8270492: Better resolution of URIs

Reviewed-by: lancea, naoto, ahgross, rhalade
2021-09-09 17:41:56 +00:00 · 2021-09-09 17:41:56 +00:00 · 78b2c8419b
commit 78b2c8419b
parent 3adc111766
4 changed files with 54 additions and 8 deletions
--- a/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/dom/LoadDocument.java
+++ b/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/dom/LoadDocument.java
@ -39,7 +39,7 @@ import jdk.xml.internal.SecuritySupport;

 /**
 * @author Morten Jorgensen
- * @LastModified: May 2021
+ * @LastModified: Sept 2021
 */
 public final class LoadDocument {

@ -190,6 +190,9 @@ public final class LoadDocument {
        if (cache != null) {
            newdom = cache.retrieveDocument(base, originalUri, translet);
            if (newdom == null) {
+                if (translet.getAccessError() != null) {
+                    throw new Exception(translet.getAccessError());
+                }
                final Exception e = new FileNotFoundException(originalUri);
                throw new TransletException(e);
            }
--- a/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet.java
+++ b/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet.java
@ -54,7 +54,7 @@ import org.w3c.dom.Document;
 * @author Morten Jorgensen
 * @author G. Todd Miller
 * @author John Howard, JohnH@schemasoft.com
- * @LastModified: May 2021
+ * @LastModified: Sept 2021
 */
 public abstract class AbstractTranslet implements Translet {

@ -116,6 +116,9 @@ public abstract class AbstractTranslet implements Translet {
     */
    private String _accessExternalStylesheet = JdkConstants.EXTERNAL_ACCESS_DEFAULT;

+    // The error message when access to exteranl resources is rejected
+    private String _accessErr = null;
+
    /************************************************************************
     * Debugging
     ************************************************************************/
@ -786,6 +789,20 @@ public abstract class AbstractTranslet implements Translet {
        _accessExternalStylesheet = protocols;
    }

+    /**
+     * Returns the access error.
+     */
+    public String getAccessError() {
+        return _accessErr;
+    }
+
+    /**
+     * Sets the access error.
+     */
+    public void setAccessError(String accessErr) {
+        this._accessErr = accessErr;
+    }
+
    /************************************************************************
     * DOMImplementation caching for basis library
     ************************************************************************/
--- a/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java
+++ b/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java
@ -101,7 +101,7 @@ import org.xml.sax.ext.LexicalHandler;
 * @author Morten Jorgensen
 * @author G. Todd Miller
 * @author Santiago Pericas-Geertsen
- * @LastModified: June 2021
+ * @LastModified: Sept 2021
 */
 public final class TransformerImpl extends Transformer
    implements DOMCache
@ -1351,8 +1351,33 @@ public final class TransformerImpl extends Transformer
            }

            if (resolvedSource == null)  {
-                StreamSource streamSource = new StreamSource(
-                     SystemIDResolver.getAbsoluteURI(href, baseURI));
+                /**
+                 * Uses the translet to carry over error msg.
+                 * Performs the access check without any interface changes
+                 * (e.g. Translet and DOMCache).
+                 */
+                @SuppressWarnings("unchecked") //AbstractTranslet is the sole impl.
+                AbstractTranslet t = (AbstractTranslet)translet;
+                String systemId = SystemIDResolver.getAbsoluteURI(href, baseURI);
+                String errMsg = null;
+                try {
+                    String accessError = SecuritySupport.checkAccess(systemId,
+                            t.getAllowedProtocols(),
+                            JdkConstants.ACCESS_EXTERNAL_ALL);
+                    if (accessError != null) {
+                        ErrorMsg msg = new ErrorMsg(ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+                                SecuritySupport.sanitizePath(href), accessError);
+                        errMsg = msg.toString();
+                    }
+                } catch (IOException ioe) {
+                    errMsg = ioe.getMessage();
+                }
+                if (errMsg != null) {
+                    t.setAccessError(errMsg);
+                    return null;
+                }
+
+                StreamSource streamSource = new StreamSource(systemId);
                return getDOM(streamSource) ;
            }

--- a/src/java.xml/share/classes/com/sun/org/apache/xml/internal/utils/SystemIDResolver.java
+++ b/src/java.xml/share/classes/com/sun/org/apache/xml/internal/utils/SystemIDResolver.java
@ -1,6 +1,5 @@
 /*
- * reserved comment block
- * DO NOT REMOVE OR ALTER!
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
 */
 /*
 * Licensed to the Apache Software Foundation (ASF) under one or more
@ -35,6 +34,8 @@ import com.sun.org.apache.xml.internal.utils.URI.MalformedURIException;
 * fact that it's declared to throw TransformerException.  Please
 * see code comments for details on how resolution is performed.</p>
 * @xsl.usage internal
+ *
+ * @LastModified: Sept 2021
 */
 public class SystemIDResolver
 {
@ -275,7 +276,7 @@ public class SystemIDResolver
  public static String getAbsoluteURI(String urlString, String base)
          throws TransformerException
  {
-    if (base == null)
+    if (base == null || base.length() == 0)
      return getAbsoluteURI(urlString);

    String absoluteBase = getAbsoluteURI(base);