Posted to commits@cxf.apache.org by am...@apache.org on 2018/04/26 22:15:24 UTC
[cxf] branch master updated: Resolve Java 2 security issues with
doPrivs
This is an automated email from the ASF dual-hosted git repository.
amccright pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new fcfd411 Resolve Java 2 security issues with doPrivs
fcfd411 is described below
commit fcfd41153eaf209169dbf719407ff1b1b8ddd644
Author: Andy McCright <j....@gmail.com>
AuthorDate: Thu Apr 26 17:14:38 2018 -0500
Resolve Java 2 security issues with doPrivs
---
.../org/apache/cxf/jaxrs/provider/AbstractJAXBProvider.java | 12 +++++++++---
.../cxf/jaxrs/sse/client/InboundSseEventProcessor.java | 8 +++++++-
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/AbstractJAXBProvider.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/AbstractJAXBProvider.java
index 4b326ff..bf45677 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/AbstractJAXBProvider.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/AbstractJAXBProvider.java
@@ -25,6 +25,8 @@ import java.io.OutputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Array;
import java.lang.reflect.Type;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -522,7 +524,7 @@ public abstract class AbstractJAXBProvider<T> extends AbstractConfigurableProvid
public JAXBContext getPackageContext(Class<?> type) {
return getPackageContext(type, type);
}
- protected JAXBContext getPackageContext(Class<?> type, Type genericType) {
+ protected JAXBContext getPackageContext(final Class<?> type, Type genericType) {
if (type == null || type == JAXBElement.class) {
return null;
}
@@ -531,7 +533,11 @@ public abstract class AbstractJAXBProvider<T> extends AbstractConfigurableProvid
JAXBContext context = packageContexts.get(packageName);
if (context == null) {
try {
- if (type.getClassLoader() != null && objectFactoryOrIndexAvailable(type)) {
+ final ClassLoader loader = AccessController.doPrivileged((PrivilegedAction<ClassLoader>)
+ () -> {
+ return type.getClassLoader();
+ });
+ if (loader != null && objectFactoryOrIndexAvailable(type)) {
String contextName = packageName;
if (extraClass != null) {
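Review bot: The class loader read under `doPrivileged` into the new `loader` local is the sensitive value here, and nothing in the hunk records that it must stay local. `getPackageContext(Class<?>)` is public and `type` is caller-supplied, so a later refactor that returns or caches `loader` would hand a less-privileged caller exactly what `RuntimePermission("getClassLoader")` is meant to guard. I would add a comment above the call, `// Privileged only to read the loader; keep it local and never expose it to callers.` The cast-plus-block lambda can also be shortened to `(PrivilegedAction<ClassLoader>) type::getClassLoader`. Whether `objectFactoryOrIndexAvailable(type)` on the following line needs the same treatment cannot be judged from this hunk, and the method body continues outside it.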
@@ -545,7 +551,7 @@ public abstract class AbstractJAXBProvider<T> extends AbstractConfigurableProvid
contextName = sb.toString();
}
- context = JAXBContext.newInstance(contextName, type.getClassLoader(), cProperties);
+ context = JAXBContext.newInstance(contextName, loader, cProperties);
packageContexts.put(packageName, context);
}
} catch (JAXBException ex) {
diff --git a/rt/rs/sse/src/main/java/org/apache/cxf/jaxrs/sse/client/InboundSseEventProcessor.java b/rt/rs/sse/src/main/java/org/apache/cxf/jaxrs/sse/client/InboundSseEventProcessor.java
index 4d88ee7..8e02e71 100644
--- a/rt/rs/sse/src/main/java/org/apache/cxf/jaxrs/sse/client/InboundSseEventProcessor.java
+++ b/rt/rs/sse/src/main/java/org/apache/cxf/jaxrs/sse/client/InboundSseEventProcessor.java
@@ -22,6 +22,8 @@ import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
@@ -133,7 +135,11 @@ public class InboundSseEventProcessor {
return true;
}
- executor.shutdown();
+ AccessController.doPrivileged((PrivilegedAction<Void>)
+ () -> {
+ executor.shutdown();
+ return null;
+ });
return executor.awaitTermination(timeout, unit);
} catch (final InterruptedException ex) {
return false;
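Review bot: The `doPrivileged` block around `executor.shutdown()` has no comment saying which permission it asserts or why asserting it is safe. `ExecutorService.shutdown()` is documented to require `RuntimePermission("modifyThread")` under a security manager, and the block now exercises that permission on behalf of whichever caller reaches this method. A short comment such as `// shutdown() needs RuntimePermission("modifyThread"); safe because the executor is owned by this processor` would record the assumption, which should be confirmed since the hunk does not show where `executor` is created. The enclosing method starts before the hunk and continues past it.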
--