From 45a84db7739aba2ab4526d7ef87850b9eb824740 Mon Sep 17 00:00:00 2001
From: Wade Walker
Date: Sun, 17 Feb 2013 10:48:00 -0600
Subject: Add security checks to resolver methods.
---
 src/java/com/jogamp/common/util/JarUtil.java | 30 ++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/java/com/jogamp/common/util/JarUtil.java b/src/java/com/jogamp/common/util/JarUtil.java
index f1488f1..7fa5dd0 100644
--- a/src/java/com/jogamp/common/util/JarUtil.java
+++ b/src/java/com/jogamp/common/util/JarUtil.java
@@ -61,14 +61,31 @@ public class JarUtil {
 URL resolve(URL url);
 }

- /** If non-null, we use this to resolve class file URLs after querying them from the classloader. */
+ /** If non-null, we use this to resolve class file URLs after querying them from the classloader.
+ * The resolver won't be used on an URL if it's already of a common type like file, jar, or http[s].*/
 private static Resolver resolver;

 /**
 * Setter.
- * @param r Resolver to use after querying class file URLs from the classloader.
+ * @param r Resolver to use after querying class file URLs from the classloader.
+ * @throws Error if the resolver has already been set.
+ * @throws SecurityException if the security manager doesn't have the setFactory
+ * permission
 */
 public static void setResolver(Resolver r) {
+ if(r == null) {
+ return;
+ }
+
+ if(resolver != null) {
+ throw new Error("Resolver already set!");
+ }
+
+ SecurityManager security = System.getSecurityManager();
+ if(security != null) {
+ security.checkSetFactory();
+ }
+
 resolver = r;
 }

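Review bot: The set-once guard added to `setResolver` is a check-then-act on an unsynchronized static field, so two threads calling it at the same time can both pass `if(resolver != null)` and the later write silently replaces the earlier resolver, which is what the guard is meant to rule out. Declaring the method as `public static synchronized void setResolver(Resolver r)` and the field as `private static volatile Resolver resolver;` closes that window and makes the installed resolver visible to reader threads. I would also move the `security.checkSetFactory()` block above the already-set check, so a caller without the permission gets a `SecurityException` rather than learning whether a resolver is installed. Throwing `IllegalStateException` instead of `Error` would match how callers normally handle a misuse of this kind, and the Javadoc should say that a null argument is ignored.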
@@ -113,8 +130,13 @@ public class JarUtil {
 throw new IllegalArgumentException("null arguments: clazzBinName "+clazzBinName+", cl "+cl);
 }
 URL url = IOUtil.getClassURL(clazzBinName, cl);
- if(resolver != null)
- url = resolver.resolve(url);
+ if( resolver != null
+ && !url.toString().startsWith("jar:")
+ && !url.toString().startsWith("file:")
+ && !url.toString().startsWith("http:")
+ && !url.toString().startsWith("https:")) {
+ url = resolver.resolve(url);
+ }
 // test name ..
 final String urlS = url.toExternalForm();
 if(DEBUG) {
-- cgit v1.2.3
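Review bot: The value returned by `resolver.resolve(url)` is assigned straight back to `url` with no check, so if a resolver returns null (the `Resolver` interface in the first hunk does not say it cannot) the failure only surfaces as a NullPointerException at `url.toExternalForm()`, and whatever scheme it hands back is accepted as-is. Keeping the original URL on a null result, `final URL resolved = resolver.resolve(url); if(resolved != null) { url = resolved; }`, would make the behaviour explicit. The four `url.toString().startsWith(...)` tests also format the URL four times; reading `url.getProtocol()` once and comparing it with the four scheme names states the intent more directly. The enclosing method starts and ends outside this hunk, so whether `url` can already be null after `IOUtil.getClassURL` is not visible here.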