7195917: XMLDecoder parsing at close-time should be improved
Reviewed-by: art, ahgross
--- a/jdk/src/share/classes/com/sun/beans/decoder/DocumentHandler.java Tue Sep 11 15:59:24 2012 +0400
+++ b/jdk/src/share/classes/com/sun/beans/decoder/DocumentHandler.java Wed Sep 19 21:42:21 2012 +0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,9 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
@@ -46,6 +49,8 @@
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
+import sun.misc.SharedSecrets;
+
/**
* The main class to parse JavaBeans XML archive.
*
@@ -56,11 +61,10 @@
* @see ElementHandler
*/
public final class DocumentHandler extends DefaultHandler {
- private final Map<String, Class<? extends ElementHandler>> handlers = new HashMap<String, Class<? extends ElementHandler>>();
-
- private final Map<String, Object> environment = new HashMap<String, Object>();
-
- private final List<Object> objects = new ArrayList<Object>();
+ private final AccessControlContext acc = AccessController.getContext();
+ private final Map<String, Class<? extends ElementHandler>> handlers = new HashMap<>();
+ private final Map<String, Object> environment = new HashMap<>();
+ private final List<Object> objects = new ArrayList<>();
private Reference<ClassLoader> loader;
private ExceptionListener listener;
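Review bot: The new `acc` field (here and the identical one added to XMLDecoder further down) has no comment, although its meaning depends entirely on when it is assigned. The field initializer snapshots the AccessControlContext of whatever code constructs the object, and parse() later runs under that snapshot. I would add `// Context of the code that created this handler; parsing is confined to it.` above the declaration, so that nobody later makes the field lazily initialised and captures a different caller's context. The diamond-operator cleanup of the three collection fields is unrelated to the fix and would be easier to audit as a separate change.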
@@ -351,23 +355,32 @@
*
* @param input the input source to parse
*/
- public void parse(InputSource input) {
- try {
- SAXParserFactory.newInstance().newSAXParser().parse(input, this);
- }
- catch (ParserConfigurationException exception) {
- handleException(exception);
+ public void parse(final InputSource input) {
+ if ((this.acc == null) && (null != System.getSecurityManager())) {
+ throw new SecurityException("AccessControlContext is not set");
}
- catch (SAXException wrapper) {
- Exception exception = wrapper.getException();
- if (exception == null) {
- exception = wrapper;
+ AccessControlContext stack = AccessController.getContext();
+ SharedSecrets.getJavaSecurityAccess().doIntersectionPrivilege(new PrivilegedAction<Void>() {
+ public Void run() {
+ try {
+ SAXParserFactory.newInstance().newSAXParser().parse(input, DocumentHandler.this);
+ }
+ catch (ParserConfigurationException exception) {
+ handleException(exception);
+ }
+ catch (SAXException wrapper) {
+ Exception exception = wrapper.getException();
+ if (exception == null) {
+ exception = wrapper;
+ }
+ handleException(exception);
+ }
+ catch (IOException exception) {
+ handleException(exception);
+ }
+ return null;
}
- handleException(exception);
- }
- catch (IOException exception) {
- handleException(exception);
- }
+ }, stack, this.acc);
}
/**
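Review bot: The Javadoc above parse() still lists only `@param input`, but the guard added at the top of the method now throws SecurityException straight to the caller rather than routing it through handleException(). Add `@throws SecurityException if a security manager is installed and no AccessControlContext was captured`. The guard also needs a one-line comment: `acc` is set by a field initializer, so it is presumably null only for an instance created without running that initializer. The same guard is repeated verbatim in the XMLDecoder hunk below. The anonymous `run()` could carry `@Override` in both places.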
--- a/jdk/src/share/classes/java/beans/XMLDecoder.java Tue Sep 11 15:59:24 2012 +0400
+++ b/jdk/src/share/classes/java/beans/XMLDecoder.java Wed Sep 19 21:42:21 2012 +0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,9 @@
import java.io.Closeable;
import java.io.InputStream;
import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;
@@ -61,6 +64,7 @@
* @author Philip Milne
*/
public class XMLDecoder implements AutoCloseable {
+ private final AccessControlContext acc = AccessController.getContext();
private final DocumentHandler handler = new DocumentHandler();
private final InputSource input;
private Object owner;
@@ -189,7 +193,15 @@
return false;
}
if (this.array == null) {
- this.handler.parse(this.input);
+ if ((this.acc == null) && (null != System.getSecurityManager())) {
+ throw new SecurityException("AccessControlContext is not set");
+ }
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ XMLDecoder.this.handler.parse(XMLDecoder.this.input);
+ return null;
+ }
+ }, this.acc);
this.array = this.handler.getObjects();
}
return true;
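Review bot: Nothing at this call site says that the `doPrivileged(..., this.acc)` wrapper overlaps with the `doIntersectionPrivilege` call inside DocumentHandler.parse(). `handler` is created in the field initializer directly after `acc`, so both layers restrict parsing to a context captured at the same construction point. If the double layer is deliberate (DocumentHandler is a public class with a public parse()), say so here, e.g. `// defence in depth: DocumentHandler.parse() also intersects with its own captured context`. A second comment such as `// lazy parse runs with the creator's permissions, not those of whoever triggers it` would make the intent of the first-use branch clear. The enclosing method starts outside this hunk, so anything it does before the `this.array == null` check is not visible here.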