
src/java.desktop/share/classes/java/beans/Statement.java


        

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.  Oracle designates this

@@ -37,10 +37,12 @@
 import com.sun.beans.finder.ClassFinder;
 import com.sun.beans.finder.ConstructorFinder;
 import com.sun.beans.finder.MethodFinder;
 import sun.reflect.misc.MethodUtil;
 
+import static sun.reflect.misc.ReflectUtil.checkPackageAccess;
+
 /**
  * A {@code Statement} object represents a primitive statement
  * in which a single method is applied to a target and
  * a set of arguments - as in {@code "a.setFoo(b)"}.
  * Note that where this example uses names

@@ -203,16 +205,26 @@
         }
 
         Object[] arguments = getArguments();
         if (arguments == null) {
             arguments = emptyArray;
+        } else {
+            arguments = arguments.clone();
         }
-        // Class.forName() won't load classes outside
+        if (target == Class.class && methodName.equals("forName")) {
+            final String name = (String) arguments[0];
+            if (arguments.length == 1) {
+                // Class.forName(String className) won't load classes outside
         // of core from a class inside core. Special
         // case this method.
-        if (target == Class.class && methodName.equals("forName")) {
-            return ClassFinder.resolveClass((String)arguments[0], this.loader);
+                // checkPackageAccess(name) will be called by ClassFinder
+                return ClassFinder.resolveClass(name, this.loader);
+            }
+            // The 3 args Class.forName(String className, boolean, classloader)
+            // requires getClassLoader permission, but we will be stricter and
+            // will require access to the package as well.
+            checkPackageAccess(name);
         }
         Class<?>[] argClasses = new Class<?>[arguments.length];
         for(int i = 0; i < arguments.length; i++) {
             argClasses[i] = (arguments[i] == null) ? null : arguments[i].getClass();
         }