7195917: XMLDecoder parsing at close-time should be improved

Reviewed-by: art, ahgross
2012-09-19 21:42:21 +04:00 · 2012-09-19 21:42:21 +04:00 · 1a3e1b43e0
commit 1a3e1b43e0
parent 41e85e364f
2 changed files with 48 additions and 23 deletions
--- a/jdk/src/share/classes/com/sun/beans/decoder/DocumentHandler.java
+++ b/jdk/src/share/classes/com/sun/beans/decoder/DocumentHandler.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -37,6 +37,9 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;

 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
@ -46,6 +49,8 @@ import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;

+import sun.misc.SharedSecrets;
+
 /**
 * The main class to parse JavaBeans XML archive.
 *
@ -56,11 +61,10 @@ import org.xml.sax.helpers.DefaultHandler;
 * @see ElementHandler
 */
 public final class DocumentHandler extends DefaultHandler {
-    private final Map<String, Class<? extends ElementHandler>> handlers = new HashMap<String, Class<? extends ElementHandler>>();
-
-    private final Map<String, Object> environment = new HashMap<String, Object>();
-
-    private final List<Object> objects = new ArrayList<Object>();
+    private final AccessControlContext acc = AccessController.getContext();
+    private final Map<String, Class<? extends ElementHandler>> handlers = new HashMap<>();
+    private final Map<String, Object> environment = new HashMap<>();
+    private final List<Object> objects = new ArrayList<>();

    private Reference<ClassLoader> loader;
    private ExceptionListener listener;
@ -351,23 +355,32 @@ public final class DocumentHandler extends DefaultHandler {
     *
     * @param input  the input source to parse
     */
-    public void parse(InputSource input) {
-        try {
-            SAXParserFactory.newInstance().newSAXParser().parse(input, this);
+    public void parse(final InputSource input) {
+        if ((this.acc == null) && (null != System.getSecurityManager())) {
+            throw new SecurityException("AccessControlContext is not set");
        }
-        catch (ParserConfigurationException exception) {
-            handleException(exception);
-        }
-        catch (SAXException wrapper) {
-            Exception exception = wrapper.getException();
-            if (exception == null) {
-                exception = wrapper;
+        AccessControlContext stack = AccessController.getContext();
+        SharedSecrets.getJavaSecurityAccess().doIntersectionPrivilege(new PrivilegedAction<Void>() {
+            public Void run() {
+                try {
+                    SAXParserFactory.newInstance().newSAXParser().parse(input, DocumentHandler.this);
+                }
+                catch (ParserConfigurationException exception) {
+                    handleException(exception);
+                }
+                catch (SAXException wrapper) {
+                    Exception exception = wrapper.getException();
+                    if (exception == null) {
+                        exception = wrapper;
+                    }
+                    handleException(exception);
+                }
+                catch (IOException exception) {
+                    handleException(exception);
+                }
+                return null;
            }
-            handleException(exception);
-        }
-        catch (IOException exception) {
-            handleException(exception);
-        }
+        }, stack, this.acc);
    }

    /**
--- a/jdk/src/share/classes/java/beans/XMLDecoder.java
+++ b/jdk/src/share/classes/java/beans/XMLDecoder.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -29,6 +29,9 @@ import com.sun.beans.decoder.DocumentHandler;
 import java.io.Closeable;
 import java.io.InputStream;
 import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;

 import org.xml.sax.InputSource;
 import org.xml.sax.helpers.DefaultHandler;
@ -61,6 +64,7 @@ import org.xml.sax.helpers.DefaultHandler;
 * @author Philip Milne
 */
 public class XMLDecoder implements AutoCloseable {
+    private final AccessControlContext acc = AccessController.getContext();
    private final DocumentHandler handler = new DocumentHandler();
    private final InputSource input;
    private Object owner;
@ -189,7 +193,15 @@ public class XMLDecoder implements AutoCloseable {
            return false;
        }
        if (this.array == null) {
-            this.handler.parse(this.input);
+            if ((this.acc == null) && (null != System.getSecurityManager())) {
+                throw new SecurityException("AccessControlContext is not set");
+            }
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    XMLDecoder.this.handler.parse(XMLDecoder.this.input);
+                    return null;
+                }
+            }, this.acc);
            this.array = this.handler.getObjects();
        }
        return true;