6824265: (tz) TimeZone.getTimeZone allows probing local filesystem

Reviewed-by: peytoia

6824265: (tz) TimeZone.getTimeZone allows probing local filesystem
Reviewed-by: peytoia
2e5048ee · okutsu · 2fb88495 · 2e5048ee
隐藏空白更改
内联并排

Showing with 45 addition and 31 deletion

src/share/classes/sun/util/calendar/ZoneInfoFile.java src/share/classes/sun/util/calendar/ZoneInfoFile.java +45 -31

未找到文件。
--- a/src/share/classes/sun/util/calendar/ZoneInfoFile.java
+++ b/src/share/classes/sun/util/calendar/ZoneInfoFile.java
 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -472,6 +472,18 @@ public class ZoneInfoFile {
    private static Map<String, ZoneInfo> zoneInfoObjects = null;
+    private static final String ziDir;
+    static {
+        String zi = (String) AccessController.doPrivileged(
+                         new sun.security.action.GetPropertyAction("java.home"))
+                    + File.separator + "lib" + File.separator + "zi";
+        try {
+            zi = new File(zi).getCanonicalPath();
+        } catch (Exception e) {
+        }
+        ziDir = zi;
+    }
    /**
     * Converts the given time zone ID to a platform dependent path
     * name. For example, "America/Los_Angeles" is converted to
@@ -576,20 +588,7 @@ public class ZoneInfoFile {
            return null;
        }
-        int index;
+        int index = 0;
-        for (index = 0; index < JAVAZI_LABEL.length; index++) {
-            if (buf[index] != JAVAZI_LABEL[index]) {
-                System.err.println("ZoneInfo: wrong magic number: " + id);
-                return null;
-            }
-        }
-        if (buf[index++] > JAVAZI_VERSION) {
-            System.err.println("ZoneInfo: incompatible version ("
-                               + buf[index - 1] + "): " + id);
-            return null;
-        }
        int filesize = buf.length;
        int rawOffset = 0;
        int dstSavings = 0;
@@ -600,6 +599,18 @@ public class ZoneInfoFile {
        int[] simpleTimeZoneParams = null;
        try {
+            for (index = 0; index < JAVAZI_LABEL.length; index++) {
+                if (buf[index] != JAVAZI_LABEL[index]) {
+                    System.err.println("ZoneInfo: wrong magic number: " + id);
+                    return null;
+                }
+            }
+            if (buf[index++] > JAVAZI_VERSION) {
+                System.err.println("ZoneInfo: incompatible version ("
+                                   + buf[index - 1] + "): " + id);
+                return null;
+            }
            while (index < filesize) {
                byte tag = buf[index++];
                int  len = ((buf[index++] & 0xFF) << 8) + (buf[index++] & 0xFF);
@@ -1017,30 +1028,33 @@ public class ZoneInfoFile {
     * Reads the specified file under &lt;java.home&gt;/lib/zi into a buffer.
     * @return the buffer, or null if any I/O error occurred.
     */
-    private static byte[] readZoneInfoFile(String fileName) {
+    private static byte[] readZoneInfoFile(final String fileName) {
        byte[] buffer = null;
        try {
-            String homeDir = AccessController.doPrivileged(
-                new sun.security.action.GetPropertyAction("java.home"));
-            final String fname = homeDir + File.separator + "lib" + File.separator
-                                 + "zi" + File.separator + fileName;
            buffer = (byte[]) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                public Object run() throws IOException {
-                    File file = new File(fname);
+                    File file = new File(ziDir, fileName);
-                    if (!file.canRead()) {
+                    if (!file.exists() || !file.isFile()) {
                        return null;
                    }
-                    int filesize = (int)file.length();
+                    file = file.getCanonicalFile();
-                    byte[] buf = new byte[filesize];
+                    String path = file.getCanonicalPath();
+                    byte[] buf = null;
-                    FileInputStream fis = new FileInputStream(file);
+                    if (path != null && path.startsWith(ziDir)) {
+                        int filesize = (int)file.length();
-                    if (fis.read(buf) != filesize) {
+                        if (filesize > 0) {
-                        fis.close();
+                            FileInputStream fis = new FileInputStream(file);
-                        throw new IOException("read error on " + fname);
+                            buf = new byte[filesize];
+                            try {
+                                if (fis.read(buf) != filesize) {
+                                    throw new IOException("read error on " + fileName);
+                                }
+                            } finally {
+                                fis.close();
+                            }
+                        }
                    }
-                    fis.close();
                    return buf;
                }
            });