BATIK-1335: Jar url should be blocked by DefaultScriptSecurity

git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1903910 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
index e64c29c..1281e7d 100644
--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
@@ -83,6 +83,10 @@
         } else {
             String docHost    = docURL.getHost();
             String scriptHost = scriptURL.getHost();
+
+            if (scriptHost == null && scriptURL.getPath() != null) {
+                scriptHost = new ParsedURL(scriptURL.getPath()).getHost();
+            }
             
             if ((docHost != scriptHost) &&
                 ((docHost == null) || (!docHost.equals(scriptHost)))) {
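Review bot: The re-parse at `scriptHost = new ParsedURL(scriptURL.getPath()).getHost();` unwraps only one level, so a nested `jar:jar:http://host/a.jar!/b.jar!/` (assuming ParsedURL again leaves the host null and puts the inner URL in the path, which is what the fix relies on for the single-level case) would still yield a null scriptHost and pass the null-vs-null comparison below exactly as the unpatched code did. Because that comparison treats "both hosts unknown" as same-origin, any scheme whose host ParsedURL cannot extract is allowed by default, which is the root of this bug; unwrapping should be bounded and restricted to the `jar` scheme so it cannot loop on a plain path such as `/tmp/x.js`, and it would be worth a follow-up to deny unrecognized schemes outright rather than rely on host equality. The enclosing constructor starts and ends outside this hunk. A bounded rewrite of the added lines:
```java
            String docHost    = docURL.getHost();
            String scriptHost = scriptURL.getHost();

            // Unwrap (nested) jar: URLs so the origin host embedded in the
            // jar is compared, not the always-null host of the jar: scheme.
            // Bounded so a scheme-less path can never loop; stops at the
            // first level that is not a jar: URL or that yields a host.
            ParsedURL inner = scriptURL;
            for (int depth = 0; scriptHost == null && depth < 8; depth++) {
                if (!"jar".equals(inner.getProtocol()) || inner.getPath() == null) {
                    break;
                }
                inner = new ParsedURL(inner.getPath());
                scriptHost = inner.getHost();
            }
            // … unchanged: host comparison and SecurityException …
```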
diff --git a/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java b/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
new file mode 100644
index 0000000..e7430cf
--- /dev/null
+++ b/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
@@ -0,0 +1,40 @@
+/*
+
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+ */
+package org.apache.batik.bridge;
+
+import org.apache.batik.util.ParsedURL;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class DefaultScriptSecurityTestCase {
+    @Test
+    public void testUrls() {
+        ParsedURL docUrl = new ParsedURL("");
+        ParsedURL scriptUrl = new ParsedURL("jar:http://192.168.1.10/poc.jar!/");
+        String ex = "";
+        try {
+            new DefaultScriptSecurity(null, scriptUrl, docUrl).checkLoadScript();
+        } catch (SecurityException e) {
+            ex = e.getMessage();
+        }
+        Assert.assertEquals(ex, "The document references a script file (jar:http://192.168.1.10/poc.jar!/) " +
+                "which comes from different location than the document itself. This is not allowed with the current " +
+                "security settings and that script will not be loaded.");
+    }
+}
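Review bot: The single test only exercises a document with no host (`new ParsedURL("")`) against a remote jar: script, so it pins the null-host branch but not the cases the fix is meant to distinguish: an `http://` document against a jar: script on a different host (must throw) and a jar: script whose embedded host matches the document (must still load), without which a later change that blocks every jar: URL or none of them would pass this suite unchanged. In the assertion, `Assert.assertEquals(ex, expected)` has the arguments reversed (JUnit expects `expected, actual`), which makes the failure message read backwards. A nested `jar:jar:http://...` case is also worth adding once the bridge code handles it. Suggested additional test methods:
```java
    @Test
    public void testJarScriptFromOtherHostIsBlocked() {
        ParsedURL docUrl = new ParsedURL("http://example.org/doc.svg");
        ParsedURL scriptUrl = new ParsedURL("jar:http://192.168.1.10/poc.jar!/");
        try {
            new DefaultScriptSecurity(null, scriptUrl, docUrl).checkLoadScript();
            Assert.fail("jar: script from a different host must be rejected");
        } catch (SecurityException expected) {
            // expected: embedded jar host differs from the document host
        }
    }

    @Test
    public void testJarScriptFromSameHostIsAllowed() {
        ParsedURL docUrl = new ParsedURL("http://192.168.1.10/doc.svg");
        ParsedURL scriptUrl = new ParsedURL("jar:http://192.168.1.10/poc.jar!/");
        // must not throw: the host embedded in the jar: URL matches the document
        new DefaultScriptSecurity(null, scriptUrl, docUrl).checkLoadScript();
    }
```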