Posted to commits@xalan.apache.org by ar...@apache.org on 2004/02/12 10:55:10 UTC
cvs commit: xml-xalan/java/src/org/apache/xml/serializer ObjectFactory.java SecuritySupport.java SecuritySupport12.java CharInfo.java Encodings.java SerializerFactory.java
aruny 2004/02/12 01:55:10
Modified: java/src/org/apache/xml/serializer Tag: jaxp12112003_branch
SecuritySupport.java SecuritySupport12.java
CharInfo.java Encodings.java SerializerFactory.java
Added: java/src/org/apache/xml/serializer Tag: jaxp12112003_branch
ObjectFactory.java
Log:
The ObjectFactory class exposes class loaders publicly, which allows untrusted code to access internal classes. Making the following changes to fix it.
1. Duplicating the ObjectFactory, SecuritySupport.java and SecuritySupport12.java classes in order to make them package-private in each of the packages that require their services.
2. Using checkPackageAccess() to prevent access to internal packages of the JDK (sun.*).
Revision Changes Path
No revision
No revision
1.1.4.1 +9 -9 xml-xalan/java/src/org/apache/xml/serializer/SecuritySupport.java
Index: SecuritySupport.java
===================================================================
RCS file: /home/cvs/xml-xalan/java/src/org/apache/xml/serializer/SecuritySupport.java,v
retrieving revision 1.1
retrieving revision 1.1.4.1
diff -u -r1.1 -r1.1.4.1
--- SecuritySupport.java 9 Oct 2003 00:41:54 -0000 1.1
+++ SecuritySupport.java 12 Feb 2004 09:55:10 -0000 1.1.4.1
@@ -113,33 +113,33 @@
* Return an appropriate instance of this class, depending on whether
* we're on a JDK 1.1 or J2SE 1.2 (or later) system.
*/
- public static SecuritySupport getInstance() {
+ static SecuritySupport getInstance() {
return (SecuritySupport)securitySupport;
}
- public ClassLoader getContextClassLoader() {
+ ClassLoader getContextClassLoader() {
return null;
}
- public ClassLoader getSystemClassLoader() {
+ ClassLoader getSystemClassLoader() {
return null;
}
- public ClassLoader getParentClassLoader(ClassLoader cl) {
+ ClassLoader getParentClassLoader(ClassLoader cl) {
return null;
}
- public String getSystemProperty(String propName) {
+ String getSystemProperty(String propName) {
return System.getProperty(propName);
}
- public FileInputStream getFileInputStream(File file)
+ FileInputStream getFileInputStream(File file)
throws FileNotFoundException
{
return new FileInputStream(file);
}
- public InputStream getResourceAsStream(ClassLoader cl, String name) {
+ InputStream getResourceAsStream(ClassLoader cl, String name) {
InputStream ris;
if (cl == null) {
ris = ClassLoader.getSystemResourceAsStream(name);
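Review bot: Dropping `public` from `getInstance()` and the accessors in this hunk (and from `getFileExists`/`getLastModified` in the next one) only restricts callers if code outside the project cannot define a class in `org.apache.xml.serializer`. The diff shows neither the class declaration nor how the jar is packaged, so that is worth confirming; sealing the package in the jar manifest (`Sealed: true`) is the usual safeguard. I would also add a comment above `getInstance()`, for example `// Package-private on purpose: subclasses run these under doPrivileged; do not widen.`, so the modifiers are not restored later. The body of `getResourceAsStream` continues past the end of this hunk.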
@@ -149,11 +149,11 @@
return ris;
}
- public boolean getFileExists(File f) {
+ boolean getFileExists(File f) {
return f.exists();
}
- public long getLastModified(File f) {
+ long getLastModified(File f) {
return f.lastModified();
}
}
1.1.4.1 +8 -8 xml-xalan/java/src/org/apache/xml/serializer/SecuritySupport12.java
Index: SecuritySupport12.java
===================================================================
RCS file: /home/cvs/xml-xalan/java/src/org/apache/xml/serializer/SecuritySupport12.java,v
retrieving revision 1.1
retrieving revision 1.1.4.1
diff -u -r1.1 -r1.1.4.1
--- SecuritySupport12.java 9 Oct 2003 00:41:54 -0000 1.1
+++ SecuritySupport12.java 12 Feb 2004 09:55:10 -0000 1.1.4.1
@@ -76,7 +76,7 @@
*/
class SecuritySupport12 extends SecuritySupport {
- public ClassLoader getContextClassLoader() {
+ ClassLoader getContextClassLoader() {
return (ClassLoader)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
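Review bot: Every method touched in this file runs inside `AccessController.doPrivileged`, most of them on caller-supplied arguments (`cl`, `propName`, `file`, `name`, `f`), so after this change the package-private modifier is the only barrier between less-privileged code and those operations. This applies to this hunk and to the seven that follow it. Nothing in the visible lines records that contract. I would add a class-level Javadoc on `SecuritySupport12` stating that arguments must never originate from untrusted callers and that the returned class loaders, streams and property values must not be handed back to them. The privileged action bodies lie mostly outside the hunks, so what each `run()` does could not be checked here.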
@@ -89,7 +89,7 @@
});
}
- public ClassLoader getSystemClassLoader() {
+ ClassLoader getSystemClassLoader() {
return (ClassLoader)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
@@ -102,7 +102,7 @@
});
}
- public ClassLoader getParentClassLoader(final ClassLoader cl) {
+ ClassLoader getParentClassLoader(final ClassLoader cl) {
return (ClassLoader)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
@@ -118,7 +118,7 @@
});
}
- public String getSystemProperty(final String propName) {
+ String getSystemProperty(final String propName) {
return (String)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
@@ -127,7 +127,7 @@
});
}
- public FileInputStream getFileInputStream(final File file)
+ FileInputStream getFileInputStream(final File file)
throws FileNotFoundException
{
try {
@@ -142,7 +142,7 @@
}
}
- public InputStream getResourceAsStream(final ClassLoader cl,
+ InputStream getResourceAsStream(final ClassLoader cl,
final String name)
{
return (InputStream)
@@ -159,7 +159,7 @@
});
}
- public boolean getFileExists(final File f) {
+ boolean getFileExists(final File f) {
return ((Boolean)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
@@ -168,7 +168,7 @@
})).booleanValue();
}
- public long getLastModified(final File f) {
+ long getLastModified(final File f) {
return ((Long)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
1.9.2.1 +1 -1 xml-xalan/java/src/org/apache/xml/serializer/CharInfo.java
Index: CharInfo.java
===================================================================
RCS file: /home/cvs/xml-xalan/java/src/org/apache/xml/serializer/CharInfo.java,v
retrieving revision 1.9
retrieving revision 1.9.2.1
diff -u -r1.9 -r1.9.2.1
--- CharInfo.java 23 Oct 2003 20:31:14 -0000 1.9
+++ CharInfo.java 12 Feb 2004 09:55:10 -0000 1.9.2.1
@@ -71,7 +71,7 @@
import org.apache.xml.res.XMLErrorResources;
import org.apache.xml.res.XMLMessages;
import org.apache.xml.utils.CharKey;
-import org.apache.xml.utils.ObjectFactory;
+
import org.apache.xml.utils.SystemIDResolver;
import org.apache.xml.utils.WrappedRuntimeException;
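Review bot: Deleting the `org.apache.xml.utils.ObjectFactory` import leaves a stray blank line and no record that the unqualified `ObjectFactory` must now resolve to the copy in this package; the same applies to the matching hunks in Encodings.java and SerializerFactory.java. Re-adding the import would still compile and, assuming the utils class still exists, would quietly route lookups back through the public factory that the log message describes. I would drop the blank line and put a comment at the use site, e.g. `// Uses the package-private org.apache.xml.serializer.ObjectFactory; do not import org.apache.xml.utils.ObjectFactory.`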
1.6.2.1 +2 -2 xml-xalan/java/src/org/apache/xml/serializer/Encodings.java
Index: Encodings.java
===================================================================
RCS file: /home/cvs/xml-xalan/java/src/org/apache/xml/serializer/Encodings.java,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- Encodings.java 4 Dec 2003 20:44:51 -0000 1.6
+++ Encodings.java 12 Feb 2004 09:55:10 -0000 1.6.2.1
@@ -70,7 +70,7 @@
import java.security.PrivilegedAction;
import java.security.AccessController;
-import org.apache.xml.utils.ObjectFactory;
+
/**
* Provides information about encodings. Depends on the Java runtime
1.4.2.1 +1 -1 xml-xalan/java/src/org/apache/xml/serializer/SerializerFactory.java
Index: SerializerFactory.java
===================================================================
RCS file: /home/cvs/xml-xalan/java/src/org/apache/xml/serializer/SerializerFactory.java,v
retrieving revision 1.4
retrieving revision 1.4.2.1
diff -u -r1.4 -r1.4.2.1
--- SerializerFactory.java 22 Oct 2003 19:40:01 -0000 1.4
+++ SerializerFactory.java 12 Feb 2004 09:55:10 -0000 1.4.2.1
@@ -63,7 +63,7 @@
import org.apache.xml.res.XMLErrorResources;
import org.apache.xml.res.XMLMessages;
-import org.apache.xml.utils.ObjectFactory;
+
import org.xml.sax.ContentHandler;
/**
No revision
Index: SerializerFactory.java
===================================================================
RCS file: /home/cvs/xml-xalan/java/src/org/apache/xml/serializer/SerializerFactory.java,v
retrieving revision 1.4
retrieving revision 1.4.2.1
diff -u -r1.4 -r1.4.2.1
--- SerializerFactory.java 22 Oct 2003 19:40:01 -0000 1.4
+++ SerializerFactory.java 12 Feb 2004 09:55:10 -0000 1.4.2.1
@@ -63,7 +63,7 @@
import org.apache.xml.res.XMLErrorResources;
import org.apache.xml.res.XMLMessages;
-import org.apache.xml.utils.ObjectFactory;
+
import org.xml.sax.ContentHandler;
/**
No revision
Index: SerializerFactory.java
===================================================================
RCS file: /home/cvs/xml-xalan/java/src/org/apache/xml/serializer/SerializerFactory.java,v
retrieving revision 1.4
retrieving revision 1.4.2.1
diff -u -r1.4 -r1.4.2.1
--- SerializerFactory.java 22 Oct 2003 19:40:01 -0000 1.4
+++ SerializerFactory.java 12 Feb 2004 09:55:10 -0000 1.4.2.1
@@ -63,7 +63,7 @@
import org.apache.xml.res.XMLErrorResources;
import org.apache.xml.res.XMLMessages;
-import org.apache.xml.utils.ObjectFactory;
+
import org.xml.sax.ContentHandler;
/**
1.1.2.1 +665 -0 xml-xalan/java/src/org/apache/xml/serializer/Attic/ObjectFactory.java