Author: mrglavas Date: Mon Feb 25 04:21:39 2013 New Revision: 1449591 URL: http://svn.apache.org/r1449591 Log: Align JAXP API factory code with ObjectFactory classes in Xerces and Xalan which make explicit calls to checkPackageAccess() before loading classes.
Modified: xerces/xml-commons/trunk/java/external/src/javax/xml/datatype/FactoryFinder.java xerces/xml-commons/trunk/java/external/src/javax/xml/parsers/FactoryFinder.java xerces/xml-commons/trunk/java/external/src/javax/xml/stream/FactoryFinder.java xerces/xml-commons/trunk/java/external/src/javax/xml/transform/FactoryFinder.java xerces/xml-commons/trunk/java/external/src/javax/xml/validation/SchemaFactoryFinder.java xerces/xml-commons/trunk/java/external/src/javax/xml/xpath/XPathFactoryFinder.java xerces/xml-commons/trunk/java/external/src/org/w3c/dom/bootstrap/DOMImplementationRegistry.java xerces/xml-commons/trunk/java/external/src/org/xml/sax/helpers/NewInstance.java Modified: xerces/xml-commons/trunk/java/external/src/javax/xml/datatype/FactoryFinder.java URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/external/src/javax/xml/datatype/FactoryFinder.java?rev=1449591&r1=1449590&r2=1449591&view=diff ============================================================================== --- xerces/xml-commons/trunk/java/external/src/javax/xml/datatype/FactoryFinder.java (original) +++ xerces/xml-commons/trunk/java/external/src/javax/xml/datatype/FactoryFinder.java Mon Feb 25 04:21:39 2013 
@@ -147,6 +147,16 @@ final class FactoryFinder { throws ConfigurationError { try { + // throw security exception if the calling thread is not allowed to access the package + // restrict the access to package as specified in java.security policy + SecurityManager security = System.getSecurityManager(); + if (security != null) { + final int lastDot = className.lastIndexOf('.'); + if (lastDot != -1) { + String packageName = className.substring(0, lastDot); + security.checkPackageAccess(packageName); + } + } Class spiClass; if (classLoader == null) { spiClass = Class.forName(className); Modified: xerces/xml-commons/trunk/java/external/src/javax/xml/parsers/FactoryFinder.java URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/external/src/javax/xml/parsers/FactoryFinder.java?rev=1449591&r1=1449590&r2=1449591&view=diff ============================================================================== --- xerces/xml-commons/trunk/java/external/src/javax/xml/parsers/FactoryFinder.java (original) +++ xerces/xml-commons/trunk/java/external/src/javax/xml/parsers/FactoryFinder.java Mon Feb 25 04:21:39 2013 
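Review bot: The new `security.checkPackageAccess(packageName)` call sits inside the existing `try {`, so whether a denial reaches the caller as a `SecurityException` depends on catch clauses that lie outside this hunk. If one of them is a broad `catch (Exception ...)`, the denial would be rewrapped as a `ConfigurationError`, or possibly treated as "provider not found" so that lookup continues, which contradicts the added comment "throw security exception". Consider hoisting the added block above `try {`, or placing `catch (SecurityException se) { throw se; }` ahead of the broader handlers. The same placement recurs in the javax.xml.parsers, javax.xml.stream and javax.xml.transform FactoryFinder hunks and in SchemaFactoryFinder and XPathFactoryFinder, whereas NewInstance runs the check outside any visible `try`, so the eight files may not fail the same way.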
@@ -100,6 +100,16 @@ final class FactoryFinder { // assert(className != null); try { + // throw security exception if the calling thread is not allowed to access the package + // restrict the access to package as specified in java.security policy + SecurityManager security = System.getSecurityManager(); + if (security != null) { + final int lastDot = className.lastIndexOf('.'); + if (lastDot != -1) { + String packageName = className.substring(0, lastDot); + security.checkPackageAccess(packageName); + } + } Class providerClass; if (cl == null) { // If classloader is null Use the bootstrap ClassLoader. Modified: xerces/xml-commons/trunk/java/external/src/javax/xml/stream/FactoryFinder.java URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/external/src/javax/xml/stream/FactoryFinder.java?rev=1449591&r1=1449590&r2=1449591&view=diff ============================================================================== --- xerces/xml-commons/trunk/java/external/src/javax/xml/stream/FactoryFinder.java (original) +++ xerces/xml-commons/trunk/java/external/src/javax/xml/stream/FactoryFinder.java Mon Feb 25 04:21:39 2013 
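Review bot: The package name is derived with a bare `className.lastIndexOf('.')`, which assumes `className` is always a plain binary class name. On the null-loader branch the name goes to `Class.forName` (visible in the datatype hunk), which also accepts array-descriptor names, and for those the derived prefix would not match a restricted-package entry in the policy. Impact looks limited because instantiating an array class fails afterwards, but the check is meant to gate loading, so reject such names first, e.g. `if (className.startsWith("[")) throw new ClassNotFoundException(className);`, or strip the descriptor prefix before taking the substring. This applies to every hunk in the commit, including the `sourceName` variant in DOMImplementationRegistry.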
@@ -100,6 +100,16 @@ final class FactoryFinder { // assert(className != null); try { + // throw security exception if the calling thread is not allowed to access the package + // restrict the access to package as specified in java.security policy + SecurityManager security = System.getSecurityManager(); + if (security != null) { + final int lastDot = className.lastIndexOf('.'); + if (lastDot != -1) { + String packageName = className.substring(0, lastDot); + security.checkPackageAccess(packageName); + } + } Class providerClass; if (cl == null) { // If classloader is null Use the bootstrap ClassLoader. Modified: xerces/xml-commons/trunk/java/external/src/javax/xml/transform/FactoryFinder.java URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/external/src/javax/xml/transform/FactoryFinder.java?rev=1449591&r1=1449590&r2=1449591&view=diff ============================================================================== --- xerces/xml-commons/trunk/java/external/src/javax/xml/transform/FactoryFinder.java (original) +++ xerces/xml-commons/trunk/java/external/src/javax/xml/transform/FactoryFinder.java Mon Feb 25 04:21:39 2013 
@@ -100,6 +100,16 @@ final class FactoryFinder { // assert(className != null); try { + // throw security exception if the calling thread is not allowed to access the package + // restrict the access to package as specified in java.security policy + SecurityManager security = System.getSecurityManager(); + if (security != null) { + final int lastDot = className.lastIndexOf('.'); + if (lastDot != -1) { + String packageName = className.substring(0, lastDot); + security.checkPackageAccess(packageName); + } + } Class providerClass; if (cl == null) { // If classloader is null Use the bootstrap ClassLoader. Modified: xerces/xml-commons/trunk/java/external/src/javax/xml/validation/SchemaFactoryFinder.java URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/external/src/javax/xml/validation/SchemaFactoryFinder.java?rev=1449591&r1=1449590&r2=1449591&view=diff ============================================================================== --- xerces/xml-commons/trunk/java/external/src/javax/xml/validation/SchemaFactoryFinder.java (original) +++ xerces/xml-commons/trunk/java/external/src/javax/xml/validation/SchemaFactoryFinder.java Mon Feb 25 04:21:39 2013 
@@ -298,6 +298,16 @@ final class SchemaFactoryFinder { */ SchemaFactory createInstance( String className ) { try { + // throw security exception if the calling thread is not allowed to access the package + // restrict the access to package as specified in java.security policy + SecurityManager security = System.getSecurityManager(); + if (security != null) { + final int lastDot = className.lastIndexOf('.'); + if (lastDot != -1) { + String packageName = className.substring(0, lastDot); + security.checkPackageAccess(packageName); + } + } if (debug) debugPrintln("instanciating "+className); Class clazz; if( classLoader!=null ) Modified: xerces/xml-commons/trunk/java/external/src/javax/xml/xpath/XPathFactoryFinder.java URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/external/src/javax/xml/xpath/XPathFactoryFinder.java?rev=1449591&r1=1449590&r2=1449591&view=diff ============================================================================== --- xerces/xml-commons/trunk/java/external/src/javax/xml/xpath/XPathFactoryFinder.java (original) +++ xerces/xml-commons/trunk/java/external/src/javax/xml/xpath/XPathFactoryFinder.java Mon Feb 25 04:21:39 2013 
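Review bot: The access check runs before `if (debug) debugPrintln("instanciating "+className);`, so with debugging enabled a provider rejected by the security policy leaves no trace of which class name was being tried, unless a handler outside this hunk logs it. Moving the added block below the `debugPrintln` line keeps the denial diagnosable without changing what is permitted. XPathFactoryFinder.createInstance has the same ordering. The body of createInstance continues outside the hunk.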
@@ -268,6 +268,16 @@ final class XPathFactoryFinder { */ XPathFactory createInstance( String className ) { try { + // throw security exception if the calling thread is not allowed to access the package + // restrict the access to package as specified in java.security policy + SecurityManager security = System.getSecurityManager(); + if (security != null) { + final int lastDot = className.lastIndexOf('.'); + if (lastDot != -1) { + String packageName = className.substring(0, lastDot); + security.checkPackageAccess(packageName); + } + } if (debug) debugPrintln("instanciating "+className); Class clazz; if( classLoader!=null ) Modified: xerces/xml-commons/trunk/java/external/src/org/w3c/dom/bootstrap/DOMImplementationRegistry.java URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/external/src/org/w3c/dom/bootstrap/DOMImplementationRegistry.java?rev=1449591&r1=1449590&r2=1449591&view=diff ============================================================================== --- xerces/xml-commons/trunk/java/external/src/org/w3c/dom/bootstrap/DOMImplementationRegistry.java (original) +++ xerces/xml-commons/trunk/java/external/src/org/w3c/dom/bootstrap/DOMImplementationRegistry.java Mon Feb 25 04:21:39 2013 
@@ -138,6 +138,16 @@ public final class DOMImplementationRegi StringTokenizer st = new StringTokenizer(p); while (st.hasMoreTokens()) { String sourceName = st.nextToken(); + // throw security exception if the calling thread is not allowed to access the package + // restrict the access to package as specified in java.security policy + SecurityManager security = System.getSecurityManager(); + if (security != null) { + final int lastDot = sourceName.lastIndexOf('.'); + if (lastDot != -1) { + String packageName = sourceName.substring(0, lastDot); + security.checkPackageAccess(packageName); + } + } // Use context class loader, falling back to Class.forName // if and only if this fails... Class sourceClass = null; Modified: xerces/xml-commons/trunk/java/external/src/org/xml/sax/helpers/NewInstance.java URL: http://svn.apache.org/viewvc/xerces/xml-commons/trunk/java/external/src/org/xml/sax/helpers/NewInstance.java?rev=1449591&r1=1449590&r2=1449591&view=diff ============================================================================== --- xerces/xml-commons/trunk/java/external/src/org/xml/sax/helpers/NewInstance.java (original) +++ xerces/xml-commons/trunk/java/external/src/org/xml/sax/helpers/NewInstance.java Mon Feb 25 04:21:39 2013 
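Review bot: Inside the `while (st.hasMoreTokens())` loop a denied `sourceName` now throws before the remaining tokens are looked at, so one restricted entry in the source list stops later, permitted sources from being considered, unless enclosing code outside this hunk catches it. If that fail-closed behaviour is intended, state it in the comment, e.g. `// a denied source aborts the lookup; remaining entries are not tried`. Separately, `System.getSecurityManager()` is loop-invariant here and could be read once above the `while`.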
@@ -50,6 +50,16 @@ class NewInstance { throws ClassNotFoundException, IllegalAccessException, InstantiationException { + // throw security exception if the calling thread is not allowed to access the package + // restrict the access to package as specified in java.security policy + SecurityManager security = System.getSecurityManager(); + if (security != null) { + final int lastDot = className.lastIndexOf('.'); + if (lastDot != -1) { + String packageName = className.substring(0, lastDot); + security.checkPackageAccess(packageName); + } + } Class driverClass; if (classLoader == null) { // XXX Use the bootstrap ClassLoader. There is no way to --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@xerces.apache.org For additional commands, e-mail: commits-h...@xerces.apache.org
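Review bot: `SecurityException` is now a possible outcome of this method, but the visible `throws` clause names only `ClassNotFoundException`, `IllegalAccessException` and `InstantiationException`, and the method comment is outside the hunk. Add `@throws SecurityException if a security manager denies access to the package of className` to the method's documentation so callers know an unchecked exception can escape before any class is loaded. Callers that translate the three checked exceptions into their own error type should be checked for how they treat this one.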