Posted to batik-commits@xmlgraphics.apache.org by ss...@apache.org on 2022/09/28 10:58:59 UTC
svn commit: r1904320 - in /xmlgraphics/batik/trunk: batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
Author: ssteiner
Date: Wed Sep 28 10:58:59 2022
New Revision: 1904320
URL: http://svn.apache.org/viewvc?rev=1904320&view=rev
Log:
BATIK-1338: Block loading jar inside svg
Modified:
xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
Modified: xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java?rev=1904320&r1=1904319&r2=1904320&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java (original)
+++ xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java Wed Sep 28 10:58:59 2022
@@ -20,6 +20,8 @@ package org.apache.batik.bridge;
import org.apache.batik.util.ParsedURL;
+import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;
+
/**
* Default implementation for the <code>ScriptSecurity</code> interface.
* It allows all types of scripts to be loaded, but only if they
@@ -76,7 +78,7 @@ public class DefaultScriptSecurity imple
ParsedURL docURL){
// Make sure that the archives comes from the same host
// as the document itself
- if (docURL == null) {
+ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
se = new SecurityException
(Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
new Object[]{scriptURL}));
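Review bot: The Java-archive rejection added on the `if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType))` line reuses ERROR_CANNOT_ACCESS_DOCUMENT_URL, so a jar refused by policy reports that the document URL could not be accessed even when docURL is present, and the comment above it ("Make sure that the archives comes from the same host as the document itself") no longer describes what the branch does. Split the archive case into its own branch ahead of the docURL check, give it a dedicated message key (a new constant in this class plus an entry in the Messages bundle, wording along the lines of "Java archives are not permitted as script content under the default security policy"), and reword the comment to say that application/java-archive is blocked unconditionally. `String.equals` is case-sensitive while MIME types are not, so if the script type reaches this constructor un-normalized a value such as `Application/Java-Archive` would skip the block; that is only a concern if the bridge's dispatch to the jar loader is equally lenient, which is worth confirming before switching to `equalsIgnoreCase`. This hardening lives only in DefaultScriptSecurity, so any other ScriptSecurity implementation that admits jars is unaffected, which may be intended but deserves a line in the commit log. The constructor whose body this hunk edits begins before the hunk.
```java
// application/java-archive is refused unconditionally (BATIK-1338): the
// default policy never loads a jar referenced from an SVG document.
if (SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
    se = new SecurityException
        (Messages.formatMessage(ERROR_JAVA_ARCHIVE_NOT_ALLOWED,  // new key, add to Messages
                                new Object[]{scriptURL}));
} else if (docURL == null) {
    // … unchanged: existing document-URL check …
```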
Modified: xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java?rev=1904320&r1=1904319&r2=1904320&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java (original)
+++ xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java Wed Sep 28 10:58:59 2022
@@ -22,6 +22,8 @@ import org.apache.batik.util.ParsedURL;
import org.junit.Assert;
import org.junit.Test;
+import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;
+
public class DefaultScriptSecurityTestCase {
@Test
public void testUrls() {
@@ -37,4 +39,19 @@ public class DefaultScriptSecurityTestCa
"which comes from different location than the document itself. This is not allowed with the current " +
"security settings and that script will not be loaded.");
}
+
+ @Test
+ public void testJarFile() {
+ ParsedURL docUrl = new ParsedURL("");
+ ParsedURL scriptUrl = new ParsedURL("poc.jar");
+ String ex = "";
+ try {
+ new DefaultScriptSecurity(SVG_SCRIPT_TYPE_JAVA, scriptUrl, docUrl).checkLoadScript();
+ } catch (SecurityException e) {
+ ex = e.getMessage();
+ }
+ Assert.assertEquals(ex, "Could not access the current document URL when trying to load script file " +
+ "file:poc.jar. Script will not be loaded as it is not possible to verify it comes from the same location " +
+ "as the document.");
+ }
}
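Review bot: testJarFile pins the reused "Could not access the current document URL" text in its assertEquals, which locks in a message that misdescribes why the jar was refused (docUrl is non-null in this test), so any move to a dedicated java-archive message will break it; asserting on the exception type plus a stable fragment of the message would be less brittle. The assertEquals arguments are also reversed for JUnit — `Assert.assertEquals("Could not access ...", ex)` puts the expected value first so a failure report reads correctly. A companion check that the same docUrl/scriptUrl pair with a non-Java script type such as `"text/ecmascript"` does not throw would guard the new condition against over-blocking, and an explicit `Assert.fail()` after the constructor call inside the try would make it clear that the test expects the exception rather than relying on the empty-string default.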