#58597: Add more AccessController.doPrivileged. We should fix them later!
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1713813 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
b62cc549fe
commit
da19b14670
@ -23,6 +23,8 @@ import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.PushbackInputStream;
|
||||
import java.lang.reflect.Field;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.util.zip.InflaterInputStream;
|
||||
import java.util.zip.ZipEntry;
|
||||
import java.util.zip.ZipException;
|
||||
@ -31,6 +33,7 @@ import java.util.zip.ZipInputStream;
|
||||
|
||||
import org.apache.poi.util.POILogFactory;
|
||||
import org.apache.poi.util.POILogger;
|
||||
import org.apache.poi.util.SuppressForbidden;
|
||||
|
||||
/**
|
||||
* This class wraps a {@link ZipFile} in order to check the
|
||||
@ -163,10 +166,14 @@ public class ZipSecureFile extends ZipFile {
|
||||
return addThreshold(zipIS);
|
||||
}
|
||||
|
||||
@SuppressWarnings("resource")
|
||||
public static ThresholdInputStream addThreshold(InputStream zipIS) throws IOException {
|
||||
public static ThresholdInputStream addThreshold(final InputStream zipIS) throws IOException {
|
||||
ThresholdInputStream newInner;
|
||||
if (zipIS instanceof InflaterInputStream) {
|
||||
newInner = AccessController.doPrivileged(new PrivilegedAction<ThresholdInputStream>() {
|
||||
@SuppressForbidden("TODO: Fix this to not use reflection (it will break in Java 9)! " +
|
||||
"Better would be to wrap *before* instead of tyring to insert wrapper afterwards.")
|
||||
public ThresholdInputStream run() {
|
||||
ThresholdInputStream newInner = null;
|
||||
try {
|
||||
Field f = FilterInputStream.class.getDeclaredField("in");
|
||||
f.setAccessible(true);
|
||||
@ -177,6 +184,9 @@ public class ZipSecureFile extends ZipFile {
|
||||
logger.log(POILogger.WARN, "SecurityManager doesn't allow manipulation via reflection for zipbomb detection - continue with original input stream", ex);
|
||||
newInner = null;
|
||||
}
|
||||
return newInner;
|
||||
}
|
||||
});
|
||||
} else {
|
||||
// the inner stream is a ZipFileInputStream, i.e. the data wasn't compressed
|
||||
newInner = null;
|
||||
|
@ -25,7 +25,9 @@ import java.io.OutputStream;
|
||||
import java.lang.reflect.Field;
|
||||
import java.lang.reflect.Method;
|
||||
import java.net.URL;
|
||||
import java.security.AccessController;
|
||||
import java.security.CodeSource;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.ProtectionDomain;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Enumeration;
|
||||
@ -49,7 +51,6 @@ import org.junit.runner.JUnitCore;import org.junit.runner.Result;
|
||||
* @author Yegor Kozlov
|
||||
*/
|
||||
public final class OOXMLLite {
|
||||
private static Field _classes;
|
||||
|
||||
/**
|
||||
* Destination directory to copy filtered classes
|
||||
@ -214,13 +215,20 @@ public final class OOXMLLite {
|
||||
// make the field accessible, we defer this from static initialization to here to
|
||||
// allow JDKs which do not have this field (e.g. IBM JDK) to at least load the class
|
||||
// without failing, see https://issues.apache.org/bugzilla/show_bug.cgi?id=56550
|
||||
final Field _classes = AccessController.doPrivileged(new PrivilegedAction<Field>() {
|
||||
@SuppressForbidden("TODO: Reflection works until Java 8 on Oracle/Sun JDKs, but breaks afterwards (different classloader types, access checks)")
|
||||
public Field run() {
|
||||
try {
|
||||
_classes = ClassLoader.class.getDeclaredField("classes");
|
||||
_classes.setAccessible(true);
|
||||
Field fld = ClassLoader.class.getDeclaredField("classes");
|
||||
fld.setAccessible(true);
|
||||
return fld;
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
|
||||
}
|
||||
});
|
||||
|
||||
ClassLoader appLoader = ClassLoader.getSystemClassLoader();
|
||||
try {
|
||||
Vector<Class<?>> classes = (Vector<Class<?>>) _classes.get(appLoader);
|
||||
|
Loading…
Reference in New Issue
Block a user