Apache
/
poi
mirror of https://github.com/apache/poi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

#58597: Add more AccessController.doPrivileged. We should fix them later! 

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1713813 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Uwe Schindler 2015-11-11 11:36:44 +00:00
parent d8597d7fb7
commit d929ea3aae
2 changed files with 37 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/ooxml/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
View File

@ -23,6 +23,8 @@ import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.PushbackInputStream; import java.io.PushbackInputStream;
import java.lang.reflect.Field; import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.zip.InflaterInputStream; import java.util.zip.InflaterInputStream;
import java.util.zip.ZipEntry; import java.util.zip.ZipEntry;
import java.util.zip.ZipException; import java.util.zip.ZipException;
@ -31,6 +33,7 @@ import java.util.zip.ZipInputStream;
import org.apache.poi.util.POILogFactory; import org.apache.poi.util.POILogFactory;
import org.apache.poi.util.POILogger; import org.apache.poi.util.POILogger;
import org.apache.poi.util.SuppressForbidden;
/** /**
* This class wraps a {@link ZipFile} in order to check the * This class wraps a {@link ZipFile} in order to check the
@ -163,10 +166,14 @@ public class ZipSecureFile extends ZipFile {
return addThreshold(zipIS); return addThreshold(zipIS);
} }
@SuppressWarnings("resource") public static ThresholdInputStream addThreshold(final InputStream zipIS) throws IOException {
public static ThresholdInputStream addThreshold(InputStream zipIS) throws IOException {
ThresholdInputStream newInner; ThresholdInputStream newInner;
if (zipIS instanceof InflaterInputStream) { if (zipIS instanceof InflaterInputStream) {
newInner = AccessController.doPrivileged(new PrivilegedAction<ThresholdInputStream>() {
@SuppressForbidden("TODO: Fix this to not use reflection (it will break in Java 9)! " +
"Better would be to wrap *before* instead of tyring to insert wrapper afterwards.")
public ThresholdInputStream run() {
ThresholdInputStream newInner = null;
try { try {
Field f = FilterInputStream.class.getDeclaredField("in"); Field f = FilterInputStream.class.getDeclaredField("in");
f.setAccessible(true); f.setAccessible(true);
@ -177,6 +184,9 @@ public class ZipSecureFile extends ZipFile {
logger.log(POILogger.WARN, "SecurityManager doesn't allow manipulation via reflection for zipbomb detection - continue with original input stream", ex); logger.log(POILogger.WARN, "SecurityManager doesn't allow manipulation via reflection for zipbomb detection - continue with original input stream", ex);
newInner = null; newInner = null;
} }
return newInner;
}
});
} else { } else {
// the inner stream is a ZipFileInputStream, i.e. the data wasn't compressed // the inner stream is a ZipFileInputStream, i.e. the data wasn't compressed
newInner = null; newInner = null;

14
src/ooxml/java/org/apache/poi/util/OOXMLLite.java
View File

@ -25,7 +25,9 @@ import java.io.OutputStream;
import java.lang.reflect.Field; import java.lang.reflect.Field;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.net.URL; import java.net.URL;
import java.security.AccessController;
import java.security.CodeSource; import java.security.CodeSource;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain; import java.security.ProtectionDomain;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Enumeration; import java.util.Enumeration;
@ -49,7 +51,6 @@ import org.junit.runner.JUnitCore;import org.junit.runner.Result;
* @author Yegor Kozlov * @author Yegor Kozlov
*/ */
public final class OOXMLLite { public final class OOXMLLite {
private static Field _classes;
/** /**
* Destination directory to copy filtered classes * Destination directory to copy filtered classes
@ -214,13 +215,20 @@ public final class OOXMLLite {
// make the field accessible, we defer this from static initialization to here to // make the field accessible, we defer this from static initialization to here to
// allow JDKs which do not have this field (e.g. IBM JDK) to at least load the class // allow JDKs which do not have this field (e.g. IBM JDK) to at least load the class
// without failing, see https://issues.apache.org/bugzilla/show_bug.cgi?id=56550 // without failing, see https://issues.apache.org/bugzilla/show_bug.cgi?id=56550
final Field _classes = AccessController.doPrivileged(new PrivilegedAction<Field>() {
@SuppressForbidden("TODO: Reflection works until Java 8 on Oracle/Sun JDKs, but breaks afterwards (different classloader types, access checks)")
public Field run() {
try { try {
_classes = ClassLoader.class.getDeclaredField("classes"); Field fld = ClassLoader.class.getDeclaredField("classes");
_classes.setAccessible(true); fld.setAccessible(true);
return fld;
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
}
});
ClassLoader appLoader = ClassLoader.getSystemClassLoader(); ClassLoader appLoader = ClassLoader.getSystemClassLoader();
try { try {
Vector<Class<?>> classes = (Vector<Class<?>>) _classes.get(appLoader); Vector<Class<?>> classes = (Vector<Class<?>>) _classes.get(appLoader);