incubator-bval-commits mailing list archives

From dwo...@apache.org
Subject svn commit: r1036603 - in /incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303: DefaultMessageInterpolator.java Jsr303MetaBeanFactory.java util/SecureActions.java
Date Thu, 18 Nov 2010 20:16:44 GMT
Author: dwoods
Date: Thu Nov 18 20:16:44 2010
New Revision: 1036603

URL: http://svn.apache.org/viewvc?rev=1036603&view=rev
Log:
BVAL-87 Java 2 security violations in ClassValidator.validate.  Patch contributed by Albert
Lee.

Modified:
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java?rev=1036603&r1=1036602&r2=1036603&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java
(original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java
Thu Nov 18 20:16:44 2010
@@ -16,6 +16,7 @@
  */
 package org.apache.bval.jsr303;
 
+import org.apache.bval.jsr303.util.SecureActions;
 import org.apache.commons.lang.ArrayUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -160,13 +161,13 @@ public class DefaultMessageInterpolator 
      */
     private ResourceBundle getFileBasedResourceBundle(Locale locale) {
         ResourceBundle rb = null;
-        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+        final ClassLoader classLoader = SecureActions.getContextClassLoader(Thread.currentThread());
         if (classLoader != null) {
             rb = loadBundle(classLoader, locale,
                   USER_VALIDATION_MESSAGES + " not found by thread local classloader");
         }
         if (rb == null) {
-            rb = loadBundle(this.getClass().getClassLoader(), locale,
+            rb = loadBundle(SecureActions.getClassLoader(this.getClass()), locale,
                   USER_VALIDATION_MESSAGES + " not found by validator classloader");
         }
         if (rb != null) {

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java?rev=1036603&r1=1036602&r2=1036603&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java
(original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java
Thu Nov 18 20:16:44 2010
@@ -126,7 +126,7 @@ public class Jsr303MetaBeanFactory imple
                   new AppendValidationToMeta(metabean));
         }
 
-        Field[] fields = beanClass.getDeclaredFields();
+        final Field[] fields = SecureActions.getDeclaredFields(beanClass);
         for (Field field : fields) {
             MetaProperty metaProperty = metabean.getProperty(field.getName());
             // create a property for those fields for which there is not yet a MetaProperty
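Review bot: Replacing `beanClass.getDeclaredFields()` with `SecureActions.getDeclaredFields(beanClass)` is not a pure privilege wrapper, because the helper added in SecureActions.java also runs `setAccessibility(f)` on every field it returns. The loop here therefore works with Field objects whose access checks have presumably been relaxed, which the old call never did. If those objects are kept on the metabean and can reach code outside BVal, they become ready-made handles to private state, so a call-site comment such as `// SecureActions.getDeclaredFields also runs setAccessibility on each field; keep these Field objects internal` would make the side effect explicit. The loop body continues outside the hunk, so where the fields end up cannot be confirmed from here.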
@@ -144,7 +144,7 @@ public class Jsr303MetaBeanFactory imple
                 }
             }
         }
-        Method[] methods = beanClass.getDeclaredMethods();
+        final Method[] methods = SecureActions.getDeclaredMethods(beanClass);
         for (Method method : methods) {
 
             String propName = null;

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java?rev=1036603&r1=1036602&r2=1036603&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java
(original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java
Thu Nov 18 20:16:44 2010
@@ -105,6 +105,23 @@ public class SecureActions extends Privi
         });
     }
 
+    /**
+     * Get all fields declared on a given class.
+     * @param clazz
+     * @return Field found
+     */
+    public static Field[] getDeclaredFields(final Class<?> clazz) {
+        return run(new PrivilegedAction<Field[]>() {
+            public Field[] run() {
+                Field[] fs = clazz.getDeclaredFields();
+                for( Field f : fs ) {
+                    setAccessibility(f);
+                }
+                return fs;
+            }
+        });
+    }
+
     private static void setAccessibility(Field field) {
         if (!Modifier.isPublic(field.getModifiers()) || (
               Modifier.isPublic(field.getModifiers()) &&
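Review bot: `getDeclaredFields` is a public static method on a public class that executes inside `run(...)` (presumably a `doPrivileged` wrapper) and returns the result to whoever called it, so any code able to load SecureActions gets the declared fields of an arbitrary class, with `setAccessibility` already applied, without holding the reflection permissions itself. The same applies to `getClassLoader` and `getContextClassLoader` in the next hunk, which return a loader the caller may not be entitled to under `RuntimePermission("getClassLoader")`. The callers sit in a different package, so narrowing visibility may not be possible; at minimum the Javadoc should state the contract, e.g. `Runs privileged; for BVal-internal use only, never hand the result to untrusted callers.` The `@return Field found` line would also read better as `@return all fields declared on clazz, after setAccessibility has been applied`. `setAccessibility` continues outside the hunk, so its exact condition is not visible here.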
@@ -170,6 +187,32 @@ public class SecureActions extends Privi
     }
 
     /**
+     * Get class loader of <code>clazz</code>.
+     * @param clazz
+     * @return {@link ClassLoader}
+     */
+    public static ClassLoader getClassLoader(final Class<?> clazz) {
+        return run(new PrivilegedAction<ClassLoader>() {
+            public ClassLoader run() {
+                return clazz.getClassLoader();
+            }
+        });
+    }
+
+    /**
+     * Get context class loader of <code>thread</code>.
+     * @param thread
+     * @return {@link ClassLoader}
+     */
+    public static ClassLoader getContextClassLoader(final Thread thread) {
+        return run(new PrivilegedAction<ClassLoader>() {
+            public ClassLoader run() {
+                return thread.getContextClassLoader();
+            }
+        });
+    }
+
+    /**
      * Get the constructor of <code>clazz</code> matching <code>params</code>.
      * @param <T>
      * @param clazz


