BATIK-1338: Block loading jar inside svg
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1904320 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
index 1281e7d..bf30c08 100644
--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
@@ -20,6 +20,8 @@
import org.apache.batik.util.ParsedURL;
+import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;
+
/**
* Default implementation for the <code>ScriptSecurity</code> interface.
* It allows all types of scripts to be loaded, but only if they
@@ -76,7 +78,7 @@
ParsedURL docURL){
// Make sure that the archives comes from the same host
// as the document itself
- if (docURL == null) {
+ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
se = new SecurityException
(Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
new Object[]{scriptURL}));
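Review bot: The new `|| SVG_SCRIPT_TYPE_JAVA.equals(scriptType)` on the changed `if` line folds a policy decision ("jar scripts are never loaded") into the branch for a missing document URL, so a blocked jar is reported with ERROR_CANNOT_ACCESS_DOCUMENT_URL, a message that says the document URL could not be accessed when it in fact could; the comment above the condition ("Make sure that the archives comes from the same host") no longer describes the block either. Anyone triaging the SecurityException, or reading the test expectation on this commit, would be pointed at the wrong cause. I would keep the original `docURL == null` branch as is and add a separate `else if` for the Java script type with its own message key and a comment stating the intent; the key name below is a placeholder to be added to the Messages bundle. The enclosing constructor starts before the hunk and its closing brace and remaining body lie after it, so the same-origin comparison that follows is assumed, not visible here.
```java
        if (docURL == null) {
            se = new SecurityException
                (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
                                        new Object[]{scriptURL}));
        } else if (SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
            // Java archives are never loaded from an SVG document,
            // independent of where the archive comes from.
            se = new SecurityException
                (Messages.formatMessage(ERROR_JAVA_SCRIPT_TYPE_NOT_ALLOWED /* placeholder: new Messages key */,
                                        new Object[]{scriptType, scriptURL}));
        // … unchanged: remaining constructor body (same-origin check) …
```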
diff --git a/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java b/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
index e7430cf..1010f58 100644
--- a/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
+++ b/batik-test-old/src/test/java/org/apache/batik/bridge/DefaultScriptSecurityTestCase.java
@@ -22,6 +22,8 @@
import org.junit.Assert;
import org.junit.Test;
+import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;
+
public class DefaultScriptSecurityTestCase {
@Test
public void testUrls() {
@@ -37,4 +39,19 @@
"which comes from different location than the document itself. This is not allowed with the current " +
"security settings and that script will not be loaded.");
}
+
+ @Test
+ public void testJarFile() {
+ ParsedURL docUrl = new ParsedURL("");
+ ParsedURL scriptUrl = new ParsedURL("poc.jar");
+ String ex = "";
+ try {
+ new DefaultScriptSecurity(SVG_SCRIPT_TYPE_JAVA, scriptUrl, docUrl).checkLoadScript();
+ } catch (SecurityException e) {
+ ex = e.getMessage();
+ }
+ Assert.assertEquals(ex, "Could not access the current document URL when trying to load script file " +
+ "file:poc.jar. Script will not be loaded as it is not possible to verify it comes from the same location " +
+ "as the document.");
+ }
}
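Review bot: `Assert.assertEquals(ex, "Could not access ...")` in the new `testJarFile` passes the actual value as the expected argument, so a failure is reported with the two values swapped; it should read `Assert.assertEquals("Could not access the current document URL when trying to load script file " + ..., ex);`. The test also pins the full message text, which couples it to the Messages bundle wording and, presumably, to ParsedURL resolving "poc.jar" to "file:poc.jar" (not verifiable from this hunk); asserting that a SecurityException was thrown at all, e.g. an `Assert.fail(...)` after the `checkLoadScript()` call, would make the intent of the test explicit rather than relying on the empty-string default for `ex`. If the production message for the jar case is ever changed to name the actual reason (blocked script type rather than an inaccessible document URL), this expectation must move with it.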