rsitze 2002/12/12 12:29:16
Modified: logging/src/java/org/apache/commons/logging LogFactory.java
logging/src/java/org/apache/commons/logging/impl
SimpleLog.java
Log:
Fix getResourceAsStream security violations by wrapping the calls in AccessController.doPrivileged.
Revision Changes Path
1.16 +24 -10
jakarta-commons/logging/src/java/org/apache/commons/logging/LogFactory.java
Index: LogFactory.java
===================================================================
RCS file:
/home/cvs/jakarta-commons/logging/src/java/org/apache/commons/logging/LogFactory.java,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- LogFactory.java 19 Oct 2002 17:38:06 -0000 1.15
+++ LogFactory.java 12 Dec 2002 20:29:16 -0000 1.16
@@ -278,9 +278,9 @@
Properties props=null;
try {
- InputStream stream = (contextClassLoader == null
- ? ClassLoader.getSystemResourceAsStream(
FACTORY_PROPERTIES )
- : contextClassLoader.getResourceAsStream(
FACTORY_PROPERTIES ));
+ InputStream stream = getResourceAsStream(contextClassLoader,
+ FACTORY_PROPERTIES);
+
if (stream != null) {
props = new Properties();
props.load(stream);
@@ -310,9 +310,8 @@
if (factory == null) {
try {
- InputStream is = (contextClassLoader == null
- ? ClassLoader.getSystemResourceAsStream(
SERVICE_ID )
- : contextClassLoader.getResourceAsStream(
SERVICE_ID ));
+ InputStream is = getResourceAsStream(contextClassLoader,
+ SERVICE_ID);
if( is != null ) {
// This code is needed by EBCDIC and other strange systems.
@@ -574,5 +573,20 @@
} catch (Exception e) {
throw new LogConfigurationException(e);
}
+ }
+
+ private static InputStream getResourceAsStream(final ClassLoader loader,
+ final String name)
+ {
+ return (InputStream)AccessController.doPrivileged(
+ new PrivilegedAction() {
+ public Object run() {
+ if (loader != null) {
+ return loader.getResourceAsStream(name);
+ } else {
+ return ClassLoader.getSystemResourceAsStream(name);
+ }
+ }
+ });
}
}
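Review bot: The new private `getResourceAsStream(loader, name)` helper has no comment stating the constraint that keeps its `doPrivileged` block safe. `AccessController.doPrivileged` stops the permission check at this frame, so the callers' protection domains are no longer consulted for the resource read. Both call sites in this diff pass constants (`FACTORY_PROPERTIES`, `SERVICE_ID`) and the helper is `private static`, which is the right shape. I would add a Javadoc above it along the lines of `/** Loads a resource under LogFactory's own permissions; name must be a trusted constant, never caller-supplied. Keep private. */` so that a later change does not widen it.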
1.8 +88 -23
jakarta-commons/logging/src/java/org/apache/commons/logging/impl/SimpleLog.java
Index: SimpleLog.java
===================================================================
RCS file:
/home/cvs/jakarta-commons/logging/src/java/org/apache/commons/logging/impl/SimpleLog.java,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- SimpleLog.java 12 Dec 2002 19:49:30 -0000 1.7
+++ SimpleLog.java 12 Dec 2002 20:29:16 -0000 1.8
@@ -63,17 +63,17 @@
package org.apache.commons.logging.impl;
import java.io.InputStream;
+import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
-import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
-import java.util.Enumeration;
import java.util.Properties;
import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogConfigurationException;
/**
* <p>Simple implementation of Log that sends all enabled log messages,
@@ -177,24 +177,8 @@
// load properties file, if found.
// override with system properties.
static {
-
- // identify the class loader to attempt resource loading with
- ClassLoader classLoader = null;
- try {
- Method method =
- Thread.class.getMethod("getContextClassLoader", null);
- classLoader = (ClassLoader)
- method.invoke(Thread.currentThread(), null);
- } catch (Exception e) {
- ; // Ignored (security exception or JDK 1.1)
- }
- if (classLoader == null) {
- classLoader = SimpleLog.class.getClassLoader();
- }
-
// add props from the resource simplelog.properties
- InputStream in =
- classLoader.getResourceAsStream("simplelog.properties");
+ InputStream in = getResourceAsStream("simplelog.properties");
if(null != in) {
try {
simpleLogProps.load(in);
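Review bot: The static initializer now calls `getResourceAsStream("simplelog.properties")` outside any `try`, and the `getContextClassLoader()` it reaches can throw `LogConfigurationException`, whereas the removed code ignored every exception from the class loader lookup. An exception escaping a static initializer surfaces as `ExceptionInInitializerError` and leaves `SimpleLog` unusable afterwards, which is a harsh failure mode for an optional properties file. Consider guarding the call, e.g. `InputStream in = null;` followed by `try { in = getResourceAsStream("simplelog.properties"); } catch (LogConfigurationException e) { /* fall back to defaults */ }`. The static block continues past the end of this hunk.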
@@ -583,6 +567,87 @@
public final boolean isWarnEnabled() {
return isLevelEnabled(SimpleLog.LOG_LEVEL_WARN);
+ }
+
+
+ /**
+ * Return the thread context class loader if available.
+ * Otherwise return null.
+ *
+ * The thread context class loader is available for JDK 1.2
+ * or later, if certain security conditions are met.
+ *
+ * @exception LogConfigurationException if a suitable class loader
+ * cannot be identified.
+ */
+ private static ClassLoader getContextClassLoader()
+ {
+ ClassLoader classLoader = null;
+
+ if (classLoader == null) {
+ try {
+ // Are we running on a JDK 1.2 or later system?
+ Method method = Thread.class.getMethod("getContextClassLoader",
null);
+
+ // Get the thread context class loader (if there is one)
+ try {
+ classLoader =
(ClassLoader)method.invoke(Thread.currentThread(), null);
+ } catch (IllegalAccessException e) {
+ ; // ignore
+ } catch (InvocationTargetException e) {
+ /**
+ * InvocationTargetException is thrown by 'invoke' when
+ * the method being invoked (getContextClassLoader) throws
+ * an exception.
+ *
+ * getContextClassLoader() throws SecurityException when
+ * the context class loader isn't an ancestor of the
+ * calling class's class loader, or if security
+ * permissions are restricted.
+ *
+ * In the first case (not related), we want to ignore and
+ * keep going. We cannot help but also ignore the second
+ * with the logic below, but other calls elsewhere (to
+ * obtain a class loader) will trigger this exception where
+ * we can make a distinction.
+ */
+ if (e.getTargetException() instanceof SecurityException) {
+ ; // ignore
+ } else {
+ // Capture 'e.getTargetException()' exception for details
+ // alternate: log 'e.getTargetException()', and pass back
'e'.
+ throw new LogConfigurationException
+ ("Unexpected InvocationTargetException",
e.getTargetException());
+ }
+ }
+ } catch (NoSuchMethodException e) {
+ // Assume we are running on JDK 1.1
+ ; // ignore
+ }
+ }
+
+ if (classLoader == null) {
+ classLoader = SimpleLog.class.getClassLoader();
+ }
+
+ // Return the selected class loader
+ return classLoader;
+ }
+
+ private static InputStream getResourceAsStream(final String name)
+ {
+ return (InputStream)AccessController.doPrivileged(
+ new PrivilegedAction() {
+ public Object run() {
+ ClassLoader threadCL = getContextClassLoader();
+
+ if (threadCL != null) {
+ return threadCL.getResourceAsStream(name);
+ } else {
+ return ClassLoader.getSystemResourceAsStream(name);
+ }
+ }
+ });
}
}
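Review bot: The Javadoc on `getContextClassLoader()` says "Otherwise return null", but the body falls back to `SimpleLog.class.getClassLoader()` before returning, so null comes back only when that fallback is itself null. The summary should say so, e.g. `Return the thread context class loader if available, otherwise the loader that defined SimpleLog (which may be null).` The `if (classLoader == null)` guard directly after `ClassLoader classLoader = null;` is always true and can be dropped. `getResourceAsStream(String)` also deserves a one-line comment that it runs under `doPrivileged` and must only be given fixed resource names, since the callers' permissions are not checked inside that block.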