OPENJPA-2672: ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException vulnerability

git-svn-id: https://svn.apache.org/repos/asf/openjpa/trunk@1764316 13f79535-47bb-0310-9956-ffa450edef68
2016-10-11 18:30:19 +00:00 · 2016-10-11 18:30:19 +00:00 · be71987b9c
parent a99daf8f47
commit be71987b9c
1 changed files with 8 additions and 3 deletions
--- a/openjpa-lib/src/main/java/org/apache/openjpa/lib/conf/ConfigurationImpl.java
+++ b/openjpa-lib/src/main/java/org/apache/openjpa/lib/conf/ConfigurationImpl.java
@ -187,9 +187,14 @@ public class ConfigurationImpl

        // let system properties override other globals
        try {
-            fromProperties(new HashMap(
-                AccessController.doPrivileged(
-                    J2DoPrivHelper.getPropertiesAction())));
+            Properties systemProperties = AccessController.doPrivileged(
+                    J2DoPrivHelper.getPropertiesAction());
+            HashMap sysPropHM = null;
+            synchronized(systemProperties) {
+                // Prevent concurrent modification of systemProperties until HashMap ctor is completed.
+                sysPropHM = new HashMap(systemProperties);
+            }
+            fromProperties(sysPropHM);
        } catch (SecurityException se) {
            // security manager might disallow
        }