--- a/jdk/src/share/classes/sun/misc/URLClassPath.java Fri Apr 05 10:17:06 2013 -0400
+++ b/jdk/src/share/classes/sun/misc/URLClassPath.java Mon Apr 08 06:15:18 2013 +0100
@@ -64,6 +64,7 @@
final static String USER_AGENT_JAVA_VERSION = "UA-Java-Version";
final static String JAVA_VERSION;
private static final boolean DEBUG;
+ private static final boolean DISABLE_JAR_CHECKING;
/**
* Used by launcher to indicate that checking of the JAR file "Profile"
@@ -76,6 +77,9 @@
new sun.security.action.GetPropertyAction("java.version"));
DEBUG = (java.security.AccessController.doPrivileged(
new sun.security.action.GetPropertyAction("sun.misc.URLClassPath.debug")) != null);
+ String p = java.security.AccessController.doPrivileged(
+ new sun.security.action.GetPropertyAction("sun.misc.URLClassPath.disableJarChecking"));
+ DISABLE_JAR_CHECKING = p != null ? p.equals("true") || p.equals("") : false;
}
/* The original search path of URLs. */
@@ -544,7 +548,7 @@
* in a hurry.
*/
JarURLConnection juc = (JarURLConnection)uc;
- jarfile = juc.getJarFile();
+ jarfile = JarLoader.checkJar(juc.getJarFile());
}
} catch (Exception e) {
return null;
@@ -609,6 +613,8 @@
private URLStreamHandler handler;
private HashMap<String, Loader> lmap;
private boolean closed = false;
+ private static final sun.misc.JavaUtilZipFileAccess zipAccess =
+ sun.misc.SharedSecrets.getJavaUtilZipFileAccess();
/*
* Creates a new JarLoader for the specified URL referring to
@@ -713,6 +719,14 @@
}
}
+ /* Throws if the given jar file is does not start with the correct LOC */
+ static JarFile checkJar(JarFile jar) throws IOException {
+ if (System.getSecurityManager() != null && !DISABLE_JAR_CHECKING
+ && !zipAccess.startsWithLocHeader(jar))
+ throw new IOException("Invalid Jar file");
+ return jar;
+ }
+
private JarFile getJarFile(URL url) throws IOException {
// Optimize case where url refers to a local jar file
if (isOptimizable(url)) {
@@ -720,11 +734,12 @@
if (!p.exists()) {
throw new FileNotFoundException(p.getPath());
}
- return new JarFile (p.getPath());
+ return checkJar(new JarFile(p.getPath()));
}
URLConnection uc = getBaseURL().openConnection();
uc.setRequestProperty(USER_AGENT_JAVA_VERSION, JAVA_VERSION);
- return ((JarURLConnection)uc).getJarFile();
+ JarFile jarFile = ((JarURLConnection)uc).getJarFile();
+ return checkJar(jarFile);
}
/*