Posted to dev@tomcat.apache.org by jb...@apache.org on 2015/03/07 16:43:41 UTC
svn commit: r1664878 -
/tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java
Author: jboynes
Date: Sat Mar 7 15:43:41 2015
New Revision: 1664878
URL: http://svn.apache.org/r1664878
Log:
Fix for https://bz.apache.org/bugzilla/show_bug.cgi?id=57673
If an AccessControlException is thrown while reading the accessExternalEntity property, fall back to the default.
Modified:
tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java
Modified: tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java
URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java?rev=1664878&r1=1664877&r2=1664878&view=diff
==============================================================================
--- tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java (original)
+++ tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java Sat Mar 7 15:43:41 2015
@@ -19,6 +19,7 @@ package org.apache.taglibs.standard.util
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.io.Reader;
+import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
@@ -113,12 +114,25 @@ public class XmlUtil {
}
private static final String SP_ALLOWED_PROTOCOLS = "org.apache.taglibs.standard.xml.accessExternalEntity";
- private static final String ALLOWED_PROTOCOLS = AccessController.doPrivileged(new PrivilegedAction<String>() {
- public String run() {
- String defaultProtocols = System.getSecurityManager() == null ? "all" : "";
- return System.getProperty(SP_ALLOWED_PROTOCOLS, defaultProtocols);
+ private static final String ALLOWED_PROTOCOLS = initAllowedProtocols();
+
+ private static String initAllowedProtocols() {
+ if (System.getSecurityManager() == null) {
+ return System.getProperty(SP_ALLOWED_PROTOCOLS, "all");
+ } else {
+ final String defaultProtocols = "";
+ try {
+ return AccessController.doPrivileged(new PrivilegedAction<String>() {
+ public String run() {
+ return System.getProperty(SP_ALLOWED_PROTOCOLS, defaultProtocols);
+ }
+ });
+ } catch (AccessControlException e) {
+ // Fall back to the default i.e. none.
+ return defaultProtocols;
+ }
}
- });
+ }
static void checkProtocol(String allowedProtocols, String uri) {
if ("all".equalsIgnoreCase(allowedProtocols)) {
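Review bot: The `catch (AccessControlException e)` in initAllowedProtocols is narrower than what System.getProperty is documented to throw, which is SecurityException. A custom security manager that rejects the property read with a plain SecurityException would propagate out of this static initializer, so XmlUtil would fail to load rather than fall back to allowing no protocols; `} catch (SecurityException e) {` keeps the fail-closed default in that case too. The fallback is also silent, so a deployment that sets accessExternalEntity without granting permission to read it has every external entity refused with no indication why; a single log line in the catch would make that diagnosable. Separately, the branch without a security manager defaults to "all", which deserves a comment such as `// No SecurityManager: external entity access is unrestricted unless the property narrows it.`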
@@ -130,7 +144,7 @@ public class XmlUtil {
return;
}
}
- throw new SecurityException("Access to external URI not allowed: " + uri);
+ throw new AccessControlException("Access to external URI not allowed: " + uri);
}
/**
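Review bot: The switch to `new AccessControlException(...)` in checkProtocol makes the taglib's own protocol restriction indistinguishable from a denial raised by the Java sandbox, and the log message does not say why the type changed. The exception is built without a Permission, so handlers or monitoring that call `getPermission()` on it will see null. A comment above the throw would help, for example `// Thrown by the taglib's protocol allow-list, not by the SecurityManager; no Permission is attached.` Existing callers that catch SecurityException are unaffected since AccessControlException is a subclass; the rest of checkProtocol lies outside this hunk.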