Posted to batik-commits@xmlgraphics.apache.org by ss...@apache.org on 2022/09/07 08:22:08 UTC
svn commit: r1903910 - in /xmlgraphics/batik/trunk: batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
Author: ssteiner
Date: Wed Sep 7 08:22:07 2022
New Revision: 1903910
URL: http://svn.apache.org/viewvc?rev=1903910&view=rev
Log:
BATIK-1335: Jar url should be blocked by DefaultScriptSecurity
Added:
xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java (with props)
Modified:
xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
Modified: xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java?rev=1903910&r1=1903909&r2=1903910&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java (original)
+++ xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java Wed Sep 7 08:22:07 2022
@@ -83,6 +83,10 @@ public class DefaultScriptSecurity imple
} else {
String docHost = docURL.getHost();
String scriptHost = scriptURL.getHost();
+
+ if (scriptHost == null && scriptURL.getPath() != null) {
+ scriptHost = new ParsedURL(scriptURL.getPath()).getHost();
+ }
if ((docHost != scriptHost) &&
((docHost == null) || (!docHost.equals(scriptHost)))) {
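Review bot: The unwrap added on the new lines goes exactly one level deep, so a script URL whose inner path is itself a host-less URL (a `jar:` wrapping another `jar:`, or any other nesting protocol ParsedURL handles) still leaves `scriptHost == null`, and when the document also has no host (a `file:` document, the case the new test uses) the `docHost != scriptHost` comparison on the following lines is false and the script is allowed. Whether a given nested input really parses that way depends on ParsedURL's protocol handlers, which are outside this hunk, so treat it as something to confirm with a test rather than a proven bypass. A bounded loop that keeps unwrapping while the host stays null and the path keeps changing would close that gap; alternatively, since the log message says jar URLs should be blocked outright, an explicit check on `scriptURL.getProtocol()` would state the intent directly instead of relying on host extraction (as written, `jar:http://sameHost/x.jar!/` loaded by a document on `sameHost` is still permitted). The enclosing checkLoadScript method starts and ends outside the hunk.
```java
                String scriptHost = scriptURL.getHost();
                // Unwrap nesting protocols (jar:http://..., jar:jar:...) until a host
                // appears or the path stops changing; bounded so a pathological URL
                // cannot loop forever.
                String inner = scriptURL.getPath();
                for (int depth = 0; scriptHost == null && inner != null && depth < 8; depth++) {
                    ParsedURL innerURL = new ParsedURL(inner);
                    scriptHost = innerURL.getHost();
                    String next = innerURL.getPath();
                    if (next == null || next.equals(inner)) {
                        break;
                    }
                    inner = next;
                }
                // … unchanged: docHost / scriptHost comparison …
```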
Added: xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java?rev=1903910&view=auto
==============================================================================
--- xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java (added)
+++ xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java Wed Sep 7 08:22:07 2022
@@ -0,0 +1,40 @@
+/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ */
+package org.apache.batik.bridge;
+
+import org.apache.batik.util.ParsedURL;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class DefaultScriptSecurityTestCase {
+ @Test
+ public void testUrls() {
+ ParsedURL docUrl = new ParsedURL("");
+ ParsedURL scriptUrl = new ParsedURL("jar:http://192.168.1.10/poc.jar!/");
+ String ex = "";
+ try {
+ new DefaultScriptSecurity(null, scriptUrl, docUrl).checkLoadScript();
+ } catch (SecurityException e) {
+ ex = e.getMessage();
+ }
+ Assert.assertEquals(ex, "The document references a script file (jar:http://192.168.1.10/poc.jar!/) " +
+ "which comes from different location than the document itself. This is not allowed with the current " +
+ "security settings and that script will not be loaded.");
+ }
+}
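Review bot: The assertion in testUrls passes the actual value first and the expected message second, which is the reverse of JUnit's `assertEquals(expected, actual)` contract, so a failure would report the two strings swapped; use `Assert.assertEquals("The document references ...", ex);`. The test also only proves the message text matches when an exception happens to be thrown: if checkLoadScript silently returns, `ex` stays `""` and the failure reads as a string mismatch rather than "no exception", so adding `Assert.fail("expected SecurityException");` as the last statement inside the try block makes the intent explicit. Finally, the only case covered is a host-less document with a `jar:http://` script; a second case with a document on the same host as the jar's inner URL would pin down whether same-host jar scripts are meant to stay allowed, which the log message ("Jar url should be blocked") leaves ambiguous.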
Propchange: xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
------------------------------------------------------------------------------
svn:eol-style = native