdk/test/java/beans/EventHandler/Test6277246.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -49,10 +49,10 @@ public class Test6277246 {
         catch (NoSuchMethodException exception) {
             throw new Error("unexpected exception", exception);
         }
-        catch (RuntimeException exception) {
+        catch (SecurityException exception) {
-            if (exception.getCause() instanceof SecurityException) {
+            // expected security exception
-                return; // expected security exception
         }
+        catch (RuntimeException exception) {
             throw new Error("unexpected exception", exception);
         }
     }

jdk/test/java/beans/EventHandler/Test6277266.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -51,7 +51,7 @@ public class Test6277266 {
             );
             throw new Error("SecurityException expected");
         } catch (InvocationTargetException exception) {
-            if (exception.getCause().getCause() instanceof SecurityException){
+            if (exception.getCause() instanceof SecurityException){
                 return; // expected security exception
             }
             throw new Error("unexpected exception", exception);