aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon Steiner <ssteiner@apache.org>2021-12-07 08:04:15 +0000
committerSimon Steiner <ssteiner@apache.org>2021-12-07 08:04:15 +0000
commit69ce536bf92f774d4d0a09d9068c1dbc972715f7 (patch)
tree89218f5e8ff65a907345da238480fce1d2706359
parent4f54576cfcf98d845a8f56b2a0307f6ca29679c2 (diff)
downloadxmlgraphics-fop-69ce536bf92f774d4d0a09d9068c1dbc972715f7.tar.gz
xmlgraphics-fop-69ce536bf92f774d4d0a09d9068c1dbc972715f7.zip
FOP-3038: Allow sections which need security permissions to be run when AllPermission denied in caller code
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/fop/trunk@1895652 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--fop-core/src/main/java/org/apache/fop/apps/FopFactory.java12
-rw-r--r--fop-core/src/main/java/org/apache/fop/fo/FOTreeBuilder.java46
-rw-r--r--fop-core/src/test/java/org/apache/fop/apps/FopFactoryTestCase.java49
-rw-r--r--fop/lib/xmlgraphics-commons-svn-trunk.jarbin674647 -> 675479 bytes
4 files changed, 96 insertions, 11 deletions
diff --git a/fop-core/src/main/java/org/apache/fop/apps/FopFactory.java b/fop-core/src/main/java/org/apache/fop/apps/FopFactory.java
index 6708f2113..2685fe021 100644
--- a/fop-core/src/main/java/org/apache/fop/apps/FopFactory.java
+++ b/fop-core/src/main/java/org/apache/fop/apps/FopFactory.java
@@ -24,6 +24,8 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
@@ -142,8 +144,14 @@ public final class FopFactory implements ImageContext {
* @param baseURI the base URI to resolve resource URIs against
* @return the requested FopFactory instance.
*/
- public static FopFactory newInstance(URI baseURI) {
- return new FopFactoryBuilder(baseURI).build();
+ public static FopFactory newInstance(final URI baseURI) {
+ return AccessController.doPrivileged(
+ new PrivilegedAction<FopFactory>() {
+ public FopFactory run() {
+ return new FopFactoryBuilder(baseURI).build();
+ }
+ }
+ );
}
/**
diff --git a/fop-core/src/main/java/org/apache/fop/fo/FOTreeBuilder.java b/fop-core/src/main/java/org/apache/fop/fo/FOTreeBuilder.java
index 249f0e0fe..766b6188d 100644
--- a/fop-core/src/main/java/org/apache/fop/fo/FOTreeBuilder.java
+++ b/fop-core/src/main/java/org/apache/fop/fo/FOTreeBuilder.java
@@ -20,6 +20,8 @@
package org.apache.fop.fo;
import java.io.OutputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import org.xml.sax.Attributes;
import org.xml.sax.ContentHandler;
@@ -171,23 +173,49 @@ public class FOTreeBuilder extends DefaultHandler {
}
/** {@inheritDoc} */
- public void startElement(String namespaceURI, String localName, String rawName,
- Attributes attlist) throws SAXException {
+ public void startElement(final String namespaceURI, final String localName, final String rawName,
+ final Attributes attlist) throws SAXException {
this.depth++;
errorinstart = false;
- try {
- delegate.startElement(namespaceURI, localName, rawName, attlist);
- } catch (SAXException e) {
+ final ContentHandler contentHandler = delegate;
+ SAXException saxException = AccessController.doPrivileged(
+ new PrivilegedAction<SAXException>() {
+ public SAXException run() {
+ try {
+ contentHandler.startElement(namespaceURI, localName, rawName, attlist);
+ } catch (SAXException e) {
+ return e;
+ }
+ return null;
+ }
+ }
+ );
+ if (saxException != null) {
errorinstart = true;
- throw e;
+ throw saxException;
}
}
/** {@inheritDoc} */
- public void endElement(String uri, String localName, String rawName)
- throws SAXException {
+ public void endElement(final String uri, final String localName, final String rawName) throws SAXException {
if (!errorinstart) {
- this.delegate.endElement(uri, localName, rawName);
+ final ContentHandler contentHandler = delegate;
+ SAXException saxException = AccessController.doPrivileged(
+ new PrivilegedAction<SAXException>() {
+ public SAXException run() {
+ try {
+ contentHandler.endElement(uri, localName, rawName);
+ } catch (SAXException e) {
+ return e;
+ }
+ return null;
+ }
+ }
+ );
+ if (saxException != null) {
+ throw saxException;
+ }
+
this.depth--;
if (depth == 0) {
if (delegate != mainFOHandler) {
diff --git a/fop-core/src/test/java/org/apache/fop/apps/FopFactoryTestCase.java b/fop-core/src/test/java/org/apache/fop/apps/FopFactoryTestCase.java
index 439ffa44e..ee95810a6 100644
--- a/fop-core/src/test/java/org/apache/fop/apps/FopFactoryTestCase.java
+++ b/fop-core/src/test/java/org/apache/fop/apps/FopFactoryTestCase.java
@@ -19,7 +19,18 @@
package org.apache.fop.apps;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
+import java.net.URI;
+import java.security.Permission;
+
+import javax.xml.transform.Result;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.sax.SAXResult;
+import javax.xml.transform.stream.StreamSource;
import org.junit.Test;
import org.xml.sax.SAXException;
@@ -63,4 +74,42 @@ public class FopFactoryTestCase extends BaseConstructiveUserConfigTest {
fail(e.getMessage());
}
}
+
+ @Test
+ public void testSecurityManager() throws Exception {
+ System.setSecurityManager(new SecurityManager() {
+ public void checkPermission(Permission perm) {
+ for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
+ if (element.toString().contains("java.security.AccessController.doPrivileged")
+ || element.toString().contains("newFop(")
+ || element.toString().contains("setSecurityManager(")) {
+ return;
+ }
+ }
+ throw new RuntimeException("doPrivileged not used for " + perm);
+ }
+ });
+ FopFactory fopFactory = FopFactory.newInstance(new URI("."));
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
+ String fo = "<fo:root xmlns:fo=\"http://www.w3.org/1999/XSL/Format\" "
+ + "xmlns:fox=\"http://xmlgraphics.apache.org/fop/extensions\">\n"
+ + " <fo:layout-master-set>\n"
+ + " <fo:simple-page-master master-name=\"simple\" page-height=\"27.9cm\" page-width=\"21.6cm\">\n"
+ + " <fo:region-body />\n"
+ + " </fo:simple-page-master>\n"
+ + " </fo:layout-master-set>\n"
+ + " <fo:page-sequence master-reference=\"simple\">\n"
+ + " <fo:flow flow-name=\"xsl-region-body\">\n"
+ + " <fo:block font-size=\"100pt\">test2test2test2test2test2test2test2test2test2test2te"
+ + "st2test2test2test2test2test2test2</fo:block> \n"
+ + "</fo:flow>\n"
+ + " </fo:page-sequence>\n"
+ + "</fo:root>\n";
+ Fop fop = fopFactory.newFop(MimeConstants.MIME_PDF, fopFactory.newFOUserAgent(), out);
+ Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ Source src = new StreamSource(new ByteArrayInputStream(fo.getBytes()));
+ Result res = new SAXResult(fop.getDefaultHandler());
+ transformer.transform(src, res);
+ System.setSecurityManager(null);
+ }
}
diff --git a/fop/lib/xmlgraphics-commons-svn-trunk.jar b/fop/lib/xmlgraphics-commons-svn-trunk.jar
index 542966f5f..6368e1244 100644
--- a/fop/lib/xmlgraphics-commons-svn-trunk.jar
+++ b/fop/lib/xmlgraphics-commons-svn-trunk.jar
Binary files differ