You are viewing a plain text version of this content. The canonical link for it is here.
Posted to batik-commits@xmlgraphics.apache.org by ss...@apache.org on 2022/08/16 14:17:59 UTC
svn commit: r1903462 - in /xmlgraphics/batik/trunk: batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java
Author: ssteiner
Date: Tue Aug 16 14:17:59 2022
New Revision: 1903462
URL: http://svn.apache.org/viewvc?rev=1903462&view=rev
Log:
BATIK-1331: Jar url should be blocked by DefaultExternalResourceSecurity
Added:
xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java
Modified:
xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
Modified: xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java?rev=1903462&r1=1903461&r2=1903462&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java (original)
+++ xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java Tue Aug 16 14:17:59 2022
@@ -20,6 +20,9 @@ package org.apache.batik.bridge;
import org.apache.batik.util.ParsedURL;
+import java.net.URI;
+import java.net.URISyntaxException;
+
/**
* Default implementation for the <code>ExternalResourceSecurity</code> interface.
* It allows all types of external resources to be loaded, but only if they
@@ -81,6 +84,13 @@ public class DefaultExternalResourceSecu
} else {
String docHost = docURL.getHost();
String externalResourceHost = externalResourceURL.getHost();
+ if (externalResourceHost == null && !DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
+ try {
+ externalResourceHost = new URI(externalResourceURL.getPath()).getHost();
+ } catch (URISyntaxException e) {
+ throw new RuntimeException(e);
+ }
+ }
if ((docHost != externalResourceHost) &&
((docHost == null) || (!docHost.equals(externalResourceHost)))){
Added: xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java?rev=1903462&view=auto
==============================================================================
--- xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java (added)
+++ xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java Tue Aug 16 14:17:59 2022
@@ -0,0 +1,40 @@
+/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ */
+package org.apache.batik.bridge;
+
+import org.apache.batik.util.ParsedURL;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class DefaultExternalResourceSecurityTestCase {
+ @Test
+ public void testJarURL() {
+ ParsedURL ext = new ParsedURL("jar:http://evil.com/poc!/");
+ ParsedURL doc = new ParsedURL(".");
+ String err = "";
+ try {
+ new DefaultExternalResourceSecurity(ext, doc).checkLoadExternalResource();
+ } catch (SecurityException e) {
+ err = e.getMessage();
+ }
+ Assert.assertEquals(err, "The document references a external resource (jar:http://evil.com/poc!/) which " +
+ "comes from different location than the document itself. This is not allowed for security reasons and " +
+ "that resource will not be loaded.");
+ }
+}