[libbluray-devel] JSM: compare only canonicalized paths

hpi1 git at videolan.org
Mon Mar 9 12:53:05 CET 2015


libbluray | branch: master | hpi1 <hpi1 at anonymous.org> | Mon Mar  9 11:43:50 2015 +0200| [87c267fe08a84ed2737f03fc6ba3b0dc05a4b625] | committer: hpi1

JSM: compare only canonicalized paths

> http://git.videolan.org/gitweb.cgi/libbluray.git/?a=commit;h=87c267fe08a84ed2737f03fc6ba3b0dc05a4b625
---

 .../bdj/java/org/videolan/BDJSecurityManager.java  |   25 ++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/libbluray/bdj/java/org/videolan/BDJSecurityManager.java b/src/libbluray/bdj/java/org/videolan/BDJSecurityManager.java
index b7aadb7..9e7a08f 100644
--- a/src/libbluray/bdj/java/org/videolan/BDJSecurityManager.java
+++ b/src/libbluray/bdj/java/org/videolan/BDJSecurityManager.java
@@ -22,7 +22,9 @@ package org.videolan;
 
 import java.io.FilePermission;
 import java.io.File;
+import java.security.AccessController;
 import java.security.Permission;
+import java.security.PrivilegedAction;
 
 final class BDJSecurityManager extends SecurityManager {
 
@@ -100,6 +102,9 @@ final class BDJSecurityManager extends SecurityManager {
     }
 
     public void checkRead(String file) {
+
+        file = getCanonPath(file);
+
         //super.checkRead(file);
         if (usingUdf) {
             BDJLoader.accessFile(file);
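Review bot: Canonicalizing only the requested path is enough only if every root it is later compared with is canonical too; in `checkRead` and in `checkWrite` (second hunk, `canReadWrite(file)`) the comparison targets lie outside the visible lines, so this needs confirming. If a configured root contains a symlink or a relative segment, a legitimate access would now be denied, and a prefix match against a non-canonical root would not give the containment this commit is after. With `usingUdf` set, `BDJLoader.accessFile(file)` now also receives the canonical form instead of the name the Xlet passed, which is worth checking against how that method looks files up. A comment at the reassignment such as `// all path checks below expect a canonical path; the roots must be canonical too` would record the invariant. Both method bodies continue past their hunks.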
@@ -123,6 +128,8 @@ final class BDJSecurityManager extends SecurityManager {
     public void checkWrite(String file) {
         BDJXletContext ctx = BDJXletContext.getCurrentContext();
 
+        file = getCanonPath(file);
+
         if (ctx != null) {
             // Xlet can write to persistent storage and binding unit
             if (canReadWrite(file)) {
@@ -141,6 +148,24 @@ final class BDJSecurityManager extends SecurityManager {
         throw new SecurityException("write access denied");
     }
 
+    private String getCanonPath(final String path)
+    {
+        String cpath = (String)AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                try {
+                    return new File(path).getCanonicalPath();
+                } catch (Exception ioe) {
+                    logger.error("error canonicalizing " + path + ": " + ioe);
+                    return null;
+                }
+            }
+            });
+        if (cpath == null) {
+            throw new SecurityException("cant canonicalize " + path);
+        }
+        return cpath;
+    }
+
     /*
      *
      */
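Review bot: `getCanonPath` resolves the path at check time, but `checkRead` and `checkWrite` return void, so the caller presumably opens the file afterwards using the original string; a symlink or directory that changes between the check and the open is not covered by this comparison, and that limit deserves a comment on the method. The reason for the privileged block is also undocumented; presumably canonicalization needs file-system or property access the calling Xlet lacks, and a line such as `// runs privileged so the check does not depend on the caller's own permissions; any failure denies access` would say so. `catch (Exception ioe)` also turns a null `path` into a SecurityException instead of the NullPointerException that `SecurityManager.checkRead` documents, which fails closed and looks acceptable but should be stated.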


