From zong...@apache.org
Subject cvs commit: xml-xalan/java/src/org/apache/xml/serializer SecuritySupport.java SecuritySupport12.java Encodings.java
Date Thu, 09 Oct 2003 00:41:55 GMT
zongaro     2003/10/08 17:41:55

  Modified:    java/src/org/apache/xml/serializer Encodings.java
  Added:       java/src/org/apache/xml/serializer SecuritySupport.java
                        SecuritySupport12.java
  Log:
  Propagated SecuritySupport and SecuritySupport12 classes to serializer package.
  Code in Encodings that uses Class.getResource should instead use
  SecuritySupport.getResourceAsStream.
  
  Reviewed by Christine Li (jycli@ca.ibm.com)
  
  Revision  Changes    Path
  1.4       +20 -16    xml-xalan/java/src/org/apache/xml/serializer/Encodings.java
  
  Index: Encodings.java
  ===================================================================
  RCS file: /home/cvs/xml-xalan/java/src/org/apache/xml/serializer/Encodings.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- Encodings.java	14 Aug 2003 16:27:42 -0000	1.3
  +++ Encodings.java	9 Oct 2003 00:41:54 -0000	1.4
  @@ -68,6 +68,8 @@
   import java.util.Properties;
   import java.util.StringTokenizer;
   
  +import org.apache.xml.utils.ObjectFactory;
  +
   /**
    * Provides information about encodings. Depends on the Java runtime
    * to provides writers for the different encodings, but can be used
  @@ -89,7 +91,7 @@
       /**
        * Standard filename for properties file with encodings data.
        */
  -    static final String ENCODINGS_FILE = "Encodings.properties";
  +    static final String ENCODINGS_FILE = "org/apache/xml/serializer/Encodings.properties";
   
       /**
        * Standard filename for properties file with encodings data.
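Review bot: The Javadoc on `ENCODINGS_FILE` still says "Standard filename for properties file with encodings data", but the new value is a resource path resolved through a class loader, not a name relative to the `Encodings` class. I would reword it to something like `Class-loader resource path (no leading slash) of the properties file with encodings data.`, so that nobody later shortens it back or prefixes it with `/`, which `ClassLoader.getResourceAsStream` would not resolve. The comment block that follows the constant is cut off by the hunk.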
  @@ -350,6 +352,8 @@
           try
           {
               String urlString = null;
  +            InputStream is = null;
  +
               try
               {
                   urlString = System.getProperty(ENCODINGS_PROP, "");
  @@ -358,26 +362,26 @@
               {
               }
   
  -            if (urlString != null && urlString.length() > 0)
  +            if (urlString != null && urlString.length() > 0) {
                   url = new URL(urlString);
  -            if (url == null)
  -            {
  -                url = Encodings.class.getResource(ENCODINGS_FILE);
  +                is = url.openStream();
  +            }
  +
  +            if (is == null) {
  +                SecuritySupport ss = SecuritySupport.getInstance();
  +                is = ss.getResourceAsStream(ObjectFactory.findClassLoader(),
  +                                            ENCODINGS_FILE);
               }
   
               Properties props = new Properties();
  -            if (url != null)
  -            {
  -                InputStream is = url.openStream();
  +            if (is != null) {
                   props.load(is);
                   is.close();
  -            }
  -            else
  -            {
  -                // Seems to be no real need to force failure here, let the system
  -                //   do its best... The issue is not really very critical, and the
  -                //   output will be in any case _correct_ though maybe not always
  -                //   human-friendly... :)
  +            } else {
  +                // Seems to be no real need to force failure here, let the
  +                // system do its best... The issue is not really very critical,
  +                // and the output will be in any case _correct_ though maybe not
  +                // always human-friendly... :)
                   // But maybe report/log the resource problem?
                   // Any standard ways to report/log errors (in static context)?
               }
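Review bot: `is.close()` is skipped whenever `props.load(is)` throws, so the stream stays open. Now that `is` can come either from `url.openStream()` (a URL taken from the `ENCODINGS_PROP` system property) or from the class-loader resource, the close belongs in a finally: `try { props.load(is); } finally { is.close(); }`. Separately, `url.openStream()` never returns null, so the `if (is == null)` fallback to the bundled resource runs only when the property is unset. A bad or unreachable URL presumably lands in the outer catch, which is not visible here, and a one-line comment saying that is intended would help. The enclosing method starts and ends outside the hunk.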
  
  
  
  1.1                  xml-xalan/java/src/org/apache/xml/serializer/SecuritySupport.java
  
  Index: SecuritySupport.java
  ===================================================================
  /*
   * The Apache Software License, Version 1.1
   *
   *
   * Copyright (c) 2002,2003 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution,
   *    if any, must include the following acknowledgment:  
   *       "This product includes software developed by the
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowledgment may appear in the software itself,
   *    if and wherever such third-party acknowledgments normally appear.
   *
   * 4. The name "Apache Software Foundation" must not be used to endorse or
   *    promote products derived from this software without prior written
   *    permission. For written permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache",
   *    nor may "Apache" appear in their name, without prior written
   *    permission of the Apache Software Foundation.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation and was
   * originally based on software copyright (c) 1999-2002, Sun Microsystems,
   * Inc., http://www.sun.com.  For more information on the Apache Software
   * Foundation, please see <http://www.apache.org/>.
   */
  
  package org.apache.xml.serializer;
  
  import java.io.File;
  import java.io.FileInputStream;
  import java.io.FileNotFoundException;
  import java.io.InputStream;
  
  import java.util.Properties;
  
  /**
   * This class is duplicated for each Xalan-Java subpackage so keep it in sync.
   * It is package private and therefore is not exposed as part of the Xalan-Java
   * API.
   *
   * Base class with security related methods that work on JDK 1.1.
   */
  class SecuritySupport {

      /*
       * Held as Object instead of SecuritySupport so that the bytecode
       * verifier has no reason to prove the field's type, which might
       * otherwise cause it to load the SecuritySupport12 class.
       */
      private static final Object securitySupport;

      static {
          SecuritySupport chosen = null;
          try {
              // Probe only: this lookup succeeds where the J2SE 1.2 security
              // API is present. The returned Class object is not needed.
              Class.forName("java.security.AccessController");

              /*
               * SecuritySupport12 is instantiated directly, not by
               * reflection, because it is package private. It has to stay
               * package private so that its privileged operations are not
               * reachable by other code that could use them to circumvent
               * security. The accepted risk is that this direct reference
               * might fail on some JDK 1.1 JVMs.
               */
              chosen = new SecuritySupport12();
          } catch (Exception ex) {
              // Deliberately ignored: the finally clause falls back to the
              // unprivileged base implementation.
          } finally {
              securitySupport = (chosen != null) ? chosen : new SecuritySupport();
          }
      }

      /**
       * Return the instance selected by the static initializer: a
       * SecuritySupport12 where it could be created, otherwise this
       * JDK 1.1 compatible base class.
       */
      public static SecuritySupport getInstance() {
          return (SecuritySupport) securitySupport;
      }

      /**
       * Base implementation: no context class loader is looked up.
       *
       * @return always null
       */
      public ClassLoader getContextClassLoader() {
          return null;
      }

      /**
       * Base implementation: no system class loader is looked up.
       *
       * @return always null
       */
      public ClassLoader getSystemClassLoader() {
          return null;
      }

      /**
       * Base implementation: the parent of <code>cl</code> is not looked up.
       *
       * @param cl ignored here
       * @return always null
       */
      public ClassLoader getParentClassLoader(ClassLoader cl) {
          return null;
      }

      /**
       * Read a system property directly through System.getProperty,
       * without a privileged block.
       *
       * @param propName name of the property
       * @return whatever System.getProperty returns for that name
       */
      public String getSystemProperty(String propName) {
          return System.getProperty(propName);
      }

      /**
       * Open <code>file</code> for reading. The file is passed through
       * as given; no check is made on it here.
       *
       * @param file file to open
       * @return a new stream on the file
       * @throws FileNotFoundException if FileInputStream cannot open it
       */
      public FileInputStream getFileInputStream(File file)
          throws FileNotFoundException
      {
          return new FileInputStream(file);
      }

      /**
       * Open the named resource through <code>cl</code>, or through the
       * system resource lookup when no loader is supplied.
       *
       * @param cl loader to ask, or null for ClassLoader.getSystemResourceAsStream
       * @param name resource name, passed through unchanged
       * @return the stream returned by the lookup
       */
      public InputStream getResourceAsStream(ClassLoader cl, String name) {
          return (cl == null)
              ? ClassLoader.getSystemResourceAsStream(name)
              : cl.getResourceAsStream(name);
      }

      /**
       * @param f file to test
       * @return the result of <code>f.exists()</code>
       */
      public boolean getFileExists(File f) {
          return f.exists();
      }

      /**
       * @param f file to query
       * @return the result of <code>f.lastModified()</code>
       */
      public long getLastModified(File f) {
          return f.lastModified();
      }
  }
  
  
  
  1.1                  xml-xalan/java/src/org/apache/xml/serializer/SecuritySupport12.java
  
  Index: SecuritySupport12.java
  ===================================================================
  /*
   * The Apache Software License, Version 1.1
   *
   *
   * Copyright (c) 2002,2003 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution,
   *    if any, must include the following acknowledgment:  
   *       "This product includes software developed by the
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowledgment may appear in the software itself,
   *    if and wherever such third-party acknowledgments normally appear.
   *
   * 4. The name "Apache Software Foundation" must not be used to endorse or
   *    promote products derived from this software without prior written
   *    permission. For written permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache",
   *    nor may "Apache" appear in their name, without prior written
   *    permission of the Apache Software Foundation.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation and was
   * originally based on software copyright (c) 1999-2002, Sun Microsystems,
   * Inc., http://www.sun.com.  For more information on the Apache Software
   * Foundation, please see <http://www.apache.org/>.
   */
  
  package org.apache.xml.serializer;
  
  import java.io.File;
  import java.io.FileInputStream;
  import java.io.FileNotFoundException;
  import java.io.InputStream;
  
  import java.security.AccessController;
  import java.security.PrivilegedAction;
  import java.security.PrivilegedActionException;
  import java.security.PrivilegedExceptionAction;
  
  import java.util.Properties;
  
  /**
   * This class is duplicated for each Xalan-Java subpackage so keep it in sync.
   * It is package private and therefore is not exposed as part of the Xalan-Java
   * API.
   *
   * Security related methods that only work on J2SE 1.2 and newer.
   */
  class SecuritySupport12 extends SecuritySupport {

      /*
       * Every method below runs its operation inside
       * AccessController.doPrivileged, so the permission check stops at this
       * class's protection domain instead of walking further up the call
       * stack. Arguments (loaders, resource names, files, property names)
       * are passed through without validation, so code in this package that
       * calls these methods decides what gets accessed with those privileges.
       */

      /**
       * Read the current thread's context class loader in a privileged block.
       *
       * @return the loader, or null if a SecurityException was raised
       */
      public ClassLoader getContextClassLoader() {
          PrivilegedAction lookup = new PrivilegedAction() {
              public Object run() {
                  try {
                      return Thread.currentThread().getContextClassLoader();
                  } catch (SecurityException ex) {
                      // Best effort: report "no loader" rather than fail.
                      return null;
                  }
              }
          };
          return (ClassLoader) AccessController.doPrivileged(lookup);
      }

      /**
       * Read the system class loader in a privileged block.
       *
       * @return the loader, or null if a SecurityException was raised
       */
      public ClassLoader getSystemClassLoader() {
          PrivilegedAction lookup = new PrivilegedAction() {
              public Object run() {
                  try {
                      return ClassLoader.getSystemClassLoader();
                  } catch (SecurityException ex) {
                      // Best effort: report "no loader" rather than fail.
                      return null;
                  }
              }
          };
          return (ClassLoader) AccessController.doPrivileged(lookup);
      }

      /**
       * Read the parent of <code>cl</code> in a privileged block.
       *
       * @param cl loader whose parent is wanted
       * @return the parent, or null if a SecurityException was raised or the
       *         loader reports itself as its own parent
       */
      public ClassLoader getParentClassLoader(final ClassLoader cl) {
          PrivilegedAction lookup = new PrivilegedAction() {
              public Object run() {
                  ClassLoader parent;
                  try {
                      parent = cl.getParent();
                  } catch (SecurityException ex) {
                      parent = null;
                  }

                  // A boot ClassLoader that returns itself as parent would
                  // make callers walking the chain loop; cut the chain here.
                  if (parent == cl) {
                      return null;
                  }
                  return parent;
              }
          };
          return (ClassLoader) AccessController.doPrivileged(lookup);
      }

      /**
       * Read a system property in a privileged block.
       *
       * @param propName name of the property
       * @return whatever System.getProperty returns for that name
       */
      public String getSystemProperty(final String propName) {
          PrivilegedAction read = new PrivilegedAction() {
              public Object run() {
                  return System.getProperty(propName);
              }
          };
          return (String) AccessController.doPrivileged(read);
      }

      /**
       * Open <code>file</code> for reading in a privileged block.
       *
       * @param file file to open, used as given
       * @return a new stream on the file
       * @throws FileNotFoundException rethrown from the privileged action
       */
      public FileInputStream getFileInputStream(final File file)
          throws FileNotFoundException
      {
          PrivilegedExceptionAction open = new PrivilegedExceptionAction() {
              public Object run() throws FileNotFoundException {
                  return new FileInputStream(file);
              }
          };
          try {
              return (FileInputStream) AccessController.doPrivileged(open);
          } catch (PrivilegedActionException e) {
              // The action declares only FileNotFoundException, so unwrap it.
              throw (FileNotFoundException) e.getException();
          }
      }

      /**
       * Open the named resource in a privileged block, through
       * <code>cl</code> or through the system resource lookup when no loader
       * is supplied.
       *
       * @param cl loader to ask, or null for ClassLoader.getSystemResourceAsStream
       * @param name resource name, passed through unchanged
       * @return the stream returned by the lookup
       */
      public InputStream getResourceAsStream(final ClassLoader cl,
                                             final String name)
      {
          PrivilegedAction open = new PrivilegedAction() {
              public Object run() {
                  return (cl == null)
                      ? ClassLoader.getSystemResourceAsStream(name)
                      : cl.getResourceAsStream(name);
              }
          };
          return (InputStream) AccessController.doPrivileged(open);
      }

      /**
       * Test for the file's existence in a privileged block.
       *
       * @param f file to test
       * @return the result of <code>f.exists()</code>
       */
      public boolean getFileExists(final File f) {
          Object answer = AccessController.doPrivileged(new PrivilegedAction() {
              public Object run() {
                  return new Boolean(f.exists());
              }
          });
          return ((Boolean) answer).booleanValue();
      }

      /**
       * Read the file's modification time in a privileged block.
       *
       * @param f file to query
       * @return the result of <code>f.lastModified()</code>
       */
      public long getLastModified(final File f) {
          Object answer = AccessController.doPrivileged(new PrivilegedAction() {
              public Object run() {
                  return new Long(f.lastModified());
              }
          });
          return ((Long) answer).longValue();
      }

  }
  
  
  
