8028111: XML readers share the same entity expansion counter

Reviewed-by: alanb, lancea, dfuchs, ahgross

jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java

@@ -79,7 +79,7 @@ public final class XalanConstants {
     /**
      * JDK maximum general entity size limit
      */
-    public static final String JDK_GENEAL_ENTITY_SIZE_LIMIT =
+    public static final String JDK_GENERAL_ENTITY_SIZE_LIMIT =
             ORACLE_JAXP_PROPERTY_PREFIX + "maxGeneralEntitySizeLimit";
     /**
      * JDK maximum parameter entity size limit
@@ -129,7 +129,7 @@ public final class XalanConstants {
     /**
      * JDK maximum general entity size limit
      */
-    public static final String SP_GENEAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit";
+    public static final String SP_GENERAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit";
     /**
      * JDK maximum parameter entity size limit
      */

jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java

@@ -73,8 +73,8 @@ public final class XMLSecurityManager {
                 XalanConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
         TOTAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_TOTAL_ENTITY_SIZE_LIMIT,
                 XalanConstants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
-        GENEAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_GENEAL_ENTITY_SIZE_LIMIT,
-                XalanConstants.SP_GENEAL_ENTITY_SIZE_LIMIT, 0, 0),
+        GENERAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_GENERAL_ENTITY_SIZE_LIMIT,
+                XalanConstants.SP_GENERAL_ENTITY_SIZE_LIMIT, 0, 0),
         PARAMETER_ENTITY_SIZE_LIMIT(XalanConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT,
                 XalanConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
 

jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java

@@ -240,7 +240,7 @@ public final class Constants {
     /**
      * JDK maximum general entity size limit
      */
-    public static final String JDK_GENEAL_ENTITY_SIZE_LIMIT =
+    public static final String JDK_GENERAL_ENTITY_SIZE_LIMIT =
             ORACLE_JAXP_PROPERTY_PREFIX + "maxGeneralEntitySizeLimit";
     /**
      * JDK maximum parameter entity size limit
@@ -287,7 +287,7 @@ public final class Constants {
     /**
      * JDK maximum general entity size limit
      */
-    public static final String SP_GENEAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit";
+    public static final String SP_GENERAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit";
     /**
      * JDK maximum parameter entity size limit
      */

jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDTDScannerImpl.java

@@ -44,6 +44,7 @@ import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
 import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
 import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.xml.internal.stream.Entity;
 
@@ -262,6 +263,11 @@ implements XMLDTDScanner, XMLComponent, XMLEntityHandler {
         fEntityManager.startDTDEntity(inputSource);
     } // setInputSource(XMLInputSource)
 
+
+    public void setLimitAnalyzer(XMLLimitAnalyzer limitAnalyzer) {
+        fLimitAnalyzer = limitAnalyzer;
+    }
+
     /**
      * Scans the external subset of the document.
      *
@@ -1625,10 +1631,10 @@ implements XMLDTDScanner, XMLComponent, XMLEntityHandler {
         XMLString literal = fString;
         XMLString literal2 = fString;
         int countChar = 0;
-        if (fLimitAnalyzer == null && fSecurityManager != null) {
-            fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
-            fLimitAnalyzer.startEntity(entityName);
-        }
+        if (fLimitAnalyzer == null ) {
+            fLimitAnalyzer = new XMLLimitAnalyzer();
+         }
+        fLimitAnalyzer.startEntity(entityName);
 
         if (fEntityScanner.scanLiteral(quote, fString) != quote) {
             fStringBuffer.clear();
@@ -2145,6 +2151,8 @@ implements XMLDTDScanner, XMLComponent, XMLEntityHandler {
         // set starting state
         setScannerState(SCANNER_STATE_TEXT_DECL);
         //new SymbolTable());
+
+        fLimitAnalyzer = new XMLLimitAnalyzer();
     }
 
     /**
@@ -2164,18 +2172,18 @@ implements XMLDTDScanner, XMLComponent, XMLEntityHandler {
      */
     private void checkLimit(String entityName, int len) {
         if (fLimitAnalyzer == null) {
-            fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
+            fLimitAnalyzer = new XMLLimitAnalyzer();
         }
         fLimitAnalyzer.addValue(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT, entityName, len);
-        if (fSecurityManager.isOverLimit(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT)) {
-                    fSecurityManager.debugPrint();
+        if (fSecurityManager.isOverLimit(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT, fLimitAnalyzer)) {
+                    fSecurityManager.debugPrint(fLimitAnalyzer);
             reportFatalError("MaxEntitySizeLimit", new Object[]{entityName,
                 fLimitAnalyzer.getValue(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT),
                 fSecurityManager.getLimit(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT),
                 fSecurityManager.getStateLiteral(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT)});
         }
-        if (fSecurityManager.isOverLimit(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT)) {
-            fSecurityManager.debugPrint();
+        if (fSecurityManager.isOverLimit(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT, fLimitAnalyzer)) {
+            fSecurityManager.debugPrint(fLimitAnalyzer);
             reportFatalError("TotalEntitySizeLimit",
                 new Object[]{fLimitAnalyzer.getTotalValue(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT),
                 fSecurityManager.getLimit(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT),

jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java

@@ -659,12 +659,12 @@ public class XMLDocumentFragmentScannerImpl
         dtdGrammarUtil = null;
 
         if (fSecurityManager != null) {
-            fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
             fElementAttributeLimit = fSecurityManager.getLimit(XMLSecurityManager.Limit.ELEMENT_ATTRIBUTE_LIMIT);
         } else {
-            fLimitAnalyzer = null;
             fElementAttributeLimit = 0;
         }
+        fLimitAnalyzer = new XMLLimitAnalyzer();
+        fEntityManager.setLimitAnalyzer(fLimitAnalyzer);
     }
 
     /**
@@ -3154,16 +3154,16 @@ public class XMLDocumentFragmentScannerImpl
          */
         protected void checkLimit(XMLStringBuffer buffer) {
             if (fLimitAnalyzer.isTracking(fCurrentEntityName)) {
-                fLimitAnalyzer.addValue(Limit.GENEAL_ENTITY_SIZE_LIMIT, fCurrentEntityName, buffer.length);
-                if (fSecurityManager.isOverLimit(Limit.GENEAL_ENTITY_SIZE_LIMIT)) {
-                    fSecurityManager.debugPrint();
+                fLimitAnalyzer.addValue(Limit.GENERAL_ENTITY_SIZE_LIMIT, fCurrentEntityName, buffer.length);
+                if (fSecurityManager.isOverLimit(Limit.GENERAL_ENTITY_SIZE_LIMIT, fLimitAnalyzer)) {
+                    fSecurityManager.debugPrint(fLimitAnalyzer);
                     reportFatalError("MaxEntitySizeLimit", new Object[]{fCurrentEntityName,
-                        fLimitAnalyzer.getValue(Limit.GENEAL_ENTITY_SIZE_LIMIT),
-                        fSecurityManager.getLimit(Limit.GENEAL_ENTITY_SIZE_LIMIT),
-                        fSecurityManager.getStateLiteral(Limit.GENEAL_ENTITY_SIZE_LIMIT)});
+                        fLimitAnalyzer.getValue(Limit.GENERAL_ENTITY_SIZE_LIMIT),
+                        fSecurityManager.getLimit(Limit.GENERAL_ENTITY_SIZE_LIMIT),
+                        fSecurityManager.getStateLiteral(Limit.GENERAL_ENTITY_SIZE_LIMIT)});
                 }
-                if (fSecurityManager.isOverLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT)) {
-                    fSecurityManager.debugPrint();
+                if (fSecurityManager.isOverLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT, fLimitAnalyzer)) {
+                    fSecurityManager.debugPrint(fLimitAnalyzer);
                     reportFatalError("TotalEntitySizeLimit",
                         new Object[]{fLimitAnalyzer.getTotalValue(Limit.TOTAL_ENTITY_SIZE_LIMIT),
                         fSecurityManager.getLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT),

jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentScannerImpl.java

@@ -1090,6 +1090,8 @@ public class XMLDocumentScannerImpl
 
                     ((XMLDTDScannerImpl)fDTDScanner).reset(fPropertyManager);
                 }
+
+                fDTDScanner.setLimitAnalyzer(fLimitAnalyzer);
                 do {
                     again = false;
                     switch (fScannerState) {

jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java

@@ -1300,8 +1300,8 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
         if(fLimitAnalyzer != null) {
            fLimitAnalyzer.addValue(entityExpansionIndex, name, 1);
         }
-        if( fSecurityManager != null && fSecurityManager.isOverLimit(entityExpansionIndex)){
-            fSecurityManager.debugPrint();
+        if( fSecurityManager != null && fSecurityManager.isOverLimit(entityExpansionIndex, fLimitAnalyzer)){
+            fSecurityManager.debugPrint(fLimitAnalyzer);
             fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,"EntityExpansionLimitExceeded",
                     new Object[]{fSecurityManager.getLimitValueByIndex(entityExpansionIndex)},
                                              XMLErrorReporter.SEVERITY_FATAL_ERROR );
@@ -1368,9 +1368,9 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
             //close the reader
             try{
                 if (fLimitAnalyzer != null) {
-                    fLimitAnalyzer.endEntity(XMLSecurityManager.Limit.GENEAL_ENTITY_SIZE_LIMIT, fCurrentEntity.name);
+                    fLimitAnalyzer.endEntity(XMLSecurityManager.Limit.GENERAL_ENTITY_SIZE_LIMIT, fCurrentEntity.name);
                     if (fCurrentEntity.name.equals("[xml]")) {
-                        fSecurityManager.debugPrint();
+                        fSecurityManager.debugPrint(fLimitAnalyzer);
                     }
                 }
                 fCurrentEntity.close();
@@ -1439,7 +1439,6 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
         fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
 
         fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(SECURITY_MANAGER);
-        fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
 
         // initialize state
         //fStandalone = false;
@@ -1501,7 +1500,6 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
         fStaxEntityResolver = (StaxEntityResolverWrapper)componentManager.getProperty(STAX_ENTITY_RESOLVER, null);
         fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null);
         fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
-        fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
         entityExpansionIndex = fSecurityManager.getIndex(Constants.JDK_ENTITY_EXPANSION_LIMIT);
 
         // JAXP 1.5 feature
@@ -1659,7 +1657,6 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
             if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
                 propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
                 fSecurityManager = (XMLSecurityManager)value;
-                fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
             }
         }
 
@@ -1668,8 +1665,13 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
         {
             XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
             fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
-            }
         }
+    }
+
+    public void setLimitAnalyzer(XMLLimitAnalyzer fLimitAnalyzer) {
+        this.fLimitAnalyzer = fLimitAnalyzer;
+    }
+
     /**
      * Returns a list of property identifiers that are recognized by
      * this component. This method may return null if no properties

jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java

@@ -77,7 +77,6 @@ public final class XMLLimitAnalyzer {
         }
     }
 
-    private XMLSecurityManager securityManager;
     /**
      * Max value accumulated for each property
      */
@@ -101,8 +100,7 @@ public final class XMLLimitAnalyzer {
      * Default constructor. Establishes default values for known security
      * vulnerabilities.
      */
-    public XMLLimitAnalyzer(XMLSecurityManager securityManager) {
-        this.securityManager = securityManager;
+    public XMLLimitAnalyzer() {
         values = new int[Limit.values().length];
         totalValue = new int[Limit.values().length];
         names = new String[Limit.values().length];
@@ -157,7 +155,7 @@ public final class XMLLimitAnalyzer {
         }
 
 
-        if (index == Limit.GENEAL_ENTITY_SIZE_LIMIT.ordinal() ||
+        if (index == Limit.GENERAL_ENTITY_SIZE_LIMIT.ordinal() ||
                 index == Limit.PARAMETER_ENTITY_SIZE_LIMIT.ordinal()) {
             totalValue[Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()] += value;
         }
@@ -221,7 +219,7 @@ public final class XMLLimitAnalyzer {
         }
     }
 
-    public void debugPrint() {
+    public void debugPrint(XMLSecurityManager securityManager) {
         Formatter formatter = new Formatter();
         System.out.println(formatter.format("%30s %15s %15s %15s %30s",
                 "Property","Limit","Total size","Size","Entity Name"));

jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java

@@ -65,7 +65,7 @@ public final class XMLSecurityManager {
         MAX_OCCUR_NODE_LIMIT(Constants.JDK_MAX_OCCUR_LIMIT, Constants.SP_MAX_OCCUR_LIMIT, 0, 5000),
         ELEMENT_ATTRIBUTE_LIMIT(Constants.JDK_ELEMENT_ATTRIBUTE_LIMIT, Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
         TOTAL_ENTITY_SIZE_LIMIT(Constants.JDK_TOTAL_ENTITY_SIZE_LIMIT, Constants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
-        GENEAL_ENTITY_SIZE_LIMIT(Constants.JDK_GENEAL_ENTITY_SIZE_LIMIT, Constants.SP_GENEAL_ENTITY_SIZE_LIMIT, 0, 0),
+        GENERAL_ENTITY_SIZE_LIMIT(Constants.JDK_GENERAL_ENTITY_SIZE_LIMIT, Constants.SP_GENERAL_ENTITY_SIZE_LIMIT, 0, 0),
         PARAMETER_ENTITY_SIZE_LIMIT(Constants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, Constants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
 
         final String apiProperty;
@@ -148,7 +148,6 @@ public final class XMLSecurityManager {
     private boolean[] isSet;
 
 
-    private XMLLimitAnalyzer limitAnalyzer;
     /**
      * Index of the special entityCountInfo property
      */
@@ -169,7 +168,6 @@ public final class XMLSecurityManager {
      * @param secureProcessing
      */
     public XMLSecurityManager(boolean secureProcessing) {
-        limitAnalyzer = new XMLLimitAnalyzer(this);
         values = new int[Limit.values().length];
         states = new State[Limit.values().length];
         isSet = new boolean[Limit.values().length];
@@ -249,13 +247,15 @@ public final class XMLSecurityManager {
         if (index == indexEntityCountInfo) {
             printEntityCountInfo = (String)value;
         } else {
-            int temp = 0;
-            try {
+            int temp;
+            if (Integer.class.isAssignableFrom(value.getClass())) {
+                temp = ((Integer)value).intValue();
+            } else {
                 temp = Integer.parseInt((String) value);
                 if (temp < 0) {
                     temp = 0;
                 }
-            } catch (NumberFormatException e) {}
+            }
             setLimit(index, state, temp);
         }
     }
@@ -387,8 +387,9 @@ public final class XMLSecurityManager {
      * @param size the size (count or length) of the entity
      * @return true if the size is over the limit, false otherwise
      */
-    public boolean isOverLimit(Limit limit, String entityName, int size) {
-        return isOverLimit(limit.ordinal(), entityName, size);
+    public boolean isOverLimit(Limit limit, String entityName, int size,
+            XMLLimitAnalyzer limitAnalyzer) {
+        return isOverLimit(limit.ordinal(), entityName, size, limitAnalyzer);
     }
 
     /**
@@ -400,7 +401,8 @@ public final class XMLSecurityManager {
      * @param size the size (count or length) of the entity
      * @return true if the size is over the limit, false otherwise
      */
-    public boolean isOverLimit(int index, String entityName, int size) {
+    public boolean isOverLimit(int index, String entityName, int size,
+            XMLLimitAnalyzer limitAnalyzer) {
         if (values[index] == NO_LIMIT) {
             return false;
         }
@@ -418,11 +420,11 @@ public final class XMLSecurityManager {
      * @param size the size (count or length) of the entity
      * @return true if the size is over the limit, false otherwise
      */
-    public boolean isOverLimit(Limit limit) {
-        return isOverLimit(limit.ordinal());
+    public boolean isOverLimit(Limit limit, XMLLimitAnalyzer limitAnalyzer) {
+        return isOverLimit(limit.ordinal(), limitAnalyzer);
     }
 
-    public boolean isOverLimit(int index) {
+    public boolean isOverLimit(int index, XMLLimitAnalyzer limitAnalyzer) {
         if (values[index] == NO_LIMIT) {
             return false;
         }
@@ -436,29 +438,12 @@ public final class XMLSecurityManager {
         }
     }
 
-    public void debugPrint() {
+    public void debugPrint(XMLLimitAnalyzer limitAnalyzer) {
         if (printEntityCountInfo.equals(Constants.JDK_YES)) {
-            limitAnalyzer.debugPrint();
+            limitAnalyzer.debugPrint(this);
         }
     }
 
-    /**
-     * Return the limit analyzer
-     *
-     * @return the limit analyzer
-     */
-    public XMLLimitAnalyzer getLimitAnalyzer() {
-        return limitAnalyzer;
-    }
-
-    /**
-     * Set limit analyzer
-     *
-     * @param analyzer a limit analyzer
-     */
-    public void setLimitAnalyzer(XMLLimitAnalyzer analyzer) {
-        limitAnalyzer = analyzer;
-    }
 
     /**
      * Indicate if a property is set explicitly

jaxp/src/com/sun/org/apache/xerces/internal/xni/parser/XMLDTDScanner.java

@@ -20,6 +20,7 @@
 
 package com.sun.org.apache.xerces.internal.xni.parser;
 
+import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
 import java.io.IOException;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 
@@ -95,4 +96,5 @@ public interface XMLDTDScanner
     public boolean scanDTDExternalSubset(boolean complete)
         throws IOException, XNIException;
 
+    public void setLimitAnalyzer(XMLLimitAnalyzer limitAnalyzer);
 } // interface XMLDTDScanner