Author: jboynes Date: Sat Mar 7 15:43:41 2015 New Revision: 1664878 URL: http://svn.apache.org/r1664878 Log: Fix for https://bz.apache.org/bugzilla/show_bug.cgi?id=57673 If an AccessControlException is thrown reading the accessExternalEntity fall back to the default
Modified: tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java Modified: tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java?rev=1664878&r1=1664877&r2=1664878&view=diff ==============================================================================
--- tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java (original)
+++ tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java Sat Mar 7 15:43:41 2015
@@ -19,6 +19,7 @@ package org.apache.taglibs.standard.util
 import java.io.FileNotFoundException;
 import java.io.InputStream;
 import java.io.Reader;
+import java.security.AccessControlException;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
@@ -113,12 +114,25 @@ public class XmlUtil {
 }
 private static final String SP_ALLOWED_PROTOCOLS = "org.apache.taglibs.standard.xml.accessExternalEntity";
- private static final String ALLOWED_PROTOCOLS = AccessController.doPrivileged(new PrivilegedAction<String>() {
- public String run() {
- String defaultProtocols = System.getSecurityManager() == null ? "all" : "";
- return System.getProperty(SP_ALLOWED_PROTOCOLS, defaultProtocols);
+ private static final String ALLOWED_PROTOCOLS = initAllowedProtocols();
+
+ private static String initAllowedProtocols() {
+ if (System.getSecurityManager() == null) {
+ return System.getProperty(SP_ALLOWED_PROTOCOLS, "all");
+ } else {
+ final String defaultProtocols = "";
+ try {
+ return AccessController.doPrivileged(new PrivilegedAction<String>() {
+ public String run() {
+ return System.getProperty(SP_ALLOWED_PROTOCOLS, defaultProtocols);
+ }
+ });
+ } catch (AccessControlException e) {
+ // Fall back to the default i.e. none.
+ return defaultProtocols;
+ }
 }
- });
+ }
 static void checkProtocol(String allowedProtocols, String uri) {
 if ("all".equalsIgnoreCase(allowedProtocols)) {
@@ -130,7 +144,7 @@ public class XmlUtil {
 return;
 }
 }
- throw new SecurityException("Access to external URI not allowed: " + uri);
+ throw new AccessControlException("Access to external URI not allowed: " + uri);
 }
 /**
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
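Review bot: The new `catch (AccessControlException e)` in initAllowedProtocols() is narrower than what System.getProperty is documented to throw, which is SecurityException; a security manager that throws a plain SecurityException would still abort the static initialisation of XmlUtil, which is presumably the failure the bug report describes. Catching the supertype keeps the same fail-closed fallback: `} catch (SecurityException e) {`. The fallback is also silent, so an operator who sets `org.apache.taglibs.standard.xml.accessExternalEntity` without granting the taglib a `PropertyPermission` to read it gets every external entity denied with no indication why; a log entry or a comment naming the required permission would help. The branch without a security manager keeps `"all"` as the default, which leaves external entity resolution open unless the property is set, and that deserves a sentence of Javadoc on the method.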
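Review bot: The last statement of checkProtocol now throws AccessControlException instead of SecurityException, but neither the log message nor a comment says why, and the one-argument constructor leaves getPermission() returning null for any handler that inspects it. Because AccessControlException extends SecurityException, existing `catch (SecurityException ...)` callers keep working, which is worth stating next to the throw, for example `// AccessControlException is a SecurityException, so existing handlers still apply`. The message also concatenates `uri` verbatim; that value presumably originates in the document being processed, so it should be treated as untrusted wherever the exception text is logged or rendered. checkProtocol begins in the previous hunk and its middle lines are outside both hunks.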