#58597: Add more AccessController.doPrivileged. We should fix them later!

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1713813 13f79535-47bb-0310-9956-ffa450edef68
2015-11-11 11:36:44 +00:00 · 2015-11-11 11:36:44 +00:00 · da19b14670
commit da19b14670
parent b62cc549fe
2 changed files with 37 additions and 19 deletions
--- a/src/ooxml/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
+++ b/src/ooxml/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
@ -23,6 +23,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.PushbackInputStream;
 import java.lang.reflect.Field;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.zip.InflaterInputStream;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipException;
@ -31,6 +33,7 @@ import java.util.zip.ZipInputStream;

 import org.apache.poi.util.POILogFactory;
 import org.apache.poi.util.POILogger;
+import org.apache.poi.util.SuppressForbidden;

 /**
 * This class wraps a {@link ZipFile} in order to check the
@ -163,20 +166,27 @@ public class ZipSecureFile extends ZipFile {
        return addThreshold(zipIS);
    }

-    @SuppressWarnings("resource")
-    public static ThresholdInputStream addThreshold(InputStream zipIS) throws IOException {
+    public static ThresholdInputStream addThreshold(final InputStream zipIS) throws IOException {
        ThresholdInputStream newInner;
        if (zipIS instanceof InflaterInputStream) {
-            try {
-                Field f = FilterInputStream.class.getDeclaredField("in");
-                f.setAccessible(true);
-                InputStream oldInner = (InputStream)f.get(zipIS);
-                newInner = new ThresholdInputStream(oldInner, null);
-                f.set(zipIS, newInner);
-            } catch (Exception ex) {
-                logger.log(POILogger.WARN, "SecurityManager doesn't allow manipulation via reflection for zipbomb detection - continue with original input stream", ex);
-                newInner = null;
-            }
+            newInner = AccessController.doPrivileged(new PrivilegedAction<ThresholdInputStream>() {
+                @SuppressForbidden("TODO: Fix this to not use reflection (it will break in Java 9)! " +
+                        "Better would be to wrap *before* instead of tyring to insert wrapper afterwards.")
+                public ThresholdInputStream run() {
+                    ThresholdInputStream newInner = null;
+                    try {
+                        Field f = FilterInputStream.class.getDeclaredField("in");
+                        f.setAccessible(true);
+                        InputStream oldInner = (InputStream)f.get(zipIS);
+                        newInner = new ThresholdInputStream(oldInner, null);
+                        f.set(zipIS, newInner);
+                    } catch (Exception ex) {
+                        logger.log(POILogger.WARN, "SecurityManager doesn't allow manipulation via reflection for zipbomb detection - continue with original input stream", ex);
+                        newInner = null;
+                    }
+                    return newInner;
+                }
+            });
        } else {
            // the inner stream is a ZipFileInputStream, i.e. the data wasn't compressed
            newInner = null;
--- a/src/ooxml/java/org/apache/poi/util/OOXMLLite.java
+++ b/src/ooxml/java/org/apache/poi/util/OOXMLLite.java
@ -25,7 +25,9 @@ import java.io.OutputStream;
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
 import java.net.URL;
+import java.security.AccessController;
 import java.security.CodeSource;
+import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
 import java.util.ArrayList;
 import java.util.Enumeration;
@ -49,7 +51,6 @@ import org.junit.runner.JUnitCore;import org.junit.runner.Result;
 * @author Yegor Kozlov
 */
 public final class OOXMLLite {
-    private static Field _classes;

    /**
     * Destination directory to copy filtered classes
@ -214,12 +215,19 @@ public final class OOXMLLite {
        // make the field accessible, we defer this from static initialization to here to 
        // allow JDKs which do not have this field (e.g. IBM JDK) to at least load the class
        // without failing, see https://issues.apache.org/bugzilla/show_bug.cgi?id=56550
-        try {
-            _classes = ClassLoader.class.getDeclaredField("classes");
-            _classes.setAccessible(true);
-        } catch (Exception e) {
-            throw new RuntimeException(e);
-        }
+        final Field _classes = AccessController.doPrivileged(new PrivilegedAction<Field>() {
+            @SuppressForbidden("TODO: Reflection works until Java 8 on Oracle/Sun JDKs, but breaks afterwards (different classloader types, access checks)")
+            public Field run() {
+                try {
+                    Field fld = ClassLoader.class.getDeclaredField("classes");
+                    fld.setAccessible(true);
+                    return fld;
+                } catch (Exception e) {
+                    throw new RuntimeException(e);
+                }
+
+            }
+        });

        ClassLoader appLoader = ClassLoader.getSystemClassLoader();
        try {