Author: mrglavas
Date: Wed Oct  7 12:09:38 2009
New Revision: 822684

URL: http://svn.apache.org/viewvc?rev=822684&view=rev
Log:
Removing an AccessController.doPrivileged() which could allow an untrusted 
application to write to a file that it should not be able to.

Modified:
    xerces/java/trunk/src/org/apache/xerces/impl/XMLEntityManager.java

Modified: xerces/java/trunk/src/org/apache/xerces/impl/XMLEntityManager.java
URL: 
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLEntityManager.java?rev=822684&r1=822683&r2=822684&view=diff
==============================================================================
--- xerces/java/trunk/src/org/apache/xerces/impl/XMLEntityManager.java 
(original)
+++ xerces/java/trunk/src/org/apache/xerces/impl/XMLEntityManager.java Wed Oct  
7 12:09:38 2009
@@ -30,8 +30,6 @@
 import java.net.URLConnection;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
 import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.Locale;
@@ -1873,26 +1871,14 @@
         // Use FileOutputStream if this URI is for a local file.
         if (protocol.equals("file") 
                 && (host == null || host.length() == 0 || 
host.equals("localhost"))) {
-            try {
-                out = (OutputStream) AccessController.doPrivileged(new 
PrivilegedExceptionAction() {
-                    public Object run() throws Exception {
-                        File file = new 
File(getPathWithoutEscapes(url.getPath()));
-                        if (!file.exists()) {
-                            File parent = file.getParentFile();
-                            if (parent != null && !parent.exists()) {
-                                parent.mkdirs();
-                            }
-                        }
-                        return new FileOutputStream(file);
-                    }});
-            }
-            catch (PrivilegedActionException pae) {
-                Exception e = pae.getException();
-                if (e instanceof IOException) {
-                    throw (IOException) e;
+            File file = new File(getPathWithoutEscapes(url.getPath()));
+            if (!file.exists()) {
+                File parent = file.getParentFile();
+                if (parent != null && !parent.exists()) {
+                    parent.mkdirs();
                 }
-                throw new IOException(e != null ? e.getMessage() : 
pae.getMessage());
             }
+            out = new FileOutputStream(file);
         }
         // Try to write to some other kind of URI. Some protocols
         // won't support this, though HTTP should work.
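Review bot: The file branch, now unprivileged, carries no comment explaining why the `doPrivileged` wrapper must stay out, so a later cleanup could reintroduce it. Above `File file = new File(...)` I would add `// Intentionally not wrapped in doPrivileged(): the calling code's own FilePermission must authorize this write.` With a SecurityManager installed, `file.exists()`, `parent.mkdirs()` and `new FileOutputStream(file)` can now raise an unchecked `SecurityException` for callers lacking that permission; the method's Javadoc should say so, because callers that only catch `IOException` will not handle it. The boolean result of `parent.mkdirs()` is still ignored, so a failed directory creation only shows up as the later `FileOutputStream` error. The first hunk keeps the `AccessController` and `PrivilegedAction` imports, which suggests other privileged blocks remain in this file and may deserve the same review; the enclosing method starts and ends outside this hunk.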


