changeset 6523:3b49bd3c392b

7195917: XMLDecoder parsing at close-time should be improved Reviewed-by: art, ahgross
author malenkov
date Wed, 19 Sep 2012 21:42:21 +0400
parents 1d1fcf0c1ce8
children 762eee5e6e16
files src/share/classes/com/sun/beans/decoder/DocumentHandler.java src/share/classes/java/beans/XMLDecoder.java
diffstat 2 files changed, 48 insertions(+), 23 deletions(-) [+]
--- a/src/share/classes/com/sun/beans/decoder/DocumentHandler.java	Tue Sep 11 15:59:24 2012 +0400
+++ b/src/share/classes/com/sun/beans/decoder/DocumentHandler.java	Wed Sep 19 21:42:21 2012 +0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,9 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
@@ -46,6 +49,8 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
 
+import sun.misc.SharedSecrets;
+
 /**
  * The main class to parse JavaBeans XML archive.
  *
@@ -56,11 +61,10 @@
  * @see ElementHandler
  */
 public final class DocumentHandler extends DefaultHandler {
-    private final Map<String, Class<? extends ElementHandler>> handlers = new HashMap<String, Class<? extends ElementHandler>>();
-
-    private final Map<String, Object> environment = new HashMap<String, Object>();
-
-    private final List<Object> objects = new ArrayList<Object>();
+    private final AccessControlContext acc = AccessController.getContext();
+    private final Map<String, Class<? extends ElementHandler>> handlers = new HashMap<>();
+    private final Map<String, Object> environment = new HashMap<>();
+    private final List<Object> objects = new ArrayList<>();
 
     private Reference<ClassLoader> loader;
     private ExceptionListener listener;
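Review bot: The new `acc` field is declared without a comment, so a reader cannot tell that it is a snapshot of the constructing code's access control context, taken once in the field initialiser and consulted later by `parse`. I would add `// Context of the code that created this handler; parse() is limited to it.` above the declaration. The same applies to the `acc` field added to `XMLDecoder` in the second file of this changeset. The class body continues outside the hunk.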
@@ -351,23 +355,32 @@
      *
      * @param input  the input source to parse
      */
-    public void parse(InputSource input) {
-        try {
-            SAXParserFactory.newInstance().newSAXParser().parse(input, this);
+    public void parse(final InputSource input) {
+        if ((this.acc == null) && (null != System.getSecurityManager())) {
+            throw new SecurityException("AccessControlContext is not set");
         }
-        catch (ParserConfigurationException exception) {
-            handleException(exception);
-        }
-        catch (SAXException wrapper) {
-            Exception exception = wrapper.getException();
-            if (exception == null) {
-                exception = wrapper;
+        AccessControlContext stack = AccessController.getContext();
+        SharedSecrets.getJavaSecurityAccess().doIntersectionPrivilege(new PrivilegedAction<Void>() {
+            public Void run() {
+                try {
+                    SAXParserFactory.newInstance().newSAXParser().parse(input, DocumentHandler.this);
+                }
+                catch (ParserConfigurationException exception) {
+                    handleException(exception);
+                }
+                catch (SAXException wrapper) {
+                    Exception exception = wrapper.getException();
+                    if (exception == null) {
+                        exception = wrapper;
+                    }
+                    handleException(exception);
+                }
+                catch (IOException exception) {
+                    handleException(exception);
+                }
+                return null;
             }
-            handleException(exception);
-        }
-        catch (IOException exception) {
-            handleException(exception);
-        }
+        }, stack, this.acc);
     }
 
     /**
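Review bot: The Javadoc above `parse` still documents only `@param input`, although the method now throws `SecurityException` when a security manager is installed and `acc` is null; add `@throws SecurityException if a security manager is present and no access control context was captured at construction`. Because `acc` is a final field initialised from `AccessController.getContext()`, the guard looks reachable only for an instance whose initialisers never ran, and a one-line comment saying so would keep a later cleanup from deleting it as dead code. The anonymous `run()` should carry `@Override`, and a short comment that the action runs with the intersection of the current stack and the captured context would help, since `doIntersectionPrivilege` is an internal `sun.misc` API. The Javadoc block starts outside the hunk.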
--- a/src/share/classes/java/beans/XMLDecoder.java	Tue Sep 11 15:59:24 2012 +0400
+++ b/src/share/classes/java/beans/XMLDecoder.java	Wed Sep 19 21:42:21 2012 +0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,9 @@
 import java.io.Closeable;
 import java.io.InputStream;
 import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import org.xml.sax.InputSource;
 import org.xml.sax.helpers.DefaultHandler;
@@ -61,6 +64,7 @@
  * @author Philip Milne
  */
 public class XMLDecoder implements AutoCloseable {
+    private final AccessControlContext acc = AccessController.getContext();
     private final DocumentHandler handler = new DocumentHandler();
     private final InputSource input;
     private Object owner;
@@ -189,7 +193,15 @@
             return false;
         }
         if (this.array == null) {
-            this.handler.parse(this.input);
+            if ((this.acc == null) && (null != System.getSecurityManager())) {
+                throw new SecurityException("AccessControlContext is not set");
+            }
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    XMLDecoder.this.handler.parse(XMLDecoder.this.input);
+                    return null;
+                }
+            }, this.acc);
             this.array = this.handler.getObjects();
         }
         return true;
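Review bot: Nothing at this call site says why the lazy parse is wrapped in `doPrivileged(..., this.acc)`; judging by the commit title, the intent is that parsing triggered later (for example from `close()`) runs with the permissions of the code that built the decoder rather than those of whoever happens to call in. A comment such as `// Parse under the creator's context, not the current caller's.` would make that explicit. The null guard and its message are copied verbatim from `DocumentHandler.parse`, which repeats the check inside the privileged action on this path, so one of the two should be marked as deliberate defence in depth. The changeset lists only the two source files, so a regression test for a decoder built in a restricted context and first read from a less restricted one appears to be missing. The enclosing method starts outside the hunk.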