1 /*
2  * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.
8  *
9  * This code is distributed in the hope that it will be useful, but WITHOUT
10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12  * version 2 for more details (a copy is included in the LICENSE file that
13  * accompanied this code).
14  *
15  * You should have received a copy of the GNU General Public License version
16  * 2 along with this work; if not, write to the Free Software Foundation,
17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  *
19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20  * or visit www.oracle.com if you need additional information or have any
21  * questions.
22  */
23 
24 /* @test
25  * @bug 4311940
26  * @summary Verify that unauthorized ObjectOutputStream and ObjectInputStream
27  *          cannot be constructed if they override security-sensitive non-final
28  *          methods.
29  * @build AuditStreamSubclass
30  * @run main/othervm AuditStreamSubclass
31  */
32 import java.io.*;
33 
/**
 * Control case: an {@link ObjectOutputStream} subclass that declares only a
 * constructor and overrides none of the stream's methods. The test's main
 * method constructs it under a security manager and expects no
 * {@link SecurityException}.
 */
class GoodOOS1 extends ObjectOutputStream {
    GoodOOS1(OutputStream out) throws IOException {
        super(out);
    }
}
37 
/**
 * Control case one level deeper: extends {@link GoodOOS1} and again adds
 * nothing but a constructor, so the whole inheritance chain is free of
 * overrides. The test expects construction under a security manager to
 * succeed.
 */
class GoodOOS2 extends GoodOOS1 {
    GoodOOS2(OutputStream out) throws IOException {
        super(out);
    }
}
41 
/**
 * Negative case: a direct {@link ObjectOutputStream} subclass that overrides
 * {@code putFields()}. The test expects the constructor to be rejected with a
 * {@link SecurityException} when a security manager is installed.
 */
class BadOOS1 extends ObjectOutputStream {
    BadOOS1(OutputStream out) throws IOException {
        super(out);
    }

    // The override itself is the point of the class; its body is never
    // relevant to the test, so it simply returns null.
    @Override
    public PutField putFields() throws IOException {
        return null;
    }
}
46 
/**
 * Negative case: a direct {@link ObjectOutputStream} subclass that overrides
 * {@code writeUnshared(Object)}. The test expects the constructor to be
 * rejected with a {@link SecurityException} when a security manager is
 * installed.
 */
class BadOOS2 extends ObjectOutputStream {
    BadOOS2(OutputStream out) throws IOException {
        super(out);
    }

    // Deliberately a no-op: only the presence of the override matters.
    @Override
    public void writeUnshared(Object obj) throws IOException {
    }
}
51 
/**
 * Negative case reached indirectly: extends the otherwise acceptable
 * {@link GoodOOS1} but overrides {@code writeUnshared(Object)} itself. The
 * test expects a {@link SecurityException} here as well, i.e. an override
 * anywhere below {@link java.io.ObjectOutputStream} in the chain counts.
 */
class BadOOS3 extends GoodOOS1 {
    BadOOS3(OutputStream out) throws IOException {
        super(out);
    }

    // Deliberately a no-op: only the presence of the override matters.
    @Override
    public void writeUnshared(Object obj) throws IOException {
    }
}
56 
57 
/**
 * Control case: an {@link ObjectInputStream} subclass that declares only a
 * constructor and overrides none of the stream's methods. The test's main
 * method constructs it under a security manager and expects no
 * {@link SecurityException}.
 */
class GoodOIS1 extends ObjectInputStream {
    GoodOIS1(InputStream in) throws IOException {
        super(in);
    }
}
61 
/**
 * Control case one level deeper: extends {@link GoodOIS1} and again adds
 * nothing but a constructor, so the whole inheritance chain is free of
 * overrides. The test expects construction under a security manager to
 * succeed.
 */
class GoodOIS2 extends GoodOIS1 {
    GoodOIS2(InputStream in) throws IOException {
        super(in);
    }
}
65 
/**
 * Negative case: a direct {@link ObjectInputStream} subclass that overrides
 * {@code readFields()}. The test expects the constructor to be rejected with
 * a {@link SecurityException} when a security manager is installed.
 */
class BadOIS1 extends ObjectInputStream {
    BadOIS1(InputStream in) throws IOException {
        super(in);
    }

    // The override itself is the point of the class; its body is never
    // relevant to the test, so it simply returns null.
    @Override
    public GetField readFields() throws IOException, ClassNotFoundException {
        return null;
    }
}
72 
/**
 * Negative case: a direct {@link ObjectInputStream} subclass that overrides
 * {@code readUnshared()}. The test expects the constructor to be rejected
 * with a {@link SecurityException} when a security manager is installed.
 */
class BadOIS2 extends ObjectInputStream {
    BadOIS2(InputStream in) throws IOException {
        super(in);
    }

    // Only the presence of the override matters; the stub reads nothing.
    @Override
    public Object readUnshared() throws IOException, ClassNotFoundException {
        return null;
    }
}
79 
/**
 * Negative case reached indirectly: extends the otherwise acceptable
 * {@link GoodOIS1} but overrides {@code readUnshared()} itself. The test
 * expects a {@link SecurityException} here as well, i.e. an override anywhere
 * below {@link java.io.ObjectInputStream} in the chain counts.
 */
class BadOIS3 extends GoodOIS1 {
    BadOIS3(InputStream in) throws IOException {
        super(in);
    }

    // Only the presence of the override matters; the stub reads nothing.
    @Override
    public Object readUnshared() throws IOException, ClassNotFoundException {
        return null;
    }
}
86 
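/**
 * Regression test for bug 4311940: with a security manager installed,
 * subclasses of ObjectOutputStream / ObjectInputStream that override
 * security-sensitive non-final methods must not be constructible by
 * unprivileged code.
 *
 * <p>The methods exercised here are {@code putFields} and
 * {@code writeUnshared} on the output side and {@code readFields} and
 * {@code readUnshared} on the input side. Per the java.io stream constructor
 * documentation, constructing such a subclass requires
 * {@code SerializablePermission("enableSubclassImplementation")}; this test
 * code is expected to run without that permission.
 */
public class AuditStreamSubclass {
    /**
     * Constructs each helper stream class and checks the outcome: the
     * {@code Good*} classes must construct normally, the {@code Bad*} classes
     * must fail with {@link SecurityException}.
     *
     * @param args unused
     * @throws Exception if setting up the in-memory streams fails
     * @throws Error if a {@code Bad*} class is constructed without a
     *         {@link SecurityException}; the message names the class
     */
    public static void main(String[] args) throws Exception {
        // The subclass audit is only enforced when a security manager is
        // present, so install one if the harness did not.
        // NOTE(review): on JDKs where the Security Manager is deprecated or
        // disallowed (JEP 411), setSecurityManager may throw
        // UnsupportedOperationException - this test only applies to JDKs that
        // still support it.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }

        // Produce a minimal valid serialization stream (header only) so the
        // ObjectInputStream constructors below have something to read.
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        ObjectOutputStream oout = new ObjectOutputStream(bout);
        oout.flush();
        byte[] buf = bout.toByteArray();

        // Subclasses without overrides must remain constructible; any
        // exception here propagates and fails the test.
        new GoodOOS1(bout);
        new GoodOOS2(bout);
        new GoodOIS1(new ByteArrayInputStream(buf));
        new GoodOIS2(new ByteArrayInputStream(buf));

        // Each block below fails the test if construction succeeds. Error is
        // not a SecurityException, so it is not swallowed by the catch.
        try {
            new BadOOS1(bout);
            throw new Error(
                "BadOOS1 (overrides putFields) constructed without SecurityException");
        } catch (SecurityException expected) {
            // expected: the constructor refused the overriding subclass
        }

        try {
            new BadOOS2(bout);
            throw new Error(
                "BadOOS2 (overrides writeUnshared) constructed without SecurityException");
        } catch (SecurityException expected) {
            // expected: the constructor refused the overriding subclass
        }

        try {
            new BadOOS3(bout);
            throw new Error(
                "BadOOS3 (overrides writeUnshared below GoodOOS1) constructed"
                + " without SecurityException");
        } catch (SecurityException expected) {
            // expected: the override is caught even below a clean superclass
        }

        try {
            new BadOIS1(new ByteArrayInputStream(buf));
            throw new Error(
                "BadOIS1 (overrides readFields) constructed without SecurityException");
        } catch (SecurityException expected) {
            // expected: the constructor refused the overriding subclass
        }

        try {
            new BadOIS2(new ByteArrayInputStream(buf));
            throw new Error(
                "BadOIS2 (overrides readUnshared) constructed without SecurityException");
        } catch (SecurityException expected) {
            // expected: the constructor refused the overriding subclass
        }

        try {
            new BadOIS3(new ByteArrayInputStream(buf));
            throw new Error(
                "BadOIS3 (overrides readUnshared below GoodOIS1) constructed"
                + " without SecurityException");
        } catch (SecurityException expected) {
            // expected: the override is caught even below a clean superclass
        }
    }
}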