This is an automated email from the ASF dual-hosted git repository.
amccright pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new 2424d91 Fix Java 2 security issues
2424d91 is described below
commit 2424d912e92109c3ce08a95347056e825b52c035
Author: Andy McCright <j.andrew.mccri...@gmail.com>
AuthorDate: Tue Feb 5 13:02:37 2019 -0600
Fix Java 2 security issues
---
.../java/org/apache/cxf/common/classloader/ClassLoaderUtils.java | 6 ++++++
.../main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java | 5 +++--
core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java | 3 ++-
core/src/main/java/org/apache/cxf/helpers/JavaUtils.java | 4 +++-
.../cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java | 3 ++-
5 files changed, 16 insertions(+), 5 deletions(-)
diff --git
a/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java
b/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java
index e087da1..9514b1c 100644
--- a/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java
@@ -290,6 +290,12 @@ public final class ClassLoaderUtils {
}
return loadClass2(className, callingClass).asSubclass(type);
}
+
+ public static String getClassLoaderName(Class<?> type) {
+ ClassLoader loader = getClassLoader(type);
+ return loader == null ? "null" : loader.toString();
+ }
+
private static Class<?> loadClass2(String className, Class<?> callingClass)
throws ClassNotFoundException {
try {
diff --git
a/core/src/main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java
b/core/src/main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java
index dd69a13..9b00f99 100644
--- a/core/src/main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java
+++ b/core/src/main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java
@@ -24,6 +24,7 @@ import java.security.PrivilegedAction;
import java.util.logging.Level;
import java.util.logging.Logger;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.logging.LogUtils;
public class ProxyClassLoaderCache {
@@ -42,7 +43,7 @@ public class ProxyClassLoaderCache {
LOG.log(Level.FINE, "interface for new created ProxyClassLoader is
"
+ proxyInterface.getName());
LOG.log(Level.FINE, "interface's classloader for new created
ProxyClassLoader is "
- + proxyInterface.getClassLoader());
+ + ClassLoaderUtils.getClassLoaderName(proxyInterface));
return createProxyClassLoader(proxyInterface);
}
@@ -80,7 +81,7 @@ public class ProxyClassLoaderCache {
String ifName = currentInterface.getName();
LOG.log(Level.FINE, "the interface we are checking is " +
currentInterface.getName());
LOG.log(Level.FINE, "the interface' classloader we are
checking is "
- + currentInterface.getClassLoader());
+ + getClassLoader(currentInterface));
if (!ifName.startsWith("org.apache.cxf") &&
!ifName.startsWith("java")) {
// cache and retrieve customer interface
LOG.log(Level.FINE, "the customer interface is " +
currentInterface.getName()
diff --git a/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java
b/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java
index 04e4ee2..0affeab 100644
--- a/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java
+++ b/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java
@@ -25,6 +25,7 @@ import java.lang.reflect.Proxy;
import java.util.logging.Level;
import java.util.logging.Logger;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.logging.LogUtils;
/**
@@ -97,7 +98,7 @@ public class ProxyHelper {
private String getSortedNameFromInterfaceArray(Class<?>[] interfaces) {
SortedArraySet<String> arraySet = new SortedArraySet<String>();
for (Class<?> currentInterface : interfaces) {
- arraySet.add(currentInterface.getName() +
currentInterface.getClassLoader());
+ arraySet.add(currentInterface.getName() +
ClassLoaderUtils.getClassLoaderName(currentInterface));
}
return arraySet.toString();
}
diff --git a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
index 6224cc4..8d14409 100644
--- a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java
@@ -23,6 +23,8 @@ import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
+import org.apache.cxf.common.util.SystemPropertyAction;
+
public final class JavaUtils {
/** Use this character as suffix */
@@ -51,7 +53,7 @@ public final class JavaUtils {
private static boolean isJava8Before161;
static {
- String version = System.getProperty("java.version");
+ String version = SystemPropertyAction.getProperty("java.version");
try {
isJava8Before161 = version != null && version.startsWith("1.8.0_")
&& Integer.parseInt(version.substring(6)) < 161;
diff --git
a/rt/rs/microprofile-client/src/main/java/org/apache/cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java
b/rt/rs/microprofile-client/src/main/java/org/apache/cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java
index 14ab55a..81af0ed 100644
---
a/rt/rs/microprofile-client/src/main/java/org/apache/cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java
+++
b/rt/rs/microprofile-client/src/main/java/org/apache/cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java
@@ -40,6 +40,7 @@ import javax.ws.rs.core.Response;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.ReflectionUtil;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Interceptor;
import org.apache.cxf.jaxrs.client.ClientProxyImpl;
@@ -82,7 +83,7 @@ public class MicroProfileClientProxyImpl extends
ClientProxyImpl {
Method m;
try {
Class<?> jaxrsUtilsClass =
Class.forName("org.apache.cxf.jaxrs.utils.JAXRSUtils");
- m = jaxrsUtilsClass.getDeclaredMethod("getCurrentMessage");
+ m = ReflectionUtil.getDeclaredMethod(jaxrsUtilsClass,
"getCurrentMessage");
} catch (Throwable t) {
// expected in non-JAX-RS server environments
if (LOG.isLoggable(Level.FINEST)) {
