rsitze 2002/12/12 12:29:16 Modified: logging/src/java/org/apache/commons/logging LogFactory.java logging/src/java/org/apache/commons/logging/impl SimpleLog.java Log: Fix getResourceAsStream security violations with doPriv. Revision Changes Path 1.16 +24 -10 jakarta-commons/logging/src/java/org/apache/commons/logging/LogFactory.java Index: LogFactory.java =================================================================== RCS file: /home/cvs/jakarta-commons/logging/src/java/org/apache/commons/logging/LogFactory.java,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- LogFactory.java 19 Oct 2002 17:38:06 -0000 1.15 +++ LogFactory.java 12 Dec 2002 20:29:16 -0000 1.16 @@ -278,9 +278,9 @@ Properties props=null; try { - InputStream stream = (contextClassLoader == null - ? ClassLoader.getSystemResourceAsStream( FACTORY_PROPERTIES ) - : contextClassLoader.getResourceAsStream( FACTORY_PROPERTIES )); + InputStream stream = getResourceAsStream(contextClassLoader, + FACTORY_PROPERTIES); + if (stream != null) { props = new Properties(); props.load(stream); @@ -310,9 +310,8 @@ if (factory == null) { try { - InputStream is = (contextClassLoader == null - ? ClassLoader.getSystemResourceAsStream( SERVICE_ID ) - : contextClassLoader.getResourceAsStream( SERVICE_ID )); + InputStream is = getResourceAsStream(contextClassLoader, + SERVICE_ID); if( is != null ) { // This code is needed by EBCDIC and other strange systems. 
@@ -574,5 +573,20 @@ } catch (Exception e) { throw new LogConfigurationException(e); } + } + + private static InputStream getResourceAsStream(final ClassLoader loader, + final String name) + { + return (InputStream)AccessController.doPrivileged( + new PrivilegedAction() { + public Object run() { + if (loader != null) { + return loader.getResourceAsStream(name); + } else { + return ClassLoader.getSystemResourceAsStream(name); + } + } + }); } } 1.8 +88 -23 jakarta-commons/logging/src/java/org/apache/commons/logging/impl/SimpleLog.java Index: SimpleLog.java =================================================================== RCS file: /home/cvs/jakarta-commons/logging/src/java/org/apache/commons/logging/impl/SimpleLog.java,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- SimpleLog.java 12 Dec 2002 19:49:30 -0000 1.7 +++ SimpleLog.java 12 Dec 2002 20:29:16 -0000 1.8 @@ -63,17 +63,17 @@ package org.apache.commons.logging.impl; import java.io.InputStream; +import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; -import java.security.AccessControlException; import java.security.AccessController; import java.security.PrivilegedAction; import java.text.DateFormat; import java.text.SimpleDateFormat; import java.util.Date; -import java.util.Enumeration; import java.util.Properties; import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogConfigurationException; /** * <p>Simple implementation of Log that sends all enabled log messages, 
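Review bot: The new private `getResourceAsStream(loader, name)` at the end of LogFactory has no comment saying that the lookup runs inside `AccessController.doPrivileged`, i.e. with this library's permissions rather than those of the code that triggered it. That is safe only while the method stays private and `name` is a fixed constant, as it is at the two call sites in the earlier hunks (`FACTORY_PROPERTIES` and `SERVICE_ID`). I would add a Javadoc such as `/** Privileged resource lookup; keep private and pass only fixed resource names, never caller-supplied ones. */`. The same applies to the one-argument helper this commit adds to SimpleLog.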
@@ -177,24 +177,8 @@ // load properties file, if found. // override with system properties. static { - - // identify the class loader to attempt resource loading with - ClassLoader classLoader = null; - try { - Method method = - Thread.class.getMethod("getContextClassLoader", null); - classLoader = (ClassLoader) - method.invoke(Thread.currentThread(), null); - } catch (Exception e) { - ; // Ignored (security exception or JDK 1.1) - } - if (classLoader == null) { - classLoader = SimpleLog.class.getClassLoader(); - } - // add props from the resource simplelog.properties - InputStream in = - classLoader.getResourceAsStream("simplelog.properties"); + InputStream in = getResourceAsStream("simplelog.properties"); if(null != in) { try { simpleLogProps.load(in); 
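Review bot: The call `getResourceAsStream("simplelog.properties")` sits in the static initializer before the visible `try`, so an exception thrown by the helper now escapes class initialization, whereas the removed code swallowed every exception with `catch (Exception e)`. The `getContextClassLoader()` added later in this file throws `LogConfigurationException` when the reflective call fails with anything other than a `SecurityException`. That case is rare, but it would leave SimpleLog unusable instead of falling back to defaults. Consider guarding the call, e.g. `InputStream in = null;` followed by `try { in = getResourceAsStream("simplelog.properties"); } catch (LogConfigurationException e) { ; /* keep defaults */ }`. The static block continues outside the hunk.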
@@ -583,6 +567,87 @@ public final boolean isWarnEnabled() { return isLevelEnabled(SimpleLog.LOG_LEVEL_WARN); + } + + + /** + * Return the thread context class loader if available. + * Otherwise return null. + * + * The thread context class loader is available for JDK 1.2 + * or later, if certain security conditions are met. + * + * @exception LogConfigurationException if a suitable class loader + * cannot be identified. + */ + private static ClassLoader getContextClassLoader() + { + ClassLoader classLoader = null; + + if (classLoader == null) { + try { + // Are we running on a JDK 1.2 or later system? + Method method = Thread.class.getMethod("getContextClassLoader", null); + + // Get the thread context class loader (if there is one) + try { + classLoader = (ClassLoader)method.invoke(Thread.currentThread(), null); + } catch (IllegalAccessException e) { + ; // ignore + } catch (InvocationTargetException e) { + /** + * InvocationTargetException is thrown by 'invoke' when + * the method being invoked (getContextClassLoader) throws + * an exception. + * + * getContextClassLoader() throws SecurityException when + * the context class loader isn't an ancestor of the + * calling class's class loader, or if security + * permissions are restricted. + * + * In the first case (not related), we want to ignore and + * keep going. We cannot help but also ignore the second + * with the logic below, but other calls elsewhere (to + * obtain a class loader) will trigger this exception where + * we can make a distinction. + */ + if (e.getTargetException() instanceof SecurityException) { + ; // ignore + } else { + // Capture 'e.getTargetException()' exception for details + // alternate: log 'e.getTargetException()', and pass back 'e'. 
+ throw new LogConfigurationException + ("Unexpected InvocationTargetException", e.getTargetException()); + } + } + } catch (NoSuchMethodException e) { + // Assume we are running on JDK 1.1 + ; // ignore + } + } + + if (classLoader == null) { + classLoader = SimpleLog.class.getClassLoader(); + } + + // Return the selected class loader + return classLoader; + } + + private static InputStream getResourceAsStream(final String name) + { + return (InputStream)AccessController.doPrivileged( + new PrivilegedAction() { + public Object run() { + ClassLoader threadCL = getContextClassLoader(); + + if (threadCL != null) { + return threadCL.getResourceAsStream(name); + } else { + return ClassLoader.getSystemResourceAsStream(name); + } + } + }); } }
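Review bot: The Javadoc on the new `getContextClassLoader()` says it returns the context class loader and "Otherwise return null", but the body falls back to `SimpleLog.class.getClassLoader()`, and the opening `if (classLoader == null)` is always true because the variable was just set to null. As a result, the `else` branch in `getResourceAsStream(name)` that uses `ClassLoader.getSystemResourceAsStream` is reached only when that fallback also returns null. I would drop the redundant guard and reword the comment to something like `Return the thread context class loader if available, otherwise the loader that loaded SimpleLog (which may be null).` It is also worth stating in the comment that this method is called from inside `doPrivileged`, so the reflective lookup runs with the library's permissions and the `SecurityException` branch is presumably less likely to fire than the long inline comment implies.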