8300891: Deprecate for removal javax.swing.plaf.synth.SynthLookAndFee…

…l.load(URL url) Reviewed-by: serb, aivanov, kizune, psadhukhan
openjdk · Feb 3, 2023 · 5962226 · 5962226 · openjdk-notifier · Feb 3, 2023
1 parent 8b70256
commit 5962226
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/src/java.desktop/share/classes/javax/swing/plaf/synth/SynthLookAndFeel.java b/src/java.desktop/share/classes/javax/swing/plaf/synth/SynthLookAndFeel.java
@@ -615,14 +615,31 @@ public void load(InputStream input, Class<?> resourceBase) throws
      * <code>new URL(synthFile, path)</code>. Refer to
      * <a href="doc-files/synthFileFormat.html">Synth File Format</a> for more
      * information.
+     * <p>
+     * Whilst this API may be safe for loading local resources that are
+     * delivered with a {@code LookAndFeel} or application, and so have an
+     * equal level of trust with application code, using it to load from
+     * remote resources, particularly any which may have a lower level of
+     * trust, is strongly discouraged.
+     * The alternative mechanisms to load styles from an {@code InputStream}
+     * {@linkplain #load(InputStream, Class)}
+     * using resources co-located with the application or by providing a
+     * {@code SynthStyleFactory} to
+     * {@linkplain #setStyleFactory setStyleFactory(SynthStyleFactory)}
+     * are preferred.
+     * Consequently this method is deprecated and will be removed in a future
+     * release.
      *
      * @param url the <code>URL</code> to load the set of
      *     <code>SynthStyle</code> from
      * @throws ParseException if there is an error in parsing
      * @throws IllegalArgumentException if synthSet is <code>null</code>
      * @throws IOException if synthSet cannot be opened as an <code>InputStream</code>
      * @since 1.6
+     * @deprecated Use {@link #load(InputStream, Class)} or
+     * {@link #setStyleFactory setStyleFactory(SynthStyleFactory)} instead
      */
+    @Deprecated(since = "21", forRemoval = true)
     public void load(URL url) throws ParseException, IOException {
         if (url == null) {
             throw new IllegalArgumentException(

diff --git a/src/java.desktop/share/classes/javax/swing/plaf/synth/doc-files/synthFileFormat.html b/src/java.desktop/share/classes/javax/swing/plaf/synth/doc-files/synthFileFormat.html
@@ -70,6 +70,8 @@ <h1><a id="file">File Format</a></h1>
     <p>
       This example loads the look and feel from an input stream, using
       the specified class as the resource base to resolve paths.
+    </p>
+    <p>
       It is also possible to load a look and feel from an arbitrary URL
       as in the following example.
     </p>
@@ -94,6 +96,11 @@ <h1><a id="file">File Format</a></h1>
       <li>Remote JAR file, e.g.
         <code>jar:http://host/synth-laf.jar!/laf.xml</code></li>
     </ul>
+    <p>Note: Synth's file format allows for the definition of code to be executed.
+       Loading any code from a remote location should be used only
+       with extreme caution from a trusted source over a secure connection.
+       It is strongly discouraged for an application or a LookAndFeel to do so.
+    </p>
     <p>
       While the DTD for synth is specified, the parser is not validating.
       Parsing will fail only if a necessary attribute is not