Posted to commits@xerces.apache.org by mr...@apache.org on 2013/11/22 20:54:36 UTC
svn commit: r1544661 - in
/xerces/xml-commons/trunk/java/src/org/apache/xml/resolver:
CatalogManager.java readers/DOMCatalogReader.java
readers/SAXCatalogReader.java
Author: mrglavas
Date: Fri Nov 22 19:54:36 2013
New Revision: 1544661
URL: http://svn.apache.org/r1544661
Log:
Align XML Commons Resolver code with ObjectFactory classes in Xerces and Xalan which make explicit calls to checkPackageAccess() before loading classes.
Modified:
xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/CatalogManager.java
xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/DOMCatalogReader.java
xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/SAXCatalogReader.java
Modified: xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/CatalogManager.java
URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/CatalogManager.java?rev=1544661&r1=1544660&r2=1544661&view=diff
==============================================================================
--- xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/CatalogManager.java (original)
+++ xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/CatalogManager.java Fri Nov 22 19:54:36 2013
@@ -683,6 +683,16 @@ public class CatalogManager {
catalog = new Catalog();
} else {
try {
+ // throw security exception if the calling thread is not allowed to access the package
+ // restrict the access to package as specified in java.security policy
+ SecurityManager security = System.getSecurityManager();
+ if (security != null) {
+ final int lastDot = catalogClassName.lastIndexOf('.');
+ if (lastDot != -1) {
+ String packageName = catalogClassName.substring(0, lastDot);
+ security.checkPackageAccess(packageName);
+ }
+ }
catalog = (Catalog) Class.forName(catalogClassName).newInstance();
} catch (ClassNotFoundException cnfe) {
debug.message(1,"Catalog class named '"
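Review bot: The cast to `Catalog` on the `Class.forName(catalogClassName).newInstance()` line takes effect only after the named class has been initialised and its constructor has run, and the added `checkPackageAccess()` guard denies only packages listed in the `package.access` security property. Where `catalogClassName` comes from is outside this hunk, but if it can be set through configuration, the type should be verified before anything is instantiated: `Class c = Class.forName(catalogClassName, false, CatalogManager.class.getClassLoader());`, then `if (!Catalog.class.isAssignableFrom(c)) throw new ClassCastException(catalogClassName);`, then `c.newInstance()`. Throwing `ClassCastException` keeps the exception type the existing cast would raise. The same load-then-cast pattern appears in the DOMCatalogReader hunk and in the three SAXCatalogReader hunks; the enclosing method starts and ends outside this hunk.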
Modified: xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/DOMCatalogReader.java
URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/DOMCatalogReader.java?rev=1544661&r1=1544660&r2=1544661&view=diff
==============================================================================
--- xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/DOMCatalogReader.java (original)
+++ xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/DOMCatalogReader.java Fri Nov 22 19:54:36 2013
@@ -196,6 +196,16 @@ public class DOMCatalogReader implements
DOMCatalogParser domParser = null;
try {
+ // throw security exception if the calling thread is not allowed to access the package
+ // restrict the access to package as specified in java.security policy
+ SecurityManager security = System.getSecurityManager();
+ if (security != null) {
+ final int lastDot = domParserClass.lastIndexOf('.');
+ if (lastDot != -1) {
+ String packageName = domParserClass.substring(0, lastDot);
+ security.checkPackageAccess(packageName);
+ }
+ }
domParser = (DOMCatalogParser) Class.forName(domParserClass).newInstance();
} catch (ClassNotFoundException cnfe) {
catalog.getCatalogManager().debug.message(1, "Cannot load XML Catalog Parser class", domParserClass);
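Review bot: A `SecurityException` raised by the new `security.checkPackageAccess(packageName)` call is not handled by the only catch clause visible here, `catch (ClassNotFoundException cnfe)`, so it presumably leaves the method instead of being logged like the other load failures. The remaining catch clauses and the method signature are outside the hunk, so this is inferred. If propagation is intended, say so at the call, e.g. `// SecurityException is intentionally not caught: a policy denial must reach the caller`, and add an `@throws SecurityException` line to the method's Javadoc. The two added comment lines restate each other and could be merged into that single comment.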
Modified: xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/SAXCatalogReader.java
URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/SAXCatalogReader.java?rev=1544661&r1=1544660&r2=1544661&view=diff
==============================================================================
--- xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/SAXCatalogReader.java (original)
+++ xerces/xml-commons/trunk/java/src/org/apache/xml/resolver/readers/SAXCatalogReader.java Fri Nov 22 19:54:36 2013
@@ -248,6 +248,16 @@ public class SAXCatalogReader implements
}
parser.parse(new InputSource(is), spHandler);
} else {
+ // throw security exception if the calling thread is not allowed to access the package
+ // restrict the access to package as specified in java.security policy
+ SecurityManager security = System.getSecurityManager();
+ if (security != null) {
+ final int lastDot = parserClass.lastIndexOf('.');
+ if (lastDot != -1) {
+ String packageName = parserClass.substring(0, lastDot);
+ security.checkPackageAccess(packageName);
+ }
+ }
Parser parser = (Parser) Class.forName(parserClass, true, loader != null ? loader : this.getClass().getClassLoader()).newInstance();
parser.setDocumentHandler(this);
if (bResolver != null) {
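Review bot: The ten-line package-access block added in the `else` branch here is repeated verbatim in the two later hunks of this file, and again in CatalogManager and DOMCatalogReader, differing only in the variable that holds the class name. A private static helper in this class that takes the class name and performs the `lastIndexOf('.')` and `checkPackageAccess()` steps would reduce each call site to one line such as `checkPackageAccess(parserClass);` and keep the copies from drifting apart. The helper's Javadoc should record that a name without a dot (default package) is deliberately left unchecked. The enclosing method begins outside the hunk.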
@@ -353,6 +363,16 @@ public class SAXCatalogReader implements
}
try {
+ // throw security exception if the calling thread is not allowed to access the package
+ // restrict the access to package as specified in java.security policy
+ SecurityManager security = System.getSecurityManager();
+ if (security != null) {
+ final int lastDot = saxParserClass.lastIndexOf('.');
+ if (lastDot != -1) {
+ String packageName = saxParserClass.substring(0, lastDot);
+ security.checkPackageAccess(packageName);
+ }
+ }
saxParser = (SAXCatalogParser)
Class.forName(saxParserClass, true, loader != null ? loader : this.getClass().getClassLoader()).newInstance();
@@ -414,6 +434,16 @@ public class SAXCatalogReader implements
}
try {
+ // throw security exception if the calling thread is not allowed to access the package
+ // restrict the access to package as specified in java.security policy
+ SecurityManager security = System.getSecurityManager();
+ if (security != null) {
+ final int lastDot = saxParserClass.lastIndexOf('.');
+ if (lastDot != -1) {
+ String packageName = saxParserClass.substring(0, lastDot);
+ security.checkPackageAccess(packageName);
+ }
+ }
saxParser = (SAXCatalogParser)
Class.forName(saxParserClass, true, loader != null ? loader : this.getClass().getClassLoader()).newInstance();