BATIK-1335: Jar url should be blocked by DefaultScriptSecurity
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1903910 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
index e64c29c..1281e7d 100644
--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
@@ -83,6 +83,10 @@
} else {
String docHost = docURL.getHost();
String scriptHost = scriptURL.getHost();
+
+ if (scriptHost == null && scriptURL.getPath() != null) {
+ scriptHost = new ParsedURL(scriptURL.getPath()).getHost();
+ }
if ((docHost != scriptHost) &&
((docHost == null) || (!docHost.equals(scriptHost)))) {
diff --git a/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java b/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
new file mode 100644
index 0000000..e7430cf
--- /dev/null
+++ b/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
@@ -0,0 +1,40 @@
+/*
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ */
+package org.apache.batik.bridge;
+
+import org.apache.batik.util.ParsedURL;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class DefaultScriptSecurityTestCase {
+ @Test
+ public void testUrls() {
+ ParsedURL docUrl = new ParsedURL("");
+ ParsedURL scriptUrl = new ParsedURL("jar:http://192.168.1.10/poc.jar!/");
+ String ex = "";
+ try {
+ new DefaultScriptSecurity(null, scriptUrl, docUrl).checkLoadScript();
+ } catch (SecurityException e) {
+ ex = e.getMessage();
+ }
+ Assert.assertEquals(ex, "The document references a script file (jar:http://192.168.1.10/poc.jar!/) " +
+ "which comes from different location than the document itself. This is not allowed with the current " +
+ "security settings and that script will not be loaded.");
+ }
+}