archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-27 06:45:07 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8243592: Subject$SecureSet::addAll should not call contains(null)

Browse source 
Reviewed-by: mullan
This commit is contained in:
Weijun Wang 2020-07-09 09:22:01 +08:00
parent e2353cc324
commit fc1b24e4e8
2 changed files with 99 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

73
src/java.base/share/classes/javax/security/auth/Subject.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -203,18 +203,20 @@ public final class Subject implements java.io.Serializable {
* Sets.
*/
public Subject(boolean readOnly, Set<? extends Principal> principals,
Set<?> pubCredentials, Set<?> privCredentials)
{
collectionNullClean(principals);
collectionNullClean(pubCredentials);
collectionNullClean(privCredentials);
Set<?> pubCredentials, Set<?> privCredentials) {
LinkedList<Principal> principalList
= collectionNullClean(principals);
LinkedList<Object> pubCredsList
= collectionNullClean(pubCredentials);
LinkedList<Object> privCredsList
= collectionNullClean(privCredentials);
this.principals = Collections.synchronizedSet(new SecureSet<>
(this, PRINCIPAL_SET, principals));
this.pubCredentials = Collections.synchronizedSet(new SecureSet<>
(this, PUB_CREDENTIAL_SET, pubCredentials));
this.privCredentials = Collections.synchronizedSet(new SecureSet<>
(this, PRIV_CREDENTIAL_SET, privCredentials));
this.principals = Collections.synchronizedSet(
new SecureSet<>(this, PRINCIPAL_SET, principalList));
this.pubCredentials = Collections.synchronizedSet(
new SecureSet<>(this, PUB_CREDENTIAL_SET, pubCredsList));
this.privCredentials = Collections.synchronizedSet(
new SecureSet<>(this, PRIV_CREDENTIAL_SET, privCredsList));
this.readOnly = readOnly;
}
@ -975,8 +977,9 @@ public final class Subject implements java.io.Serializable {
// Rewrap the principals into a SecureSet
try {
LinkedList<Principal> principalList = collectionNullClean(inputPrincs);
principals = Collections.synchronizedSet(new SecureSet<>
(this, PRINCIPAL_SET, inputPrincs));
(this, PRINCIPAL_SET, principalList));
} catch (NullPointerException npe) {
// Sometimes people deserialize the principals set only.
// Subject is not accessible, so just don't fail.
@ -1001,26 +1004,18 @@ public final class Subject implements java.io.Serializable {
* @throws NullPointerException if the specified collection is either
* {@code null} or contains a {@code null} element
*/
private static void collectionNullClean(Collection<?> coll) {
boolean hasNullElements = false;
private static <E> LinkedList<E> collectionNullClean(
Collection<? extends E> coll) {
Objects.requireNonNull(coll,
ResourcesMgr.getString("invalid.null.input.s."));
try {
hasNullElements = coll.contains(null);
} catch (NullPointerException npe) {
// A null-hostile collection may choose to throw
// NullPointerException if contains(null) is called on it
// rather than returning false.
// If this happens we know the collection is null-clean.
hasNullElements = false;
} finally {
if (hasNullElements) {
throw new NullPointerException
(ResourcesMgr.getString("invalid.null.input.s."));
}
LinkedList<E> output = new LinkedList<>();
for (E e : coll) {
output.add(Objects.requireNonNull(e,
ResourcesMgr.getString("invalid.null.input.s.")));
}
return output;
}
/**
@ -1066,10 +1061,10 @@ public final class Subject implements java.io.Serializable {
this.elements = new LinkedList<E>();
}
SecureSet(Subject subject, int which, Set<? extends E> set) {
SecureSet(Subject subject, int which, LinkedList<E> list) {
this.subject = subject;
this.which = which;
this.elements = new LinkedList<E>(set);
this.elements = list;
}
public int size() {
@ -1242,7 +1237,7 @@ public final class Subject implements java.io.Serializable {
public boolean addAll(Collection<? extends E> c) {
boolean result = false;
collectionNullClean(c);
c = collectionNullClean(c);
for (E item : c) {
result |= this.add(item);
@ -1252,7 +1247,7 @@ public final class Subject implements java.io.Serializable {
}
public boolean removeAll(Collection<?> c) {
collectionNullClean(c);
c = collectionNullClean(c);
boolean modified = false;
final Iterator<E> e = iterator();
@ -1282,7 +1277,7 @@ public final class Subject implements java.io.Serializable {
}
public boolean containsAll(Collection<?> c) {
collectionNullClean(c);
c = collectionNullClean(c);
for (Object item : c) {
if (this.contains(item) == false) {
@ -1294,7 +1289,7 @@ public final class Subject implements java.io.Serializable {
}
public boolean retainAll(Collection<?> c) {
collectionNullClean(c);
c = collectionNullClean(c);
boolean modified = false;
final Iterator<E> e = iterator();
@ -1314,8 +1309,8 @@ public final class Subject implements java.io.Serializable {
if (c.contains(next) == false) {
e.remove();
modified = true;
}
}
}
return modified;
}
@ -1443,13 +1438,7 @@ public final class Subject implements java.io.Serializable {
LinkedList<E> tmp = (LinkedList<E>) fields.get("elements", null);
Subject.collectionNullClean(tmp);
if (tmp.getClass() != LinkedList.class) {
elements = new LinkedList<E>(tmp);
} else {
elements = tmp;
}
elements = Subject.collectionNullClean(tmp);
}
}