8004562: Better support for crossdomain.xml

Reviewed-by: herrick, ngthomas, chegar
2014-01-07 12:17:36 -08:00 · 2014-01-07 12:17:36 -08:00 · 6609c71505
commit 6609c71505
parent a265181b1e
1 changed files with 47 additions and 2 deletions
--- a/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@ -541,9 +541,11 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
             * to last and last, respectively, in the case of a POST
             * request.
             */
-            if (!failedOnce)
+            if (!failedOnce) {
+                checkURLFile();
                requests.prepend(method + " " + getRequestURI()+" "  +
                                 httpVersion, null);
+            }
            if (!getUseCaches()) {
                requests.setIfNotSet ("Cache-Control", "no-cache");
                requests.setIfNotSet ("Pragma", "no-cache");
@ -554,7 +556,12 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
            if (port != -1 && port != url.getDefaultPort()) {
                host += ":" + String.valueOf(port);
            }
-            requests.setIfNotSet("Host", host);
+            String reqHost = requests.findValue("Host");
+            if (reqHost == null ||
+                (!reqHost.equalsIgnoreCase(host) && !checkSetHost()))
+            {
+                requests.set("Host", host);
+            }
            requests.setIfNotSet("Accept", acceptString);

            /*
@ -671,6 +678,44 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
        }
    }

+    private boolean checkSetHost() {
+        SecurityManager s = System.getSecurityManager();
+        if (s != null) {
+            String name = s.getClass().getName();
+            if (name.equals("sun.plugin2.applet.AWTAppletSecurityManager") ||
+                name.equals("sun.plugin2.applet.FXAppletSecurityManager") ||
+                name.equals("com.sun.javaws.security.JavaWebStartSecurity") ||
+                name.equals("sun.plugin.security.ActivatorSecurityManager"))
+            {
+                int CHECK_SET_HOST = -2;
+                try {
+                    s.checkConnect(url.toExternalForm(), CHECK_SET_HOST);
+                } catch (SecurityException ex) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    private void checkURLFile() {
+        SecurityManager s = System.getSecurityManager();
+        if (s != null) {
+            String name = s.getClass().getName();
+            if (name.equals("sun.plugin2.applet.AWTAppletSecurityManager") ||
+                name.equals("sun.plugin2.applet.FXAppletSecurityManager") ||
+                name.equals("com.sun.javaws.security.JavaWebStartSecurity") ||
+                name.equals("sun.plugin.security.ActivatorSecurityManager"))
+            {
+                int CHECK_SUBPATH = -3;
+                try {
+                    s.checkConnect(url.toExternalForm(), CHECK_SUBPATH);
+                } catch (SecurityException ex) {
+                    throw new SecurityException("denied access outside a permitted URL subpath", ex);
+                }
+            }
+        }
+    }

    /**
     * Create a new HttpClient object, bypassing the cache of