Posted to batik-commits@xmlgraphics.apache.org by ss...@apache.org on 2022/08/16 14:17:59 UTC

svn commit: r1903462 - in /xmlgraphics/batik/trunk: batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java

Author: ssteiner
Date: Tue Aug 16 14:17:59 2022
New Revision: 1903462

URL: http://svn.apache.org/viewvc?rev=1903462&view=rev
Log:
BATIK-1331: Jar url should be blocked by DefaultExternalResourceSecurity

Added:
    xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java
Modified:
    xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java

Modified: xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java?rev=1903462&r1=1903461&r2=1903462&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java (original)
+++ xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java Tue Aug 16 14:17:59 2022
@@ -20,6 +20,9 @@ package org.apache.batik.bridge;
 
 import org.apache.batik.util.ParsedURL;
 
+import java.net.URI;
+import java.net.URISyntaxException;
+
 /**
  * Default implementation for the <code>ExternalResourceSecurity</code> interface.
  * It allows all types of external resources to be loaded, but only if they
@@ -81,6 +84,13 @@ public class DefaultExternalResourceSecu
         } else {
             String docHost    = docURL.getHost();
             String externalResourceHost = externalResourceURL.getHost();
+            if (externalResourceHost == null && !DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
+                try {
+                    externalResourceHost = new URI(externalResourceURL.getPath()).getHost();
+                } catch (URISyntaxException e) {
+                    throw new RuntimeException(e);
+                }
+            }
             
             if ((docHost != externalResourceHost) &&
                 ((docHost == null) || (!docHost.equals(externalResourceHost)))){
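Review bot: The new `catch (URISyntaxException e)` branch turns a malformed nested URL (e.g. a `jar:` URL whose embedded path is not a valid URI) into an unchecked `RuntimeException` that escapes `checkLoadExternalResource`, so a resource whose origin cannot be determined crashes the caller instead of being refused the way a cross-origin resource is. In a security check the failure should be a deny, so I would replace `throw new RuntimeException(e);` with `throw new SecurityException("Cannot determine the origin of external resource " + externalResourceURL + ": " + e.getMessage(), e);` so callers that already handle the cross-origin `SecurityException` also handle this case. Note also that when the embedded URI carries no host (a `jar:file:` URL, for instance) `externalResourceHost` stays null and the existing `docHost != externalResourceHost` comparison on the next lines treats it as matching a local document; if that is intended it deserves a comment such as `// host-less nested URLs (jar:file:) are only matched against a host-less document URL`. The enclosing method begins and ends outside this hunk.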

Added: xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java?rev=1903462&view=auto
==============================================================================
--- xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java (added)
+++ xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultExternalResourceSecurityTestCase.java Tue Aug 16 14:17:59 2022
@@ -0,0 +1,40 @@
+/*
+
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+ */
+package org.apache.batik.bridge;
+
+import org.apache.batik.util.ParsedURL;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class DefaultExternalResourceSecurityTestCase {
+    @Test
+    public void testJarURL() {
+        ParsedURL ext = new ParsedURL("jar:http://evil.com/poc!/");
+        ParsedURL doc = new ParsedURL(".");
+        String err = "";
+        try {
+            new DefaultExternalResourceSecurity(ext, doc).checkLoadExternalResource();
+        } catch (SecurityException e) {
+            err = e.getMessage();
+        }
+        Assert.assertEquals(err, "The document references a external resource (jar:http://evil.com/poc!/) which " +
+                "comes from different location than the document itself. This is not allowed for security reasons and " +
+                "that resource will not be loaded.");
+    }
+}
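Review bot: `Assert.assertEquals(err, "The document references ...")` passes the actual value as the expected argument, so a failing run reports the expected and actual strings swapped; the call should read `Assert.assertEquals("The document references a external resource (jar:http://evil.com/poc!/) which " + ... , err);`. The test also only covers the well-formed `jar:http://` case; a second case with a `jar:` URL whose embedded part is not a valid URI would pin down whether the check fails closed with a `SecurityException` rather than surfacing some other exception, which the production hunk in `DefaultExternalResourceSecurity.java` does not currently guarantee. Asserting on the full message text is brittle; asserting that a `SecurityException` was thrown and that its message mentions the offending URL would survive wording changes.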