moparisthebest/poi
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

Wrap more security related reflection in AccessController

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1713356 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Uwe Schindler 2015-11-09 09:32:37 +00:00
parent 8c3cd70589
commit ce66e14b5a
1 changed files with 27 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/SignatureFacet.java
View File

@ -26,8 +26,10 @@ package org.apache.poi.poifs.crypt.dsig.facets;
import java.lang.reflect.Field; import java.lang.reflect.Field;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.PrivilegedAction;
import java.security.Provider; import java.security.Provider;
import java.security.Security; import java.security.Security;
import java.util.List; import java.util.List;
@ -50,6 +52,7 @@ import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig.SignatureConfigurable; import org.apache.poi.poifs.crypt.dsig.SignatureConfig.SignatureConfigurable;
import org.apache.poi.util.POILogFactory; import org.apache.poi.util.POILogFactory;
import org.apache.poi.util.POILogger; import org.apache.poi.util.POILogger;
import org.apache.poi.util.SuppressForbidden;
import org.w3c.dom.Document; import org.w3c.dom.Document;
/** /**
@ -156,14 +159,18 @@ public abstract class SignatureFacet implements SignatureConfigurable {
} }
// helper method ... will be removed soon // helper method ... will be removed soon
public static void brokenJvmWorkaround(Reference reference) { public static void brokenJvmWorkaround(final Reference reference) {
DigestMethod digestMethod = reference.getDigestMethod(); final DigestMethod digestMethod = reference.getDigestMethod();
String digestMethodUri = digestMethod.getAlgorithm(); final String digestMethodUri = digestMethod.getAlgorithm();
final Provider bcProv = Security.getProvider("BC");
if (bcProv != null && !DigestMethod.SHA1.equals(digestMethodUri)) {
// workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012 // workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012
// overwrite standard message digest, if a digest <> SHA1 is used // overwrite standard message digest, if a digest <> SHA1 is used
Provider bcProv = Security.getProvider("BC"); AccessController.doPrivileged(new PrivilegedAction<Void>() {
if (bcProv != null && !DigestMethod.SHA1.equals(digestMethodUri)) { @Override
@SuppressForbidden("Workaround for a bug, needs access to private JDK members (may fail in Java 9): https://bugzilla.redhat.com/show_bug.cgi?id=1155012")
public Void run() {
try { try {
Method m = DOMDigestMethod.class.getDeclaredMethod("getMessageDigestAlgorithm"); Method m = DOMDigestMethod.class.getDeclaredMethod("getMessageDigestAlgorithm");
m.setAccessible(true); m.setAccessible(true);
@ -175,6 +182,9 @@ public abstract class SignatureFacet implements SignatureConfigurable {
} catch (Exception e) { } catch (Exception e) {
LOG.log(POILogger.WARN, "Can't overwrite message digest (workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012)", e); LOG.log(POILogger.WARN, "Can't overwrite message digest (workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1155012)", e);
} }
return null; // Void
}
});
} }
} }
} }