stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge

Browse Source
This commit is contained in:
Lana Steuck 2013-07-22 17:29:05 -07:00
commit c47454aac9
25 changed files with 786 additions and 230 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java
View File

@ -73,13 +73,39 @@ public final class XalanConstants {
* Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
*/
public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
/**
* JDK version by which the default is to restrict external connection
*/
public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
/**
* FEATURE_SECURE_PROCESSING (FSP) is false by default
*/
public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
public static final String XML_SECURITY_PROPERTY_MANAGER =
ORACLE_JAXP_PROPERTY_PREFIX + "xmlSecurityPropertyManager";
/**
* Check if we're in jdk8 or above
*/
public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8);
/*
* Check the version of the current JDK against that specified in the
* parameter
*
* There is a proposal to change the java version string to:
* MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
* This method would work with both the current format and that proposed
*
* @param compareTo a JDK version to be compared to
* @return true if the current version is the same or above that represented
* by the parameter
*/
public static boolean isJavaVersionAtLeast(int compareTo) {
String javaVersion = SecuritySupport.getSystemProperty("java.version");
String versions[] = javaVersion.split("\\.", 3);
if (Integer.parseInt(versions[0]) >= compareTo ||
Integer.parseInt(versions[1]) >= compareTo) {
return true;
}
return false;
}
} // class Constants

16
jaxp/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java
View File

@ -229,7 +229,8 @@ public final class SecuritySupport {
* @return the name of the protocol if rejected, null otherwise
*/
public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException {
if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) {
if (systemId == null || (allowedProtocols != null &&
allowedProtocols.equalsIgnoreCase(accessAny))) {
return null;
}
@ -262,6 +263,9 @@ public final class SecuritySupport {
* @return true if the protocol is in the list
*/
private static boolean isProtocolAllowed(String protocol, String allowedProtocols) {
if (allowedProtocols == null) {
return false;
}
String temp[] = allowedProtocols.split(",");
for (String t : temp) {
t = t.trim();
@ -273,18 +277,16 @@ public final class SecuritySupport {
}
/**
* Read from $java.home/lib/jaxp.properties for the specified property
* Read JAXP system property in this order: system property,
* $java.home/lib/jaxp.properties if the system property is not specified
*
* @param propertyId the Id of the property
* @return the value of the property
*/
public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) {
String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId);
public static String getJAXPSystemProperty(String sysPropertyId) {
String accessExternal = getSystemProperty(sysPropertyId);
if (accessExternal == null) {
accessExternal = readJAXPProperty(sysPropertyId);
if (accessExternal == null) {
accessExternal = defaultVal;
}
}
return accessExternal;
}

192
jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java Normal file
View File

@ -0,0 +1,192 @@
/*
* Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.sun.org.apache.xalan.internal.utils;
import com.sun.org.apache.xalan.internal.XalanConstants;
import javax.xml.XMLConstants;
/**
* This class manages security related properties
*
*/
public final class XMLSecurityPropertyManager {
/**
* States of the settings of a property, in the order: default value, value
* set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
* properties, and jaxp api properties
*/
public static enum State {
//this order reflects the overriding order
DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
}
/**
* Limits managed by the security manager
*/
public static enum Property {
ACCESS_EXTERNAL_DTD(XMLConstants.ACCESS_EXTERNAL_DTD,
XalanConstants.EXTERNAL_ACCESS_DEFAULT),
ACCESS_EXTERNAL_STYLESHEET(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,
XalanConstants.EXTERNAL_ACCESS_DEFAULT);
final String name;
final String defaultValue;
Property(String name, String value) {
this.name = name;
this.defaultValue = value;
}
public boolean equalsName(String propertyName) {
return (propertyName == null) ? false : name.equals(propertyName);
}
String defaultValue() {
return defaultValue;
}
}
/**
* Values of the properties as defined in enum Properties
*/
private final String[] values;
/**
* States of the settings for each property in Properties above
*/
private State[] states = {State.DEFAULT, State.DEFAULT};
/**
* Default constructor. Establishes default values
*/
public XMLSecurityPropertyManager() {
values = new String[Property.values().length];
for (Property property : Property.values()) {
values[property.ordinal()] = property.defaultValue();
}
//read system properties or jaxp.properties
readSystemProperties();
}
/**
* Set the value for a specific property.
*
* @param property the property
* @param state the state of the property
* @param value the value of the property
*/
public void setValue(Property property, State state, String value) {
//only update if it shall override
if (state.compareTo(states[property.ordinal()]) >= 0) {
values[property.ordinal()] = value;
states[property.ordinal()] = state;
}
}
/**
* Set the value of a property by its index
* @param index the index of the property
* @param state the state of the property
* @param value the value of the property
*/
public void setValue(int index, State state, String value) {
//only update if it shall override
if (state.compareTo(states[index]) >= 0) {
values[index] = value;
states[index] = state;
}
}
/**
* Return the value of the specified property
*
* @param property the property
* @return the value of the property
*/
public String getValue(Property property) {
return values[property.ordinal()];
}
/**
* Return the value of a property by its ordinal
* @param index the index of a property
* @return value of a property
*/
public String getValueByIndex(int index) {
return values[index];
}
/**
* Get the index by property name
* @param propertyName property name
* @return the index of the property if found; return -1 if not
*/
public int getIndex(String propertyName){
for (Property property : Property.values()) {
if (property.equalsName(propertyName)) {
//internally, ordinal is used as index
return property.ordinal();
}
}
return -1;
}
/**
* Read from system properties, or those in jaxp.properties
*/
private void readSystemProperties() {
getSystemProperty(Property.ACCESS_EXTERNAL_DTD,
XalanConstants.SP_ACCESS_EXTERNAL_DTD);
getSystemProperty(Property.ACCESS_EXTERNAL_STYLESHEET,
XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET);
}
/**
* Read from system properties, or those in jaxp.properties
*
* @param property the property
* @param systemProperty the name of the system property
*/
private void getSystemProperty(Property property, String systemProperty) {
try {
String value = SecuritySupport.getSystemProperty(systemProperty);
if (value != null) {
values[property.ordinal()] = value;
states[property.ordinal()] = State.SYSTEMPROPERTY;
return;
}
value = SecuritySupport.readJAXPProperty(systemProperty);
if (value != null) {
values[property.ordinal()] = value;
states[property.ordinal()] = State.JAXPDOTPROPERTIES;
}
} catch (NumberFormatException e) {
//invalid setting ignored
}
}
}

55
jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java
View File

@ -27,6 +27,9 @@ import com.sun.org.apache.xalan.internal.XalanConstants;
import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property;
import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.State;
import com.sun.org.apache.xalan.internal.xsltc.compiler.Constants;
import com.sun.org.apache.xalan.internal.xsltc.compiler.SourceLoader;
import com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC;
@ -215,11 +218,13 @@ public class TransformerFactoryImpl
* protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
*/
private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
/**
* protocols allowed for external DTD references in source file and/or stylesheet.
*/
private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
private XMLSecurityPropertyManager _xmlSecurityPropertyMgr;
/**
* javax.xml.transform.sax.TransformerFactory implementation.
@ -235,15 +240,16 @@ public class TransformerFactoryImpl
private TransformerFactoryImpl(boolean useServicesMechanism) {
this._useServicesMechanism = useServicesMechanism;
String defaultAccess = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
if (System.getSecurityManager() != null) {
_isSecureMode = true;
_isNotSecureProcessing = false;
}
_accessExternalStylesheet = SecuritySupport.getDefaultAccessProperty(
XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess);
_accessExternalDTD = SecuritySupport.getDefaultAccessProperty(
XalanConstants.SP_ACCESS_EXTERNAL_DTD, defaultAccess);
_xmlSecurityPropertyMgr = new XMLSecurityPropertyManager();
_accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
Property.ACCESS_EXTERNAL_DTD);
_accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
Property.ACCESS_EXTERNAL_STYLESHEET);
}
/**
@ -306,11 +312,10 @@ public class TransformerFactoryImpl
else
return Boolean.FALSE;
}
else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
return _accessExternalStylesheet;
}
else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
return _accessExternalDTD;
int index = _xmlSecurityPropertyMgr.getIndex(name);
if (index > -1) {
return _xmlSecurityPropertyMgr.getValueByIndex(index);
}
// Throw an exception for all other attributes
@ -413,12 +418,15 @@ public class TransformerFactoryImpl
return;
}
}
else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
_accessExternalStylesheet = (String)value;
return;
}
else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
_accessExternalDTD = (String)value;
int index = _xmlSecurityPropertyMgr.getIndex(name);
if (index > -1) {
_xmlSecurityPropertyMgr.setValue(index,
State.APIPROPERTY, (String)value);
_accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
Property.ACCESS_EXTERNAL_DTD);
_accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
Property.ACCESS_EXTERNAL_STYLESHEET);
return;
}
@ -466,11 +474,18 @@ public class TransformerFactoryImpl
}
_isNotSecureProcessing = !value;
// set restriction, allowing no access to external stylesheet
if (value) {
_accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
_accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
// set external access restriction when FSP is explicitly set
if (value && XalanConstants.IS_JDK8_OR_ABOVE) {
_xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD,
State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP);
_xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_STYLESHEET,
State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP);
_accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
Property.ACCESS_EXTERNAL_DTD);
_accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
Property.ACCESS_EXTERNAL_STYLESHEET);
}
return;
}
else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) {

25
jaxp/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java
View File

@ -33,7 +33,7 @@ import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
import com.sun.org.apache.xerces.internal.util.PropertyState;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@ -156,13 +156,9 @@ public class DOMConfigurationImpl extends ParserConfigurationSettings
protected static final String SCHEMA_DV_FACTORY =
Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
/** Property identifier: access to external dtd */
protected static final String ACCESS_EXTERNAL_DTD =
XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: access to external schema */
protected static final String ACCESS_EXTERNAL_SCHEMA =
XMLConstants.ACCESS_EXTERNAL_SCHEMA;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
//
// Data
@ -283,8 +279,7 @@ public class DOMConfigurationImpl extends ParserConfigurationSettings
JAXP_SCHEMA_LANGUAGE,
DTD_VALIDATOR_FACTORY_PROPERTY,
SCHEMA_DV_FACTORY,
ACCESS_EXTERNAL_DTD,
ACCESS_EXTERNAL_SCHEMA
XML_SECURITY_PROPERTY_MANAGER
};
addRecognizedProperties(recognizedProperties);
@ -318,14 +313,8 @@ public class DOMConfigurationImpl extends ParserConfigurationSettings
fValidationManager = createValidationManager();
setProperty(VALIDATION_MANAGER, fValidationManager);
//For DOM, the secure feature is set to true by default
String accessExternal = SecuritySupport.getDefaultAccessProperty(
Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
setProperty(ACCESS_EXTERNAL_DTD, accessExternal);
accessExternal = SecuritySupport.getDefaultAccessProperty(
Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal);
setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
new XMLSecurityPropertyManager());
// add message formatters
if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {

33
jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java
View File

@ -184,6 +184,9 @@ public final class Constants {
public static final String ORACLE_JAXP_PROPERTY_PREFIX =
"http://www.oracle.com/xml/jaxp/properties/";
public static final String XML_SECURITY_PROPERTY_MANAGER =
ORACLE_JAXP_PROPERTY_PREFIX + "xmlSecurityPropertyManager";
//System Properties corresponding to ACCESS_EXTERNAL_* properties
public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
public static final String SP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema";
@ -194,16 +197,17 @@ public final class Constants {
* Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
*/
public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
/**
* JDK version by which the default is to restrict external connection
*/
public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
/**
* FEATURE_SECURE_PROCESSING (FSP) is true by default
*/
public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
/**
* Check if we're in jdk8 or above
*/
public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8);
//
// DOM features
//
@ -697,6 +701,27 @@ public final class Constants {
? new ArrayEnumeration(fgXercesProperties) : fgEmptyEnumeration;
} // getXercesProperties():Enumeration
/*
* Check the version of the current JDK against that specified in the
* parameter
*
* There is a proposal to change the java version string to:
* MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
* This method would work with both the current format and that proposed
*
* @param compareTo a JDK version to be compared to
* @return true if the current version is the same or above that represented
* by the parameter
*/
public static boolean isJavaVersionAtLeast(int compareTo) {
String javaVersion = SecuritySupport.getSystemProperty("java.version");
String versions[] = javaVersion.split("\\.", 3);
if (Integer.parseInt(versions[0]) >= compareTo ||
Integer.parseInt(versions[1]) >= compareTo) {
return true;
}
return false;
}
//
// Classes

38
jaxp/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java
View File

@ -25,10 +25,9 @@
package com.sun.org.apache.xerces.internal.impl;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
import java.util.HashMap;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLResolver;
@ -51,15 +50,14 @@ public class PropertyManager {
private static final String STRING_INTERNING = "http://xml.org/sax/features/string-interning";
/** Property identifier: access to external dtd */
protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: access to external schema */
protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
HashMap supportedProps = new HashMap();
private XMLSecurityPropertyManager fSecurityPropertyMgr;
public static final int CONTEXT_READER = 1;
public static final int CONTEXT_WRITER = 2;
@ -84,6 +82,7 @@ public class PropertyManager {
HashMap properties = propertyManager.getProperties();
supportedProps.putAll(properties);
fSecurityPropertyMgr = (XMLSecurityPropertyManager)getProperty(XML_SECURITY_PROPERTY_MANAGER);
}
private HashMap getProperties(){
@ -125,14 +124,8 @@ public class PropertyManager {
supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE, new Boolean(false));
supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_UNDECLARED_ELEMDEF_FEATURE, new Boolean(false));
//For DOM/SAX, the secure feature is set to true by default
String accessExternal = SecuritySupport.getDefaultAccessProperty(
Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
supportedProps.put(ACCESS_EXTERNAL_DTD, accessExternal);
accessExternal = SecuritySupport.getDefaultAccessProperty(
Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
supportedProps.put(ACCESS_EXTERNAL_SCHEMA, accessExternal);
fSecurityPropertyMgr = new XMLSecurityPropertyManager();
supportedProps.put(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
}
private void initWriterProps(){
@ -148,7 +141,8 @@ public class PropertyManager {
* }
*/
public boolean containsProperty(String property){
return supportedProps.containsKey(property) ;
return supportedProps.containsKey(property) ||
(fSecurityPropertyMgr!=null && fSecurityPropertyMgr.getIndex(property) > -1) ;
}
public Object getProperty(String property){
@ -174,7 +168,15 @@ public class PropertyManager {
//add internal stax property
supportedProps.put( Constants.XERCES_PROPERTY_PREFIX + Constants.STAX_ENTITY_RESOLVER_PROPERTY , new StaxEntityResolverWrapper((XMLResolver)value)) ;
}
supportedProps.put(property, value ) ;
int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(property) : -1;
if (index > -1) {
fSecurityPropertyMgr.setValue(index,
XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
} else {
supportedProps.put(property, value);
}
if(equivalentProperty != null){
supportedProps.put(equivalentProperty, value ) ;
}

29
jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java
View File

@ -53,6 +53,7 @@ import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.xml.internal.stream.Entity;
import javax.xml.XMLConstants;
@ -166,8 +167,9 @@ public class XMLDocumentFragmentScannerImpl
protected static final String STANDARD_URI_CONFORMANT =
Constants.XERCES_FEATURE_PREFIX +Constants.STANDARD_URI_CONFORMANT_FEATURE;
/** property identifier: access external dtd. */
protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
/** access external dtd: file protocol
* For DOM/SAX, the secure feature is set to true by default
@ -199,7 +201,7 @@ public class XMLDocumentFragmentScannerImpl
SYMBOL_TABLE,
ERROR_REPORTER,
ENTITY_MANAGER,
ACCESS_EXTERNAL_DTD
XML_SECURITY_PROPERTY_MANAGER
};
/** Property defaults. */
@ -610,7 +612,10 @@ public class XMLDocumentFragmentScannerImpl
dtdGrammarUtil = null;
// JAXP 1.5 features and properties
fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
fStrictURI = componentManager.getFeature(STANDARD_URI_CONFORMANT, false);
//fEntityManager.test();
@ -662,9 +667,10 @@ public class XMLDocumentFragmentScannerImpl
dtdGrammarUtil = null;
// Oracle jdk feature
fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
// JAXP 1.5 features and properties
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
} // reset(XMLComponentManager)
/**
@ -762,11 +768,10 @@ public class XMLDocumentFragmentScannerImpl
}
//JAXP 1.5 properties
if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
if (propertyId.equals(ACCESS_EXTERNAL_DTD))
{
fAccessExternalDTD = (String)value;
}
if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER))
{
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
}
} // setProperty(String,Object)

28
jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java
View File

@ -31,6 +31,7 @@ import com.sun.org.apache.xerces.internal.util.*;
import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
import com.sun.org.apache.xerces.internal.xni.XNIException;
@ -166,8 +167,9 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
protected static final String PARSER_SETTINGS =
Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
/** property identifier: access external dtd. */
protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
/** access external dtd: file protocol */
static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
@ -203,7 +205,7 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
VALIDATION_MANAGER,
BUFFER_SIZE,
SECURITY_MANAGER,
ACCESS_EXTERNAL_DTD
XML_SECURITY_PROPERTY_MANAGER
};
/** Property defaults. */
@ -214,7 +216,7 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
null,
new Integer(DEFAULT_BUFFER_SIZE),
null,
EXTERNAL_ACCESS_DEFAULT
null
};
private static final String XMLEntity = "[xml]".intern();
@ -1421,7 +1423,8 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
fLoadExternalDTD = !((Boolean)propertyManager.getProperty(Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD)).booleanValue();
// JAXP 1.5 feature
fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
// initialize state
//fStandalone = false;
@ -1485,7 +1488,11 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
// JAXP 1.5 feature
fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
if (spm == null) {
spm = new XMLSecurityPropertyManager();
}
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
//reset general state
reset();
@ -1641,11 +1648,10 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
}
//JAXP 1.5 properties
if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
if (propertyId.equals(ACCESS_EXTERNAL_DTD))
{
fAccessExternalDTD = (String)value;
}
if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER))
{
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
}
}

21
jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java
View File

@ -54,6 +54,7 @@ import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@ -218,6 +219,10 @@ XSLoader, DOMConfiguration {
protected static final String ENTITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_MANAGER_PROPERTY;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
/** Property identifier: access to external dtd */
public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
@ -238,8 +243,7 @@ XSLoader, DOMConfiguration {
SECURITY_MANAGER,
LOCALE,
SCHEMA_DV_FACTORY,
ACCESS_EXTERNAL_DTD,
ACCESS_EXTERNAL_SCHEMA
XML_SECURITY_PROPERTY_MANAGER
};
// Data
@ -270,7 +274,6 @@ XSLoader, DOMConfiguration {
private final CMNodeFactory fNodeFactory = new CMNodeFactory(); //component mgr will be set later
private CMBuilder fCMBuilder;
private XSDDescription fXSDDescription = new XSDDescription();
private String faccessExternalDTD = Constants.EXTERNAL_ACCESS_DEFAULT;
private String faccessExternalSchema = Constants.EXTERNAL_ACCESS_DEFAULT;
private Map fJAXPCache;
@ -466,11 +469,9 @@ XSLoader, DOMConfiguration {
fErrorReporter.putMessageFormatter(XSMessageFormatter.SCHEMA_DOMAIN, new XSMessageFormatter());
}
}
else if (propertyId.equals(ACCESS_EXTERNAL_DTD)) {
faccessExternalDTD = (String) state;
}
else if (propertyId.equals(ACCESS_EXTERNAL_SCHEMA)) {
faccessExternalSchema = (String) state;
else if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) {
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)state;
faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
}
} // setProperty(String, Object)
@ -1066,8 +1067,8 @@ XSLoader, DOMConfiguration {
fSchemaHandler.setGenerateSyntheticAnnotations(componentManager.getFeature(GENERATE_SYNTHETIC_ANNOTATIONS, false));
fSchemaHandler.reset(componentManager);
faccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD);
faccessExternalSchema = (String) componentManager.getProperty(ACCESS_EXTERNAL_SCHEMA);
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
}
private void initGrammarBucket(){

11
jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java
View File

@ -233,11 +233,9 @@ public class XMLSchemaValidator
protected static final String SCHEMA_DV_FACTORY =
Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
/** property identifier: access external dtd. */
private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: access to external schema */
private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
protected static final String USE_SERVICE_MECHANISM = Constants.ORACLE_FEATURE_SERVICE_MECHANISM;
@ -297,8 +295,7 @@ public class XMLSchemaValidator
JAXP_SCHEMA_SOURCE,
JAXP_SCHEMA_LANGUAGE,
SCHEMA_DV_FACTORY,
ACCESS_EXTERNAL_DTD,
ACCESS_EXTERNAL_SCHEMA
XML_SECURITY_PROPERTY_MANAGER
};
/** Property defaults. */

34
jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java
View File

@ -78,6 +78,7 @@ import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@ -112,6 +113,7 @@ import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;
@ -223,11 +225,9 @@ public class XSDHandler {
protected static final String LOCALE =
Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
/** property identifier: access external dtd. */
public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: access to external schema */
public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
protected static final boolean DEBUG_NODE_POOL = false;
@ -260,6 +260,7 @@ public class XSDHandler {
protected SecurityManager fSecureProcessing = null;
private String fAccessExternalSchema;
private String fAccessExternalDTD;
// These tables correspond to the symbol spaces defined in the
// spec.
@ -2249,6 +2250,13 @@ public class XSDHandler {
}
}
catch (SAXException se) {}
try {
parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, fAccessExternalDTD);
} catch (SAXNotRecognizedException exc) {
System.err.println("Warning: " + parser.getClass().getName() + ": " +
exc.getMessage());
}
}
// If XML names and Namespace URIs are already internalized we
// can avoid running them through the SymbolTable.
@ -3580,11 +3588,17 @@ public class XSDHandler {
} catch (XMLConfigurationException e) {
}
//For Schema validation, the secure feature is set to true by default
fSchemaParser.setProperty(ACCESS_EXTERNAL_DTD,
componentManager.getProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT));
fAccessExternalSchema = (String) componentManager.getProperty(
ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
XMLSecurityPropertyManager securityPropertyMgr = (XMLSecurityPropertyManager)
componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
//Passing on the setting to the parser
fSchemaParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, securityPropertyMgr);
fAccessExternalDTD = securityPropertyMgr.getValue(
XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
fAccessExternalSchema = securityPropertyMgr.getValue(
XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
} // reset(XMLComponentManager)

64
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java
View File

@ -37,6 +37,9 @@ import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
import com.sun.org.apache.xerces.internal.parsers.DOMParser;
import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@ -97,12 +100,17 @@ public class DocumentBuilderImpl extends DocumentBuilder
private static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
/** property identifier: access external dtd. */
public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: access to external schema */
public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
private final DOMParser domParser;
private final Schema grammar;
@ -117,6 +125,8 @@ public class DocumentBuilderImpl extends DocumentBuilder
/** Initial EntityResolver */
private final EntityResolver fInitEntityResolver;
private XMLSecurityPropertyManager fSecurityPropertyMgr;
DocumentBuilderImpl(DocumentBuilderFactoryImpl dbf, Hashtable dbfAttrs, Hashtable features)
throws SAXNotRecognizedException, SAXNotSupportedException {
this(dbf, dbfAttrs, features, false);
@ -160,23 +170,27 @@ public class DocumentBuilderImpl extends DocumentBuilder
domParser.setFeature(XINCLUDE_FEATURE, true);
}
fSecurityPropertyMgr = new XMLSecurityPropertyManager();
domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
// If the secure processing feature is on set a security manager.
if (secureProcessing) {
domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
/**
* By default, secure processing is set, no external access is allowed.
* However, we need to check if it is actively set on the factory since we
* allow the use of the System Property or jaxp.properties to override
* the default value
* If secure processing is explicitly set on the factory, the
* access properties will be set unless the corresponding
* System Properties or jaxp.properties are set
*/
if (features != null) {
Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
if (temp != null) {
boolean value = ((Boolean) temp).booleanValue();
if (value) {
domParser.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
domParser.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
if (value && Constants.IS_JDK8_OR_ABOVE) {
fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD,
State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_SCHEMA,
State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
}
}
}
@ -220,7 +234,7 @@ public class DocumentBuilderImpl extends DocumentBuilder
setFeatures(features);
}
// Set attributes
//setAttribute override those that may be set by other means
setDocumentBuilderFactoryAttributes(dbfAttrs);
// Initial EntityResolver
@ -275,26 +289,32 @@ public class DocumentBuilderImpl extends DocumentBuilder
// spec when schema validation is enabled
domParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA);
}
}
} else if(JAXP_SCHEMA_SOURCE.equals(name)){
if( isValidating() ) {
String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE);
if(value !=null && W3C_XML_SCHEMA.equals(value)){
domParser.setProperty(name, val);
}else{
}
} else if(JAXP_SCHEMA_SOURCE.equals(name)){
if( isValidating() ) {
String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE);
if(value !=null && W3C_XML_SCHEMA.equals(value)){
domParser.setProperty(name, val);
}else{
throw new IllegalArgumentException(
DOMMessageFormatter.formatMessage(DOMMessageFormatter.DOM_DOMAIN,
"jaxp-order-not-supported",
new Object[] {JAXP_SCHEMA_LANGUAGE, JAXP_SCHEMA_SOURCE}));
}
}
} else {
// Let Xerces code handle the property
domParser.setProperty(name, val);
}
}
}
}
} else {
int index = fSecurityPropertyMgr.getIndex(name);
if (index > -1) {
fSecurityPropertyMgr.setValue(index,
XMLSecurityPropertyManager.State.APIPROPERTY, (String)val);
} else {
// Let Xerces code handle the property
domParser.setProperty(name, val);
}
}
}
}
}
/**
* Non-preferred: use the getDOMImplementation() method instead of this

43
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java
View File

@ -36,6 +36,7 @@ import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@ -92,11 +93,9 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
private static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
/** property identifier: access external dtd. */
public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: access to external schema */
public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
private final JAXPSAXParser xmlReader;
private String schemaLanguage = null; // null means DTD
@ -113,6 +112,8 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
/** Initial EntityResolver */
private final EntityResolver fInitEntityResolver;
private XMLSecurityPropertyManager fSecurityPropertyMgr;
/**
* Create a SAX parser with the associated features
* @param features Hashtable of SAX features, may be null
@ -149,6 +150,9 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
xmlReader.setFeature0(XINCLUDE_FEATURE, true);
}
fSecurityPropertyMgr = new XMLSecurityPropertyManager();
xmlReader.setProperty0(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
// If the secure processing feature is on set a security manager.
if (secureProcessing) {
xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
@ -162,9 +166,12 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
if (temp != null) {
boolean value = ((Boolean) temp).booleanValue();
if (value) {
xmlReader.setProperty0(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
xmlReader.setProperty0(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
if (value && Constants.IS_JDK8_OR_ABOVE) {
fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
}
}
}
@ -530,14 +537,21 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
return;
}
}
if (!fInitProperties.containsKey(name)) {
fInitProperties.put(name, super.getProperty(name));
}
/** Forward property to the schema validator if there is one. **/
if (fSAXParser != null && fSAXParser.fSchemaValidator != null) {
setSchemaValidatorProperty(name, value);
}
super.setProperty(name, value);
/** Check to see if the property is managed by the property manager **/
int index = fSAXParser.fSecurityPropertyMgr.getIndex(name);
if (index > -1) {
fSAXParser.fSecurityPropertyMgr.setValue(index,
XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
} else {
if (!fInitProperties.containsKey(name)) {
fInitProperties.put(name, super.getProperty(name));
}
super.setProperty(name, value);
}
}
public synchronized Object getProperty(String name)
@ -550,6 +564,11 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
// JAXP 1.2 support
return fSAXParser.schemaLanguage;
}
int index = fSAXParser.fSecurityPropertyMgr.getIndex(name);
if (index > -1) {
return fSAXParser.fSecurityPropertyMgr.getValueByIndex(index);
}
return super.getProperty(name);
}

4
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java
View File

@ -177,11 +177,11 @@ final class StreamValidatorHelper implements ValidatorHelper {
}
config.setProperty(SYMBOL_TABLE, fComponentManager.getProperty(SYMBOL_TABLE));
config.setProperty(VALIDATION_MANAGER, fComponentManager.getProperty(VALIDATION_MANAGER));
config.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
config.setDocumentHandler(fSchemaValidator);
config.setDTDHandler(null);
config.setDTDContentModelHandler(null);
config.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
fComponentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER));
fConfiguration = new SoftReference(config);
return config;
}

9
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java
View File

@ -53,6 +53,7 @@ import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName;
@ -134,6 +135,10 @@ final class ValidatorHandlerImpl extends ValidatorHandler implements
private static final String VALIDATION_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.VALIDATION_MANAGER_PROPERTY;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
//
// Data
//
@ -686,8 +691,10 @@ final class ValidatorHandlerImpl extends ValidatorHandler implements
catch (SAXException exc) {}
}
try {
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
fComponentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD));
} catch (SAXException exc) {
System.err.println("Warning: " + reader.getClass().getName() + ": " +
exc.getMessage());

42
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java
View File

@ -45,7 +45,7 @@ import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.StAXInputSource;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@ -83,11 +83,10 @@ public final class XMLSchemaFactory extends SchemaFactory {
private static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
/** property identifier: access external dtd. */
public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
/** Property identifier: access to external schema */
public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
//
// Data
@ -111,6 +110,9 @@ public final class XMLSchemaFactory extends SchemaFactory {
/** The SecurityManager. */
private SecurityManager fSecurityManager;
/** The Security property manager. */
private XMLSecurityPropertyManager fSecurityPropertyMgr;
/** The container for the real grammar pool. */
private XMLGrammarPoolWrapper fXMLGrammarPoolWrapper;
@ -120,6 +122,8 @@ public final class XMLSchemaFactory extends SchemaFactory {
* Note the default value (false) is the safe option..
*/
private final boolean fUseServicesMechanism;
public XMLSchemaFactory() {
this(true);
}
@ -140,13 +144,9 @@ public final class XMLSchemaFactory extends SchemaFactory {
fSecurityManager = new SecurityManager();
fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
//by default, the secure feature is set to true, otherwise the default would have been 'file'
String accessExternal = SecuritySupport.getDefaultAccessProperty(
Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, accessExternal);
accessExternal = SecuritySupport.getDefaultAccessProperty(
Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal);
fSecurityPropertyMgr = new XMLSecurityPropertyManager();
fXMLSchemaLoader.setProperty(XML_SECURITY_PROPERTY_MANAGER,
fSecurityPropertyMgr);
}
/**
@ -282,6 +282,7 @@ public final class XMLSchemaFactory extends SchemaFactory {
schema = new EmptyXMLSchema();
}
propagateFeatures(schema);
propagateProperties(schema);
return schema;
}
@ -366,8 +367,13 @@ public final class XMLSchemaFactory extends SchemaFactory {
}
if (value) {
fSecurityManager = new SecurityManager();
fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
if (Constants.IS_JDK8_OR_ABOVE) {
fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
}
} else {
fSecurityManager = null;
}
@ -414,7 +420,13 @@ public final class XMLSchemaFactory extends SchemaFactory {
"property-not-supported", new Object [] {name}));
}
try {
fXMLSchemaLoader.setProperty(name, object);
int index = fSecurityPropertyMgr.getIndex(name);
if (index > -1) {
fSecurityPropertyMgr.setValue(index,
XMLSecurityPropertyManager.State.APIPROPERTY, (String)object);
} else {
fXMLSchemaLoader.setProperty(name, object);
}
}
catch (XMLConfigurationException e) {
String identifier = e.getIdentifier();

28
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java
View File

@ -42,6 +42,7 @@ import com.sun.org.apache.xerces.internal.util.PropertyState;
import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@ -107,6 +108,10 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
private static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
/** Property identifier: security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
/** Property identifier: symbol table. */
private static final String SYMBOL_TABLE =
Constants.XERCES_PROPERTY_PREFIX + Constants.SYMBOL_TABLE_PROPERTY;
@ -123,12 +128,6 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
private static final String LOCALE =
Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
/** property identifier: access external dtd. */
private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: access to external schema */
private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
//
// Data
//
@ -184,6 +183,9 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
/** Stores the initial security manager. */
private final SecurityManager fInitSecurityManager;
/** Stores the initial security property manager. */
private final XMLSecurityPropertyManager fSecurityPropertyMgr;
//
// User Objects
//
@ -250,8 +252,9 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
fComponents.put(SECURITY_MANAGER, fInitSecurityManager);
//pass on properties set on SchemaFactory
setProperty(ACCESS_EXTERNAL_DTD, grammarContainer.getProperty(ACCESS_EXTERNAL_DTD));
setProperty(ACCESS_EXTERNAL_SCHEMA, grammarContainer.getProperty(ACCESS_EXTERNAL_SCHEMA));
fSecurityPropertyMgr = (XMLSecurityPropertyManager)
grammarContainer.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER);
setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
}
/**
@ -309,6 +312,15 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING);
}
setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
if (value && Constants.IS_JDK8_OR_ABOVE) {
fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
}
return;
}
fConfigUpdated = true;

12
jaxp/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java
View File

@ -29,6 +29,7 @@ import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
@ -74,6 +75,10 @@ public class DOMParser
protected static final String REPORT_WHITESPACE =
Constants.SUN_SCHEMA_FEATURE_PREFIX + Constants.SUN_REPORT_IGNORED_ELEMENT_CONTENT_WHITESPACE;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
// recognized features:
private static final String[] RECOGNIZED_FEATURES = {
REPORT_WHITESPACE
@ -579,6 +584,13 @@ public class DOMParser
}
try {
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
fConfiguration.getProperty(XML_SECURITY_PROPERTY_MANAGER);
int index = spm.getIndex(propertyId);
if (index > -1) {
return spm.getValueByIndex(index);
}
return fConfiguration.getProperty(propertyId);
}
catch (XMLConfigurationException e) {

23
jaxp/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java
View File

@ -22,8 +22,11 @@ package com.sun.org.apache.xerces.internal.parsers;
import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
/**
* This is the main Xerces SAX parser class. It uses the abstract SAX
@ -120,4 +123,24 @@ public class SAXParser
} // <init>(SymbolTable,XMLGrammarPool)
/**
* Sets the particular property in the underlying implementation of
* org.xml.sax.XMLReader.
*/
public void setProperty(String name, Object value)
throws SAXNotRecognizedException, SAXNotSupportedException {
XMLSecurityPropertyManager spm = new XMLSecurityPropertyManager();
int index = spm.getIndex(name);
if (index > -1) {
/**
* this is a direct call to this parser, not a subclass since
* internally the support of this property is done through
* XMLSecurityPropertyManager
*/
spm.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, spm);
} else {
super.setProperty(name, value);
}
}
} // class SAXParser

24
jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java
View File

@ -20,12 +20,10 @@
package com.sun.org.apache.xerces.internal.parsers;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Locale;
import java.util.Properties;
import javax.xml.XMLConstants;
import com.sun.org.apache.xerces.internal.impl.Constants;
@ -53,9 +51,8 @@ import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
import com.sun.org.apache.xerces.internal.util.FeatureState;
import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
import com.sun.org.apache.xerces.internal.util.PropertyState;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@ -278,11 +275,10 @@ public class XML11Configuration extends ParserConfigurationSettings
protected static final String SCHEMA_DV_FACTORY =
Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
/** Property identifier: access to external dtd */
protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: Security property manager. */
private static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
/** Property identifier: access to external schema */
protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
// debugging
@ -535,8 +531,7 @@ public class XML11Configuration extends ParserConfigurationSettings
SCHEMA_NONS_LOCATION,
LOCALE,
SCHEMA_DV_FACTORY,
ACCESS_EXTERNAL_DTD,
ACCESS_EXTERNAL_SCHEMA
XML_SECURITY_PROPERTY_MANAGER
};
addRecognizedProperties(recognizedProperties);
@ -584,14 +579,7 @@ public class XML11Configuration extends ParserConfigurationSettings
fVersionDetector = new XMLVersionDetector();
//FEATURE_SECURE_PROCESSING is true, see the feature above
String accessExternal = SecuritySupport.getDefaultAccessProperty(
Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
fProperties.put(ACCESS_EXTERNAL_DTD, accessExternal);
accessExternal = SecuritySupport.getDefaultAccessProperty(
Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
fProperties.put(ACCESS_EXTERNAL_SCHEMA, accessExternal);
fProperties.put(XML_SECURITY_PROPERTY_MANAGER, new XMLSecurityPropertyManager());
// add message formatters
if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {

16
jaxp/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java
View File

@ -223,7 +223,8 @@ public final class SecuritySupport {
* @return the name of the protocol if rejected, null otherwise
*/
public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException {
if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) {
if (systemId == null || (allowedProtocols != null &&
allowedProtocols.equalsIgnoreCase(accessAny))) {
return null;
}
@ -256,6 +257,9 @@ public final class SecuritySupport {
* @return true if the protocol is in the list
*/
private static boolean isProtocolAllowed(String protocol, String allowedProtocols) {
if (allowedProtocols == null) {
return false;
}
String temp[] = allowedProtocols.split(",");
for (String t : temp) {
t = t.trim();
@ -267,18 +271,16 @@ public final class SecuritySupport {
}
/**
* Read from $java.home/lib/jaxp.properties for the specified property
* Read JAXP system property in this order: system property,
* $java.home/lib/jaxp.properties if the system property is not specified
*
* @param propertyId the Id of the property
* @return the value of the property
*/
public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) {
String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId);
public static String getJAXPSystemProperty(String sysPropertyId) {
String accessExternal = getSystemProperty(sysPropertyId);
if (accessExternal == null) {
accessExternal = readJAXPProperty(sysPropertyId);
if (accessExternal == null) {
accessExternal = defaultVal;
}
}
return accessExternal;
}

190
jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java Normal file
View File

@ -0,0 +1,190 @@
/*
* Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.sun.org.apache.xerces.internal.utils;
import com.sun.org.apache.xerces.internal.impl.Constants;
import javax.xml.XMLConstants;
/**
* This class manages security related properties
*
*/
public final class XMLSecurityPropertyManager {
/**
* States of the settings of a property, in the order: default value, value
* set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
* properties, and jaxp api properties
*/
public static enum State {
//this order reflects the overriding order
DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
}
/**
* Limits managed by the security manager
*/
public static enum Property {
ACCESS_EXTERNAL_DTD(XMLConstants.ACCESS_EXTERNAL_DTD,
Constants.EXTERNAL_ACCESS_DEFAULT),
ACCESS_EXTERNAL_SCHEMA(XMLConstants.ACCESS_EXTERNAL_SCHEMA,
Constants.EXTERNAL_ACCESS_DEFAULT);
final String name;
final String defaultValue;
Property(String name, String value) {
this.name = name;
this.defaultValue = value;
}
public boolean equalsName(String propertyName) {
return (propertyName == null) ? false : name.equals(propertyName);
}
String defaultValue() {
return defaultValue;
}
}
/**
* Values of the properties as defined in enum Properties
*/
private final String[] values;
/**
* States of the settings for each property in Properties above
*/
private State[] states = {State.DEFAULT, State.DEFAULT};
/**
* Default constructor. Establishes default values
*/
public XMLSecurityPropertyManager() {
values = new String[Property.values().length];
for (Property property : Property.values()) {
values[property.ordinal()] = property.defaultValue();
}
//read system properties or jaxp.properties
readSystemProperties();
}
/**
* Set the value for a specific property.
*
* @param property the property
* @param state the state of the property
* @param value the value of the property
*/
public void setValue(Property property, State state, String value) {
//only update if it shall override
if (state.compareTo(states[property.ordinal()]) >= 0) {
values[property.ordinal()] = value;
states[property.ordinal()] = state;
}
}
/**
* Set the value of a property by its index
* @param index the index of the property
* @param state the state of the property
* @param value the value of the property
*/
public void setValue(int index, State state, String value) {
//only update if it shall override
if (state.compareTo(states[index]) >= 0) {
values[index] = value;
states[index] = state;
}
}
/**
* Return the value of the specified property
*
* @param property the property
* @return the value of the property
*/
public String getValue(Property property) {
return values[property.ordinal()];
}
/**
* Return the value of a property by its ordinal
* @param index the index of a property
* @return value of a property
*/
public String getValueByIndex(int index) {
return values[index];
}
/**
* Get the index by property name
* @param propertyName property name
* @return the index of the property if found; return -1 if not
*/
public int getIndex(String propertyName){
for (Property property : Property.values()) {
if (property.equalsName(propertyName)) {
//internally, ordinal is used as index
return property.ordinal();
}
}
return -1;
}
/**
* Read from system properties, or those in jaxp.properties
*/
private void readSystemProperties() {
getSystemProperty(Property.ACCESS_EXTERNAL_DTD,
Constants.SP_ACCESS_EXTERNAL_DTD);
getSystemProperty(Property.ACCESS_EXTERNAL_SCHEMA,
Constants.SP_ACCESS_EXTERNAL_SCHEMA);
}
/**
* Read from system properties, or those in jaxp.properties
*
* @param property the property
* @param systemProperty the name of the system property
*/
private void getSystemProperty(Property property, String systemProperty) {
try {
String value = SecuritySupport.getSystemProperty(systemProperty);
if (value != null) {
values[property.ordinal()] = value;
states[property.ordinal()] = State.SYSTEMPROPERTY;
return;
}
value = SecuritySupport.readJAXPProperty(systemProperty);
if (value != null) {
values[property.ordinal()] = value;
states[property.ordinal()] = State.JAXPDOTPROPERTIES;
}
} catch (NumberFormatException e) {
//invalid setting ignored
}
}
}

31
jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java
View File

@ -68,6 +68,7 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
import com.sun.org.apache.xerces.internal.xpointer.XPointerHandler;
import com.sun.org.apache.xerces.internal.xpointer.XPointerProcessor;
import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import java.util.Objects;
/**
@ -231,13 +232,9 @@ public class XIncludeHandler
protected static final String PARSER_SETTINGS =
Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
/** property identifier: access external dtd. */
protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** access external dtd: file protocol
* For DOM/SAX, the secure feature is set to true by default
*/
final static String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
/** property identifier: XML security property manager. */
protected static final String XML_SECURITY_PROPERTY_MANAGER =
Constants.XML_SECURITY_PROPERTY_MANAGER;
/** Recognized features. */
private static final String[] RECOGNIZED_FEATURES =
@ -293,12 +290,7 @@ public class XIncludeHandler
protected XMLErrorReporter fErrorReporter;
protected XMLEntityResolver fEntityResolver;
protected SecurityManager fSecurityManager;
/**
* comma-delimited list of protocols that are allowed for the purpose
* of accessing external dtd or entity references
*/
protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
protected XMLSecurityPropertyManager fSecurityPropertyMgr;
// these are needed for text include processing
protected XIncludeTextReader fXInclude10TextReader;
@ -540,7 +532,8 @@ public class XIncludeHandler
fSecurityManager = null;
}
fAccessExternalDTD = (String)componentManager.getProperty(ACCESS_EXTERNAL_DTD);
fSecurityPropertyMgr = (XMLSecurityPropertyManager)
componentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER);
// Get buffer size.
try {
@ -687,11 +680,13 @@ public class XIncludeHandler
}
return;
}
if (propertyId.equals(ACCESS_EXTERNAL_DTD)) {
fAccessExternalDTD = (String)value;
if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) {
fSecurityPropertyMgr = (XMLSecurityPropertyManager)value;
if (fChildConfig != null) {
fChildConfig.setProperty(propertyId, value);
fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, value);
}
return;
}
@ -1652,7 +1647,7 @@ public class XIncludeHandler
if (fErrorReporter != null) fChildConfig.setProperty(ERROR_REPORTER, fErrorReporter);
if (fEntityResolver != null) fChildConfig.setProperty(ENTITY_RESOLVER, fEntityResolver);
fChildConfig.setProperty(SECURITY_MANAGER, fSecurityManager);
fChildConfig.setProperty(ACCESS_EXTERNAL_DTD, fAccessExternalDTD);
fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
fChildConfig.setProperty(BUFFER_SIZE, new Integer(fBufferSize));
// features must be copied to child configuration

14
jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java
View File

@ -140,12 +140,6 @@ public class XMLReaderManager {
// Try to carry on if we've got a parser that
// doesn't know about namespace prefixes.
}
try {
reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
} catch (SAXException se) {
System.err.println("Warning: " + reader.getClass().getName() + ": "
+ se.getMessage());
}
} catch (ParserConfigurationException ex) {
throw new SAXException(ex);
} catch (FactoryConfigurationError ex1) {
@ -162,6 +156,14 @@ public class XMLReaderManager {
}
}
try {
//reader is cached, but this property might have been reset
reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
} catch (SAXException se) {
System.err.println("Warning: " + reader.getClass().getName() + ": "
+ se.getMessage());
}
return reader;
}