7195917: XMLDecoder parsing at close-time should be improved

Reviewed-by: art, ahgross

7195917: XMLDecoder parsing at close-time should be improved
Reviewed-by: art, ahgross
a2f1fa8e · malenkov · a39d5f2b · a2f1fa8e · a2f1fa8e
2 changed file
--- a/src/share/classes/com/sun/beans/decoder/DocumentHandler.java
+++ b/src/share/classes/com/sun/beans/decoder/DocumentHandler.java
 /*
- * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,9 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
@@ -46,6 +49,8 @@ import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
+import sun.misc.SharedSecrets;
 /**
 * The main class to parse JavaBeans XML archive.
 *
@@ -56,11 +61,10 @@ import org.xml.sax.helpers.DefaultHandler;
 * @see ElementHandler
 */
 public final class DocumentHandler extends DefaultHandler {
-    private final Map<String, Class<? extends ElementHandler>> handlers = new HashMap<String, Class<? extends ElementHandler>>();
+    private final AccessControlContext acc = AccessController.getContext();
+    private final Map<String, Class<? extends ElementHandler>> handlers = new HashMap<>();
-    private final Map<String, Object> environment = new HashMap<String, Object>();
+    private final Map<String, Object> environment = new HashMap<>();
+    private final List<Object> objects = new ArrayList<>();
-    private final List<Object> objects = new ArrayList<Object>();
    private Reference<ClassLoader> loader;
    private ExceptionListener listener;
@@ -351,23 +355,32 @@ public final class DocumentHandler extends DefaultHandler {
     *
     * @param input  the input source to parse
     */
-    public void parse(InputSource input) {
+    public void parse(final InputSource input) {
-        try {
+        if ((this.acc == null) && (null != System.getSecurityManager())) {
-            SAXParserFactory.newInstance().newSAXParser().parse(input, this);
+            throw new SecurityException("AccessControlContext is not set");
        }
-        catch (ParserConfigurationException exception) {
+        AccessControlContext stack = AccessController.getContext();
-            handleException(exception);
+        SharedSecrets.getJavaSecurityAccess().doIntersectionPrivilege(new PrivilegedAction<Void>() {
-        }
+            public Void run() {
-        catch (SAXException wrapper) {
+                try {
-            Exception exception = wrapper.getException();
+                    SAXParserFactory.newInstance().newSAXParser().parse(input, DocumentHandler.this);
-            if (exception == null) {
+                }
-                exception = wrapper;
+                catch (ParserConfigurationException exception) {
+                    handleException(exception);
+                }
+                catch (SAXException wrapper) {
+                    Exception exception = wrapper.getException();
+                    if (exception == null) {
+                        exception = wrapper;
+                    }
+                    handleException(exception);
+                }
+                catch (IOException exception) {
+                    handleException(exception);
+                }
+                return null;
            }
-            handleException(exception);
+        }, stack, this.acc);
-        }
-        catch (IOException exception) {
-            handleException(exception);
-        }
    }
    /**

--- a/src/share/classes/java/beans/XMLDecoder.java
+++ b/src/share/classes/java/beans/XMLDecoder.java
 /*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,9 @@ import com.sun.beans.decoder.DocumentHandler;
 import java.io.Closeable;
 import java.io.InputStream;
 import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import org.xml.sax.InputSource;
 import org.xml.sax.helpers.DefaultHandler;
@@ -61,6 +64,7 @@ import org.xml.sax.helpers.DefaultHandler;
 * @author Philip Milne
 */
 public class XMLDecoder implements AutoCloseable {
+    private final AccessControlContext acc = AccessController.getContext();
    private final DocumentHandler handler = new DocumentHandler();
    private final InputSource input;
    private Object owner;
@@ -189,7 +193,15 @@ public class XMLDecoder implements AutoCloseable {
            return false;
        }
        if (this.array == null) {
-            this.handler.parse(this.input);
+            if ((this.acc == null) && (null != System.getSecurityManager())) {
+                throw new SecurityException("AccessControlContext is not set");
+            }
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    XMLDecoder.this.handler.parse(XMLDecoder.this.input);
+                    return null;
+                }
+            }, this.acc);
            this.array = this.handler.getObjects();
        }
        return true;