diff --git a/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java b/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java
index ddae60e9d53..2e914ac5823 100644
--- a/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java
+++ b/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java
@@ -64,6 +64,8 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 protected static final AttrCompare COMPARE = new AttrCompare();
+ // Make sure you clone the following mutable arrays before passing to
+ // potentially untrusted objects such as OutputStreams.
 private static final byte[] END_PI = {'?','>'};
 private static final byte[] BEGIN_PI = {'<','?'};
 private static final byte[] END_COMM = {'-','-','>'};
@@ -76,7 +78,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 private static final byte[] LT = {'&','l','t',';'};
 private static final byte[] END_TAG = {'<','/'};
 private static final byte[] AMP = {'&','a','m','p',';'};
- private static final byte[] equalsStr = {'=','\"'};
+ private static final byte[] EQUALS_STR = {'=','\"'};
 protected static final int NODE_BEFORE_DOCUMENT_ELEMENT = -1;
 protected static final int NODE_NOT_BEFORE_OR_AFTER_DOCUMENT_ELEMENT = 0;
@@ -303,7 +305,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 writer.write('>');
 sibling = currentNode.getFirstChild();
 if (sibling == null) {
- writer.write(END_TAG);
+ writer.write(END_TAG.clone());
 UtfHelpper.writeStringToUtf8(name, writer);
 writer.write('>');
 //We finished with this level, pop to the previous definitions.
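Review bot: The new comment above END_PI in the first hunk states the rule but not the threat, so a later maintainer cannot judge which writes it covers or why a bare `writer.write(CONST)` is a bug. OutputStream.write(byte[]) hands the caller-supplied stream the array object itself, and these arrays are process-wide static state, so a stream that modifies what it receives would corrupt every later canonicalization in the JVM, not just its own output. I would say that in the comment: `// These arrays are shared static state. OutputStream.write(byte[]) gives the stream the array itself,`, `// so a hostile stream could alter it and corrupt every later canonicalization in the process.`, `// Always write a clone, never the array.` The constants declared in the lines between this hunk and the next (QUOT, GT, X9, XA, XD, going by their use further down) presumably sit under the same comment, which is the right place for it.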
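Review bot: `writer.write(END_TAG.clone())` in the third hunk allocates a two-byte array for every element that is closed, on the hottest path of the canonicalizer, when the same two bytes can be emitted without handing the stream any array at all: `writer.write('<'); writer.write('/');`. That removes both the allocation and the exposure, and it matches the `writer.write('>')` call two lines below. The same applies to the other three END_TAG sites in this commit. The enclosing method starts and ends outside the hunk.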
@@ -321,7 +323,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 break;
 }
 while (sibling == null && parentNode != null) {
- writer.write(END_TAG);
+ writer.write(END_TAG.clone());
 UtfHelpper.writeByte(((Element)parentNode).getTagName(), writer, cache);
 writer.write('>');
 //We finished with this level, pop to the previous definitions.
@@ -481,7 +483,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 if (sibling == null) {
 if (currentNodeIsVisible) {
- writer.write(END_TAG);
+ writer.write(END_TAG.clone());
 UtfHelpper.writeByte(name, writer, cache);
 writer.write('>');
 //We finished with this level, pop to the previous definitions.
@@ -503,7 +505,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 }
 while (sibling == null && parentNode != null) {
 if (isVisible(parentNode)) {
- writer.write(END_TAG);
+ writer.write(END_TAG.clone());
 UtfHelpper.writeByte(((Element)parentNode).getTagName(), writer, cache);
 writer.write('>');
 //We finished with this level, pop to the previous definitions.
@@ -690,7 +692,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 ) throws IOException {
 writer.write(' ');
 UtfHelpper.writeByte(name, writer, cache);
- writer.write(equalsStr);
+ writer.write(EQUALS_STR.clone());
 byte[] toWrite;
 final int length = value.length();
 int i = 0;
@@ -700,27 +702,27 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 switch (c) {
 case '&' :
- toWrite = AMP;
+ toWrite = AMP.clone();
 break;
 case '<' :
- toWrite = LT;
+ toWrite = LT.clone();
 break;
 case '"' :
- toWrite = QUOT;
+ toWrite = QUOT.clone();
 break;
 case 0x09 : // '\t'
- toWrite = X9;
+ toWrite = X9.clone();
 break;
 case 0x0A : // '\n'
- toWrite = XA;
+ toWrite = XA.clone();
 break;
 case 0x0D : // '\r'
- toWrite = XD;
+ toWrite = XD.clone();
 break;
 default :
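Review bot: The line right after the changed one in the -321 hunk, `UtfHelpper.writeByte(((Element)parentNode).getTagName(), writer, cache)`, looks like it passes a cached byte[] for the tag name to the same writer, which would leave that array exposed in exactly the way END_TAG was before this commit; UtfHelpper is not visible here, so this needs confirming. If the cache is per-traversal rather than static, a hostile stream could only corrupt names for the rest of the current document, which is far less serious than the static case but still deserves a sentence next to the clone rule, e.g. `// name bytes come from the per-call cache; it must never be shared across canonicalizations or trust boundaries`. The enclosing method starts and ends outside the hunk.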
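Review bot: In the attribute-value loop of the -700 hunk every escaped character now allocates a fresh clone of AMP, LT, QUOT, X9, XA or XD, so an attribute containing thousands of `&` costs thousands of small arrays. As far as I can see, one clone per call taken before the loop (`final byte[] amp = AMP.clone();` and so on, then `toWrite = amp;`) would protect the shared statics equally well, because a stream that tampers with its own per-call copy only changes bytes it was about to receive anyway. That argument depends on the output going to exactly this one stream, so check it against the threat model in the bug before adopting it. The method's declaration and the eventual write of toWrite are outside the hunk.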
@@ -750,7 +752,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 if (position == NODE_AFTER_DOCUMENT_ELEMENT) {
 writer.write('\n');
 }
- writer.write(BEGIN_PI);
+ writer.write(BEGIN_PI.clone());
 final String target = currentPI.getTarget();
 int length = target.length();
@@ -758,7 +760,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 for (int i = 0; i < length; i++) {
 char c = target.charAt(i);
 if (c == 0x0D) {
- writer.write(XD);
+ writer.write(XD.clone());
 } else {
 if (c < 0x80) {
 writer.write(c);
@@ -778,14 +780,14 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 for (int i = 0; i < length; i++) {
 char c = data.charAt(i);
 if (c == 0x0D) {
- writer.write(XD);
+ writer.write(XD.clone());
 } else {
 UtfHelpper.writeCharToUtf8(c, writer);
 }
 }
 }
- writer.write(END_PI);
+ writer.write(END_PI.clone());
 if (position == NODE_BEFORE_DOCUMENT_ELEMENT) {
 writer.write('\n');
 }
@@ -804,7 +806,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 if (position == NODE_AFTER_DOCUMENT_ELEMENT) {
 writer.write('\n');
 }
- writer.write(BEGIN_COMM);
+ writer.write(BEGIN_COMM.clone());
 final String data = currentComment.getData();
 final int length = data.length();
@@ -812,7 +814,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 for (int i = 0; i < length; i++) {
 char c = data.charAt(i);
 if (c == 0x0D) {
- writer.write(XD);
+ writer.write(XD.clone());
 } else {
 if (c < 0x80) {
 writer.write(c);
@@ -822,7 +824,7 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 }
 }
- writer.write(END_COMM);
+ writer.write(END_COMM.clone());
 if (position == NODE_BEFORE_DOCUMENT_ELEMENT) {
 writer.write('\n');
 }
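Review bot: The clone rule is enforced purely by convention at more than twenty call sites such as `writer.write(XD.clone())` and `writer.write(END_PI.clone())` in the -778 hunk, and nothing stops a later edit from reintroducing a bare `writer.write(CONST)`. A small private helper would make the rule structural for the direct-write sites: `private static void writeConst(OutputStream writer, byte[] constant) throws IOException { writer.write(constant.clone()); }`, with the call sites becoming `writeConst(writer, XD);`. The switch sites that assign `toWrite` would still need their explicit clone. The enclosing method starts outside the hunk.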
@@ -846,19 +848,19 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi {
 switch (c) {
 case '&' :
- toWrite = AMP;
+ toWrite = AMP.clone();
 break;
 case '<' :
- toWrite = LT;
+ toWrite = LT.clone();
 break;
 case '>' :
- toWrite = GT;
+ toWrite = GT.clone();
 break;
 case 0xD :
- toWrite = XD;
+ toWrite = XD.clone();
 break;
 default :