8306632: Add a JDK Property for specifying DTD support

Reviewed-by: lancea, smarks
Joe Wang 2023-09-08 20:24:23 +00:00
parent a62c48b87e
commit dccf670492
71 changed files with 2225 additions and 1318 deletions


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -51,8 +51,6 @@ import org.xml.sax.ContentHandler;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
import org.xml.sax.Locator; import org.xml.sax.Locator;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader; import org.xml.sax.XMLReader;
import org.xml.sax.helpers.AttributesImpl; import org.xml.sax.helpers.AttributesImpl;
@ -62,7 +60,7 @@ import org.xml.sax.helpers.AttributesImpl;
* @author G. Todd Miller * @author G. Todd Miller
* @author Morten Jorgensen * @author Morten Jorgensen
* @author Erwin Bolwidt <ejb@klomp.org> * @author Erwin Bolwidt <ejb@klomp.org>
* @LastModified: Jan 2022 * @LastModified: July 2023
*/ */
public class Parser implements Constants, ContentHandler { public class Parser implements Constants, ContentHandler {
@ -469,64 +467,21 @@ public class Parser implements Constants, ContentHandler {
* @return The root of the abstract syntax tree * @return The root of the abstract syntax tree
*/ */
public SyntaxTreeNode parse(InputSource input) { public SyntaxTreeNode parse(InputSource input) {
try { final XMLReader reader = JdkXmlUtils.getXMLReader(
final XMLReader reader = JdkXmlUtils.getXMLReader(_overrideDefaultParser, (XMLSecurityManager)_xsltc.getProperty(JdkConstants.SECURITY_MANAGER),
_xsltc.isSecureProcessing()); _overrideDefaultParser,
_xsltc.isSecureProcessing(),
_xsltc.getFeature(JdkXmlFeatures.XmlFeature.USE_CATALOG),
(CatalogFeatures)_xsltc.getProperty(JdkXmlFeatures.CATALOG_FEATURES));
JdkXmlUtils.setXMLReaderPropertyIfSupport(reader, XMLConstants.ACCESS_EXTERNAL_DTD, JdkXmlUtils.setXMLReaderPropertyIfSupport(reader, XMLConstants.ACCESS_EXTERNAL_DTD,
_xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD), true); _xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD), true);
// try setting other JDK-impl properties, ignore if not supported
JdkXmlUtils.setXMLReaderPropertyIfSupport(reader, JdkConstants.CDATA_CHUNK_SIZE,
_xsltc.getProperty(JdkConstants.CDATA_CHUNK_SIZE), false);
boolean supportCatalog = true; return(parse(reader, input));
boolean useCatalog = _xsltc.getFeature(JdkXmlFeatures.XmlFeature.USE_CATALOG);
try {
reader.setFeature(JdkXmlUtils.USE_CATALOG, useCatalog);
}
catch (SAXNotRecognizedException | SAXNotSupportedException e) {
supportCatalog = false;
}
if (supportCatalog && useCatalog) {
try {
CatalogFeatures cf = (CatalogFeatures)_xsltc.getProperty(JdkXmlFeatures.CATALOG_FEATURES);
if (cf != null) {
for (CatalogFeatures.Feature f : CatalogFeatures.Feature.values()) {
reader.setProperty(f.getPropertyName(), cf.get(f));
}
}
} catch (SAXNotRecognizedException e) {
//shall not happen for internal settings
}
}
String lastProperty = "";
try {
XMLSecurityManager securityManager =
(XMLSecurityManager)_xsltc.getProperty(JdkConstants.SECURITY_MANAGER);
for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
if (limit.isSupported(XMLSecurityManager.Processor.PARSER)) {
lastProperty = limit.apiProperty();
reader.setProperty(lastProperty, securityManager.getLimitValueAsString(limit));
}
}
if (securityManager.printEntityCountInfo()) {
lastProperty = JdkConstants.JDK_DEBUG_LIMIT;
reader.setProperty(lastProperty, JdkConstants.JDK_YES);
}
} catch (SAXException se) {
XMLSecurityManager.printWarning(reader.getClass().getName(), lastProperty, se);
}
// try setting other JDK-impl properties, ignore if not supported
JdkXmlUtils.setXMLReaderPropertyIfSupport(reader, JdkConstants.CDATA_CHUNK_SIZE,
_xsltc.getProperty(JdkConstants.CDATA_CHUNK_SIZE), false);
return(parse(reader, input));
}
catch (SAXException e) {
reportError(ERROR, new ErrorMsg(e.getMessage()));
}
return null;
} }
public SyntaxTreeNode getDocumentRoot() { public SyntaxTreeNode getDocumentRoot() {
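Review bot: parse(InputSource) no longer shows what happens when the reader rejects a processing limit. The removed block called `XMLSecurityManager.printWarning(reader.getClass().getName(), lastProperty, se)` when `reader.setProperty` failed, and that reporting now depends entirely on `JdkXmlUtils.getXMLReader`, whose body is not in this section. With `_overrideDefaultParser` set, the reader may be a third-party implementation that does not recognise the JDK limit properties, so a silent skip would leave the stylesheet parser running without those limits. The `catch (SAXException e)` / `reportError` path is also gone, presumably because the helper throws no checked exception. I would record the delegation above the call, e.g. `// limits, catalog and DTD settings are applied by JdkXmlUtils.getXMLReader; rejected properties are reported there`, once that has been confirmed against the helper.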


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2011, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -42,6 +42,8 @@ import org.xml.sax.helpers.XMLFilterImpl;
* skeleton extension of XMLFilterImpl for now. * skeleton extension of XMLFilterImpl for now.
* @author Santiago Pericas-Geertsen * @author Santiago Pericas-Geertsen
* @author G. Todd Miller * @author G. Todd Miller
*
* @LastModified: July 2023
*/ */
@SuppressWarnings("deprecation") //org.xml.sax.helpers.XMLReaderFactory @SuppressWarnings("deprecation") //org.xml.sax.helpers.XMLReaderFactory
public class TrAXFilter extends XMLFilterImpl { public class TrAXFilter extends XMLFilterImpl {
@ -64,8 +66,11 @@ public class TrAXFilter extends XMLFilterImpl {
} }
private void createParent() throws SAXException { private void createParent() throws SAXException {
XMLReader parent = JdkXmlUtils.getXMLReader(_overrideDefaultParser, XMLReader parent = JdkXmlUtils.getXMLReader(_transformer._securityManager,
_transformer.isSecureProcessing()); _overrideDefaultParser,
_transformer.isSecureProcessing(),
_transformer._useCatalog,
_transformer._catalogFeatures);
// make this XMLReader the parent of this filter // make this XMLReader the parent of this filter
setParent(parent); setParent(parent);
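Review bot: `_transformer._catalogFeatures` may be null when createParent() passes it to `JdkXmlUtils.getXMLReader`. In the TransformerImpl lines visible in this commit the field is assigned only inside `if (_useCatalog)`, so this call relies on the helper ignoring the catalog argument when `_transformer._useCatalog` is false. The helper is not shown here, so that is an assumption. A comment above the call, `// _catalogFeatures may be null when _useCatalog is false; getXMLReader must tolerate that`, would make the contract explicit. The same question applies to `_transformer._securityManager` if a transformer can exist without one.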


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2007, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -20,8 +20,6 @@
package com.sun.org.apache.xalan.internal.xsltc.trax; package com.sun.org.apache.xalan.internal.xsltc.trax;
import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.XMLSecurityManager;
import com.sun.org.apache.xalan.internal.utils.FeaturePropertyBase; import com.sun.org.apache.xalan.internal.utils.FeaturePropertyBase;
import com.sun.org.apache.xalan.internal.utils.ObjectFactory; import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property; import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property;
@ -71,6 +69,7 @@ import javax.xml.transform.sax.TransformerHandler;
import javax.xml.transform.stax.*; import javax.xml.transform.stax.*;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource; import javax.xml.transform.stream.StreamSource;
import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.JdkXmlFeatures; import jdk.xml.internal.JdkXmlFeatures;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
@ -78,6 +77,7 @@ import jdk.xml.internal.JdkProperty.ImplPropMap;
import jdk.xml.internal.JdkProperty.State; import jdk.xml.internal.JdkProperty.State;
import jdk.xml.internal.SecuritySupport; import jdk.xml.internal.SecuritySupport;
import jdk.xml.internal.TransformErrorListener; import jdk.xml.internal.TransformErrorListener;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import org.xml.sax.XMLFilter; import org.xml.sax.XMLFilter;
@ -88,7 +88,7 @@ import org.xml.sax.XMLReader;
* @author G. Todd Miller * @author G. Todd Miller
* @author Morten Jorgensen * @author Morten Jorgensen
* @author Santiago Pericas-Geertsen * @author Santiago Pericas-Geertsen
* @LastModified: Jan 2022 * @LastModified: July 2023
*/ */
public class TransformerFactoryImpl public class TransformerFactoryImpl
extends SAXTransformerFactory implements SourceLoader extends SAXTransformerFactory implements SourceLoader
@ -503,19 +503,19 @@ public class TransformerFactoryImpl
} }
} else if (JdkXmlUtils.CATALOG_FILES.equals(name)) { } else if (JdkXmlUtils.CATALOG_FILES.equals(name)) {
_catalogFiles = (String) value; _catalogFiles = (String) value;
cfBuilder = CatalogFeatures.builder().with(Feature.FILES, _catalogFiles); cfBuilder = cfBuilder.with(Feature.FILES, _catalogFiles);
return; return;
} else if (JdkXmlUtils.CATALOG_DEFER.equals(name)) { } else if (JdkXmlUtils.CATALOG_DEFER.equals(name)) {
_catalogDefer = (String) value; _catalogDefer = (String) value;
cfBuilder = CatalogFeatures.builder().with(Feature.DEFER, _catalogDefer); cfBuilder = cfBuilder.with(Feature.DEFER, _catalogDefer);
return; return;
} else if (JdkXmlUtils.CATALOG_PREFER.equals(name)) { } else if (JdkXmlUtils.CATALOG_PREFER.equals(name)) {
_catalogPrefer = (String) value; _catalogPrefer = (String) value;
cfBuilder = CatalogFeatures.builder().with(Feature.PREFER, _catalogPrefer); cfBuilder = cfBuilder.with(Feature.PREFER, _catalogPrefer);
return; return;
} else if (JdkXmlUtils.CATALOG_RESOLVE.equals(name)) { } else if (JdkXmlUtils.CATALOG_RESOLVE.equals(name)) {
_catalogResolve = (String) value; _catalogResolve = (String) value;
cfBuilder = CatalogFeatures.builder().with(Feature.RESOLVE, _catalogResolve); cfBuilder = cfBuilder.with(Feature.RESOLVE, _catalogResolve);
return; return;
} else if (ImplPropMap.CDATACHUNKSIZE.is(name)) { } else if (ImplPropMap.CDATACHUNKSIZE.is(name)) {
_cdataChunkSize = JdkXmlUtils.getValue(value, _cdataChunkSize); _cdataChunkSize = JdkXmlUtils.getValue(value, _cdataChunkSize);
@ -765,8 +765,11 @@ public class TransformerFactoryImpl
baseId = isource.getSystemId(); baseId = isource.getSystemId();
if (reader == null) { if (reader == null) {
reader = JdkXmlUtils.getXMLReader(_overrideDefaultParser, reader = JdkXmlUtils.getXMLReader(_xmlSecurityManager,
!_isNotSecureProcessing); _overrideDefaultParser,
!_isNotSecureProcessing,
_xmlFeatures.getFeature(JdkXmlFeatures.XmlFeature.USE_CATALOG),
_catalogFeatures);
} }
_stylesheetPIHandler.setBaseId(baseId); _stylesheetPIHandler.setBaseId(baseId);
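Review bot: The four catalog branches now chain on the field (`cfBuilder = cfBuilder.with(Feature.FILES, _catalogFiles);`), which stops each attribute from discarding the previous ones. This assumes `cfBuilder` is non-null before the first setAttribute call, and its initialisation is outside these hunks. A comment at the first branch, `// accumulate on the shared builder; CatalogFeatures.builder() here would drop earlier catalog attributes`, would keep a later edit from reintroducing the reset. In the hunk at line 765, `_catalogFeatures` is passed to `getXMLReader`, and it is not visible whether that field is rebuilt from `cfBuilder` after every setAttribute, so it is worth confirming that the reader sees the latest values. The enclosing methods start and end outside the hunks.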


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2007, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -82,7 +82,6 @@ import javax.xml.transform.stax.StAXSource;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource; import javax.xml.transform.stream.StreamSource;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import static jdk.xml.internal.JdkConstants.SP_XSLTC_IS_STANDALONE;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.JdkXmlFeatures; import jdk.xml.internal.JdkXmlFeatures;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
@ -101,7 +100,7 @@ import org.xml.sax.ext.LexicalHandler;
* @author Morten Jorgensen * @author Morten Jorgensen
* @author G. Todd Miller * @author G. Todd Miller
* @author Santiago Pericas-Geertsen * @author Santiago Pericas-Geertsen
* @LastModified: Jan 2022 * @LastModified: July 2023
*/ */
public final class TransformerImpl extends Transformer public final class TransformerImpl extends Transformer
implements DOMCache implements DOMCache
@ -219,7 +218,7 @@ public final class TransformerImpl extends Transformer
*/ */
private String _accessExternalDTD = JdkConstants.EXTERNAL_ACCESS_DEFAULT; private String _accessExternalDTD = JdkConstants.EXTERNAL_ACCESS_DEFAULT;
private XMLSecurityManager _securityManager; protected XMLSecurityManager _securityManager;
/** /**
* A map to store parameters for the identity transform. These * A map to store parameters for the identity transform. These
* are not needed during the transformation, but we must keep track of * are not needed during the transformation, but we must keep track of
@ -307,7 +306,7 @@ public final class TransformerImpl extends Transformer
_useCatalog = _tfactory.getFeature(XMLConstants.USE_CATALOG); _useCatalog = _tfactory.getFeature(XMLConstants.USE_CATALOG);
if (_useCatalog) { if (_useCatalog) {
_catalogFeatures = (CatalogFeatures)_tfactory.getAttribute(JdkXmlFeatures.CATALOG_FEATURES); _catalogFeatures = (CatalogFeatures)_tfactory.getAttribute(JdkXmlFeatures.CATALOG_FEATURES);
String catalogFiles = _catalogFeatures.get(CatalogFeatures.Feature.DEFER); String catalogFiles = _catalogFeatures.get(CatalogFeatures.Feature.FILES);
if (catalogFiles != null) { if (catalogFiles != null) {
_readerManager.setFeature(XMLConstants.USE_CATALOG, _useCatalog); _readerManager.setFeature(XMLConstants.USE_CATALOG, _useCatalog);
_readerManager.setProperty(JdkXmlFeatures.CATALOG_FEATURES, _catalogFeatures); _readerManager.setProperty(JdkXmlFeatures.CATALOG_FEATURES, _catalogFeatures);
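Review bot: `protected XMLSecurityManager _securityManager;` sits in a class declared `public final`, so `protected` grants nothing beyond package access and reads as if subclass use were intended. The field holds the processing limits and is mutable, and widening it lets any class in the package replace it. TrAXFilter.createParent() in this commit reads it, presumably from the same package. I would either keep it private and add a package-private getter, or declare it without a modifier and say why: `XMLSecurityManager _securityManager; // package-private: read by TrAXFilter.createParent()`.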


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2016, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -41,7 +41,6 @@ import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.XMLSecurityManager; import jdk.xml.internal.XMLSecurityManager;
import org.w3c.dom.Document; import org.w3c.dom.Document;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException; import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException; import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader; import org.xml.sax.XMLReader;
@ -51,7 +50,7 @@ import org.xml.sax.XMLReader;
* *
* Added Catalog Support for URI resolution * Added Catalog Support for URI resolution
* *
* @LastModified: Jan 2022 * @LastModified: July 2023
*/ */
@SuppressWarnings("deprecation") //org.xml.sax.helpers.XMLReaderFactory @SuppressWarnings("deprecation") //org.xml.sax.helpers.XMLReaderFactory
public final class Util { public final class Util {
@ -91,8 +90,12 @@ public final class Util {
if (reader == null) { if (reader == null) {
boolean overrideDefaultParser = xsltc.getFeature( boolean overrideDefaultParser = xsltc.getFeature(
JdkXmlFeatures.XmlFeature.JDK_OVERRIDE_PARSER); JdkXmlFeatures.XmlFeature.JDK_OVERRIDE_PARSER);
reader = JdkXmlUtils.getXMLReader(overrideDefaultParser, reader = JdkXmlUtils.getXMLReader(
xsltc.isSecureProcessing()); (XMLSecurityManager)xsltc.getProperty(JdkConstants.SECURITY_MANAGER),
overrideDefaultParser,
xsltc.isSecureProcessing(),
xsltc.getFeature(JdkXmlFeatures.XmlFeature.USE_CATALOG),
(CatalogFeatures)xsltc.getProperty(JdkXmlFeatures.CATALOG_FEATURES));
} else { } else {
// compatibility for legacy applications // compatibility for legacy applications
reader.setFeature reader.setFeature
@ -107,27 +110,6 @@ public final class Util {
JdkXmlUtils.setXMLReaderPropertyIfSupport(reader, JdkConstants.CDATA_CHUNK_SIZE, JdkXmlUtils.setXMLReaderPropertyIfSupport(reader, JdkConstants.CDATA_CHUNK_SIZE,
xsltc.getProperty(JdkConstants.CDATA_CHUNK_SIZE), false); xsltc.getProperty(JdkConstants.CDATA_CHUNK_SIZE), false);
String lastProperty = "";
try {
XMLSecurityManager securityManager =
(XMLSecurityManager)xsltc.getProperty(JdkConstants.SECURITY_MANAGER);
if (securityManager != null) {
for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
if (limit.isSupported(XMLSecurityManager.Processor.PARSER)) {
lastProperty = limit.apiProperty();
reader.setProperty(lastProperty,
securityManager.getLimitValueAsString(limit));
}
}
if (securityManager.printEntityCountInfo()) {
lastProperty = JdkConstants.JDK_DEBUG_LIMIT;
reader.setProperty(lastProperty, JdkConstants.JDK_YES);
}
}
} catch (SAXException se) {
XMLSecurityManager.printWarning(reader.getClass().getName(), lastProperty, se);
}
boolean supportCatalog = true; boolean supportCatalog = true;
boolean useCatalog = xsltc.getFeature(JdkXmlFeatures.XmlFeature.USE_CATALOG); boolean useCatalog = xsltc.getFeature(JdkXmlFeatures.XmlFeature.USE_CATALOG);
try { try {
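Review bot: A caller-supplied reader no longer receives the XSLTC processing limits in this method. The removed block ran after the `if (reader == null) … else …` and set every `XMLSecurityManager.Limit` on `reader` whichever branch was taken. The security manager is now passed only to `JdkXmlUtils.getXMLReader` in the `reader == null` branch, so the `else` branch sets just the two namespace features. Unless the limits are applied to supplied readers somewhere outside this hunk, that is a behaviour change for input arriving with its own XMLReader, and it removes the `printWarning` that used to flag a reader that rejected a limit. If the change is intended, say so in the `else` branch, e.g. `// caller-supplied reader: JDK processing limits are not applied here`. Otherwise keep applying the limits to supplied readers. The enclosing method starts and ends outside the hunk.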


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -32,7 +32,6 @@ import com.sun.org.apache.xerces.internal.util.MessageFormatter;
import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings; import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
import com.sun.org.apache.xerces.internal.util.PropertyState; import com.sun.org.apache.xerces.internal.util.PropertyState;
import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler; import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler; import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
@ -56,6 +55,7 @@ import javax.xml.XMLConstants;
import javax.xml.catalog.CatalogFeatures; import javax.xml.catalog.CatalogFeatures;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.XMLSecurityManager;
import org.w3c.dom.DOMConfiguration; import org.w3c.dom.DOMConfiguration;
import org.w3c.dom.DOMErrorHandler; import org.w3c.dom.DOMErrorHandler;
import org.w3c.dom.DOMException; import org.w3c.dom.DOMException;
@ -71,7 +71,7 @@ import org.w3c.dom.ls.LSResourceResolver;
* *
* @author Elena Litani, IBM * @author Elena Litani, IBM
* @author Neeraj Bajaj, Sun Microsystems. * @author Neeraj Bajaj, Sun Microsystems.
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
public class DOMConfigurationImpl extends ParserConfigurationSettings public class DOMConfigurationImpl extends ParserConfigurationSettings
implements XMLParserConfiguration, DOMConfiguration { implements XMLParserConfiguration, DOMConfiguration {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -24,7 +24,6 @@
*/ */
package com.sun.org.apache.xerces.internal.impl; package com.sun.org.apache.xerces.internal.impl;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.xml.internal.stream.StaxEntityResolverWrapper; import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
import java.util.HashMap; import java.util.HashMap;
@ -36,6 +35,7 @@ import javax.xml.stream.XMLResolver;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.XMLSecurityManager;
/** /**
* This class manages the properties for the Stax specification and its * This class manages the properties for the Stax specification and its
@ -45,6 +45,8 @@ import jdk.xml.internal.JdkXmlUtils;
* @author Neeraj Bajaj * @author Neeraj Bajaj
* @author K Venugopal * @author K Venugopal
* @author Sunitha Reddy * @author Sunitha Reddy
*
* @LastModified: July 2023
*/ */
public class PropertyManager { public class PropertyManager {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
@ -27,10 +27,10 @@ import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
import com.sun.org.apache.xerces.internal.util.XML11Char; import com.sun.org.apache.xerces.internal.util.XML11Char;
import com.sun.org.apache.xerces.internal.util.XMLChar; import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLStringBuffer; import com.sun.org.apache.xerces.internal.util.XMLStringBuffer;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
import com.sun.org.apache.xerces.internal.xni.QName; import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xni.XMLString; import com.sun.org.apache.xerces.internal.xni.XMLString;
import java.io.IOException; import java.io.IOException;
import jdk.xml.internal.XMLSecurityManager.Limit;
/** /**
* Implements the entity scanner methods in * Implements the entity scanner methods in
@ -41,7 +41,7 @@ import java.io.IOException;
* @author Michael Glavassevich, IBM * @author Michael Glavassevich, IBM
* @author Neil Graham, IBM * @author Neil Graham, IBM
* *
* @LastModified: Aug 2021 * @LastModified: July 2023
*/ */
public class XML11EntityScanner public class XML11EntityScanner


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -27,7 +27,6 @@ import com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDValidatorFilter;
import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter; import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl; import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext; import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName; import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler; import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@ -36,6 +35,7 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException; import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource; import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource;
import javax.xml.stream.events.XMLEvent; import javax.xml.stream.events.XMLEvent;
import jdk.xml.internal.XMLSecurityManager;
/** /**
@ -70,7 +70,7 @@ import javax.xml.stream.events.XMLEvent;
* @author Michael Glavassevich, IBM * @author Michael Glavassevich, IBM
* @author Sunitha Reddy, Sun Microsystems * @author Sunitha Reddy, Sun Microsystems
* *
* @LastModified: Nov 2022 * @LastModified: July 2023
*/ */
public class XML11NSDocumentScannerImpl extends XML11DocumentScannerImpl { public class XML11NSDocumentScannerImpl extends XML11DocumentScannerImpl {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -25,8 +25,6 @@ import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl; import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
import com.sun.org.apache.xerces.internal.util.XMLChar; import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLStringBuffer; import com.sun.org.apache.xerces.internal.util.XMLStringBuffer;
import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler; import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler; import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier; import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
@ -41,6 +39,8 @@ import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.xml.internal.stream.dtd.nonvalidating.DTDGrammar; import com.sun.xml.internal.stream.dtd.nonvalidating.DTDGrammar;
import java.io.EOFException; import java.io.EOFException;
import java.io.IOException; import java.io.IOException;
import jdk.xml.internal.XMLLimitAnalyzer;
import jdk.xml.internal.XMLSecurityManager;
/** /**
* This class is responsible for scanning the declarations found * This class is responsible for scanning the declarations found
@ -63,7 +63,7 @@ import java.io.IOException;
* @author Glenn Marcy, IBM * @author Glenn Marcy, IBM
* @author Eric Ye, IBM * @author Eric Ye, IBM
* *
* @LastModified: Feb 2020 * @LastModified: July 2023
*/ */
public class XMLDTDScannerImpl public class XMLDTDScannerImpl
extends XMLScanner extends XMLScanner
@ -388,6 +388,7 @@ implements XMLDTDScanner, XMLComponent, XMLEntityHandler {
return false; return false;
fStringBuffer.clear(); fStringBuffer.clear();
fEntityScanner = fEntityManager.getEntityScanner();
while (fEntityScanner.scanData("]", fStringBuffer, 0)) { while (fEntityScanner.scanData("]", fStringBuffer, 0)) {
int c = fEntityScanner.peekChar(); int c = fEntityScanner.peekChar();
if (c != -1) { if (c != -1) {
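Review bot: The added `fEntityScanner = fEntityManager.getEntityScanner();` before the `scanData("]", …)` loop has no comment saying why the cached scanner must be refreshed at this point. Without one, the line looks redundant and is easy to remove in a later cleanup. If the reason is that the entity manager's current scanner can change between the earlier assignment and this loop, state that: `// re-fetch: the entity manager may have switched scanners since fEntityScanner was last set`. The enclosing method starts and ends outside the hunk, so the earlier assignment is not visible here.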


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
@ -28,8 +28,6 @@ import com.sun.org.apache.xerces.internal.util.XMLAttributesIteratorImpl;
import com.sun.org.apache.xerces.internal.util.XMLChar; import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLStringBuffer; import com.sun.org.apache.xerces.internal.util.XMLStringBuffer;
import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.QName; import com.sun.org.apache.xerces.internal.xni.QName;
@ -56,6 +54,8 @@ import javax.xml.stream.events.XMLEvent;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.SecuritySupport; import jdk.xml.internal.SecuritySupport;
import jdk.xml.internal.XMLSecurityManager;
import jdk.xml.internal.XMLSecurityManager.Limit;
/** /**
* *
@ -74,7 +74,7 @@ import jdk.xml.internal.SecuritySupport;
* @author Eric Ye, IBM * @author Eric Ye, IBM
* @author Sunitha Reddy, SUN Microsystems * @author Sunitha Reddy, SUN Microsystems
* *
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
public class XMLDocumentFragmentScannerImpl public class XMLDocumentFragmentScannerImpl
extends XMLScanner extends XMLScanner
@ -326,6 +326,8 @@ public class XMLDocumentFragmentScannerImpl
protected String fDeclaredEncoding = null; protected String fDeclaredEncoding = null;
/** Xerces Feature: Disallow doctype declaration. */ /** Xerces Feature: Disallow doctype declaration. */
protected boolean fDisallowDoctype = false; protected boolean fDisallowDoctype = false;
// DTD Error Code
protected String fDTDErrorCode = null;
/** Create entity reference nodes. */ /** Create entity reference nodes. */
protected boolean fCreateEntityRefNodes = false; protected boolean fCreateEntityRefNodes = false;
@ -792,7 +794,7 @@ public class XMLDocumentFragmentScannerImpl
} }
// Xerces properties // Xerces properties
if (propertyId.startsWith(Constants.XERCES_PROPERTY_PREFIX)) { if (propertyId.startsWith(Constants.XERCES_PROPERTY_PREFIX)) {
String property = propertyId.substring(Constants.XERCES_PROPERTY_PREFIX.length()); String property = propertyId.substring(Constants.XERCES_PROPERTY_PREFIX.length());
if (property.equals(Constants.ENTITY_MANAGER_PROPERTY)) { if (property.equals(Constants.ENTITY_MANAGER_PROPERTY)) {
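Review bot: The new field `protected String fDTDErrorCode = null;` is documented only by `// DTD Error Code`, which restates the name, while the neighbouring fields use `/** … */` comments. Because the field is protected and mutable in a non-final class, a reader needs to know which values it may hold, what `null` means, and which method assigns it. None of that is visible in this section. I would replace the line comment with a Javadoc comment in the style of `fDisallowDoctype`, such as `/** Message key reported when a DOCTYPE declaration is rejected; null when <condition>. */`, with the condition filled in from the code that sets it.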


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
@ -43,9 +43,11 @@ import com.sun.xml.internal.stream.dtd.DTDGrammarUtil;
import java.io.CharConversionException; import java.io.CharConversionException;
import java.io.EOFException; import java.io.EOFException;
import java.io.IOException; import java.io.IOException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.events.XMLEvent; import javax.xml.stream.events.XMLEvent;
import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty.State;
import jdk.xml.internal.SecuritySupport; import jdk.xml.internal.SecuritySupport;
import jdk.xml.internal.XMLSecurityManager.Limit;
/** /**
@ -67,7 +69,7 @@ import jdk.xml.internal.SecuritySupport;
* Refer to the table in unit-test javax.xml.stream.XMLStreamReaderTest.SupportDTD for changes * Refer to the table in unit-test javax.xml.stream.XMLStreamReaderTest.SupportDTD for changes
* related to property SupportDTD. * related to property SupportDTD.
* @author Joe Wang, Sun Microsystems * @author Joe Wang, Sun Microsystems
* @LastModified: Sep 2017 * @LastModified: July 2023
*/ */
public class XMLDocumentScannerImpl public class XMLDocumentScannerImpl
extends XMLDocumentFragmentScannerImpl{ extends XMLDocumentFragmentScannerImpl{
@ -258,16 +260,11 @@ public class XMLDocumentScannerImpl
setScannerState(XMLEvent.START_DOCUMENT); setScannerState(XMLEvent.START_DOCUMENT);
} // setInputSource(XMLInputSource) } // setInputSource(XMLInputSource)
/**return the state of the scanner */ /**return the state of the scanner */
public int getScannetState(){ public int getScannetState(){
return fScannerState ; return fScannerState ;
} }
public void reset(PropertyManager propertyManager) { public void reset(PropertyManager propertyManager) {
super.reset(propertyManager); super.reset(propertyManager);
// other settings // other settings
@ -276,10 +273,14 @@ public class XMLDocumentScannerImpl
fDoctypeSystemId = null; fDoctypeSystemId = null;
fSeenDoctypeDecl = false; fSeenDoctypeDecl = false;
fNamespaceContext.reset(); fNamespaceContext.reset();
fSupportDTD = ((Boolean)propertyManager.getProperty(XMLInputFactory.SUPPORT_DTD)).booleanValue();
// Check the DTD setting
checkDTDSetting();
// xerces features // xerces features
fLoadExternalDTD = !((Boolean)propertyManager.getProperty(Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD)).booleanValue(); fLoadExternalDTD = !((Boolean)propertyManager.getProperty(
Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD));
setScannerState(XMLEvent.START_DOCUMENT); setScannerState(XMLEvent.START_DOCUMENT);
setDriver(fXMLDeclDriver); setDriver(fXMLDeclDriver);
fSeenInternalSubset = false; fSeenInternalSubset = false;
@ -320,9 +321,11 @@ public class XMLDocumentScannerImpl
fSeenDoctypeDecl = false; fSeenDoctypeDecl = false;
fExternalSubsetSource = null; fExternalSubsetSource = null;
// Check the DTD setting
checkDTDSetting();
// xerces features // xerces features
fLoadExternalDTD = componentManager.getFeature(LOAD_EXTERNAL_DTD, true); fLoadExternalDTD = componentManager.getFeature(LOAD_EXTERNAL_DTD, true);
fDisallowDoctype = componentManager.getFeature(DISALLOW_DOCTYPE_DECL_FEATURE, false);
fNamespaces = componentManager.getFeature(NAMESPACES, true); fNamespaces = componentManager.getFeature(NAMESPACES, true);
@ -355,6 +358,26 @@ public class XMLDocumentScannerImpl
} // reset(XMLComponentManager) } // reset(XMLComponentManager)
/**
* Checks the DTD settings. Uses the JDK property {@code jdk.xml.dtd.support}
* in all cases except:
* if the Xerces property is set
* if the StAX property is set
*/
private void checkDTDSetting() {
fDisallowDoctype = fSecurityManager.is(Limit.DTD, JdkConstants.DENY);
fSupportDTD = !fSecurityManager.is(Limit.DTD, JdkConstants.IGNORE);
fDTDErrorCode = "JDK_DTD_DENY";
if (fSecurityManager.getState(Limit.XERCES_DISALLOW_DTD) == State.APIPROPERTY
|| fSecurityManager.getState(Limit.XERCES_DISALLOW_DTD) == State.LEGACY_APIPROPERTY) {
fDisallowDoctype = fSecurityManager.is(Limit.XERCES_DISALLOW_DTD);
fDTDErrorCode = "DoctypeNotAllowed";
} else if (fSecurityManager.getState(Limit.STAX_SUPPORT_DTD) == State.APIPROPERTY
|| fSecurityManager.getState(Limit.STAX_SUPPORT_DTD) == State.LEGACY_APIPROPERTY) {
fSupportDTD = fSecurityManager.is(Limit.STAX_SUPPORT_DTD);
}
}
/** /**
* Returns a list of feature identifiers that are recognized by * Returns a list of feature identifiers that are recognized by
@ -895,7 +918,7 @@ public class XMLDocumentScannerImpl
case SCANNER_STATE_DOCTYPE: { case SCANNER_STATE_DOCTYPE: {
if (fDisallowDoctype) { if (fDisallowDoctype) {
reportFatalError("DoctypeNotAllowed", null); reportFatalError(fDTDErrorCode, null);
} }
if (fSeenDoctypeDecl) { if (fSeenDoctypeDecl) {
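Review bot: In `checkDTDSetting()` the StAX branch is an `else if` of the Xerces branch, so when `Limit.XERCES_DISALLOW_DTD` is in an API-set state, a StAX supportDTD value that was also set through the API is not applied and `fSupportDTD` keeps the value derived from `jdk.xml.dtd.support`. The two branches assign different fields, and `XMLEntityManager.checkSupportDTD()` in this commit applies the StAX property without that condition, so the scanner and the entity manager could hold different `fSupportDTD` values if both properties can be set on one security manager (not visible here). Either test the two properties independently (close the first block and start a plain `if` for `Limit.STAX_SUPPORT_DTD`) or state in the Javadoc that the Xerces property takes precedence and why. The Javadoc should also say that an API-set `Limit.XERCES_DISALLOW_DTD` value replaces a `deny` that came from the JDK property, since that assignment decides whether a DOCTYPE is rejected.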


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2009, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2009, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -28,8 +28,6 @@ import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager; import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
import com.sun.org.apache.xerces.internal.util.*; import com.sun.org.apache.xerces.internal.util.*;
import com.sun.org.apache.xerces.internal.util.URI; import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier; import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
@ -59,8 +57,12 @@ import javax.xml.catalog.CatalogResolver;
import javax.xml.stream.XMLInputFactory; import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.Source; import javax.xml.transform.Source;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.SecuritySupport; import jdk.xml.internal.SecuritySupport;
import jdk.xml.internal.XMLLimitAnalyzer;
import jdk.xml.internal.XMLSecurityManager;
import jdk.xml.internal.XMLSecurityManager.Limit;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
@ -91,7 +93,7 @@ import org.xml.sax.InputSource;
* @author K.Venugopal SUN Microsystems * @author K.Venugopal SUN Microsystems
* @author Neeraj Bajaj SUN Microsystems * @author Neeraj Bajaj SUN Microsystems
* @author Sunitha Reddy SUN Microsystems * @author Sunitha Reddy SUN Microsystems
* @LastModified: Aug 2021 * @LastModified: July 2023
*/ */
public class XMLEntityManager implements XMLComponent, XMLEntityResolver { public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
@ -1544,7 +1546,6 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
fStaxEntityResolver = null; fStaxEntityResolver = null;
} }
fSupportDTD = ((Boolean)propertyManager.getProperty(XMLInputFactory.SUPPORT_DTD));
fReplaceEntityReferences = ((Boolean)propertyManager.getProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES)); fReplaceEntityReferences = ((Boolean)propertyManager.getProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES));
fSupportExternalEntities = ((Boolean)propertyManager.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES)); fSupportExternalEntities = ((Boolean)propertyManager.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
@ -1563,6 +1564,7 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(SECURITY_MANAGER); fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(SECURITY_MANAGER);
checkSupportDTD();
fLimitAnalyzer = new XMLLimitAnalyzer(); fLimitAnalyzer = new XMLLimitAnalyzer();
//reset fEntityStorage //reset fEntityStorage
@ -1633,7 +1635,7 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
entityExpansionIndex = fSecurityManager.getIndex(JdkConstants.SP_ENTITY_EXPANSION_LIMIT); entityExpansionIndex = fSecurityManager.getIndex(JdkConstants.SP_ENTITY_EXPANSION_LIMIT);
//StAX Property //StAX Property
fSupportDTD = true; checkSupportDTD();
fReplaceEntityReferences = true; fReplaceEntityReferences = true;
fSupportExternalEntities = true; fSupportExternalEntities = true;
@ -1659,6 +1661,20 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
} // reset(XMLComponentManager) } // reset(XMLComponentManager)
/**
* Checks the supportDTD setting. Use the StAX supportDTD property if it is
* set, otherwise the jdk.xml.dtd.support. Refer to the module-summary for
* more details.
*/
private void checkSupportDTD() {
// SupportDTD set the DTD property, so no longer read from propertyManager
fSupportDTD = !fSecurityManager.is(Limit.DTD, JdkConstants.IGNORE);
if (fSecurityManager.getState(Limit.STAX_SUPPORT_DTD) == JdkProperty.State.APIPROPERTY
|| fSecurityManager.getState(Limit.STAX_SUPPORT_DTD) == JdkProperty.State.LEGACY_APIPROPERTY) {
fSupportDTD = fSecurityManager.is(Limit.STAX_SUPPORT_DTD);
}
}
// reset general state. Should not be called other than by // reset general state. Should not be called other than by
// a class acting as a component manager but not // a class acting as a component manager but not
// implementing that interface for whatever reason. // implementing that interface for whatever reason.
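Review bot: The inline comment in `checkSupportDTD()`, "SupportDTD set the DTD property, so no longer read from propertyManager", is hard to parse and does not say where the StAX value is now kept. Something like `// supportDTD is tracked by the security manager (Limit.STAX_SUPPORT_DTD); it is no longer read from propertyManager` would match what the method reads. The method also needs `fSecurityManager` to be assigned before it runs; in `reset(PropertyManager)` it is called directly after the cast of `propertyManager.getProperty(SECURITY_MANAGER)`, so the Javadoc could state that precondition. Both `reset` methods start outside the hunks shown.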


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
@ -32,9 +32,6 @@ import com.sun.org.apache.xerces.internal.util.EncodingMap;
import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLChar; import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLStringBuffer; import com.sun.org.apache.xerces.internal.util.XMLStringBuffer;
import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
import com.sun.org.apache.xerces.internal.xni.*; import com.sun.org.apache.xerces.internal.xni.*;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException; import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
@ -48,6 +45,9 @@ import java.io.InputStreamReader;
import java.io.Reader; import java.io.Reader;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Locale; import java.util.Locale;
import jdk.xml.internal.XMLLimitAnalyzer;
import jdk.xml.internal.XMLSecurityManager;
import jdk.xml.internal.XMLSecurityManager.Limit;
/** /**
* Implements the entity scanner methods. * Implements the entity scanner methods.
@ -57,7 +57,7 @@ import java.util.Locale;
* @author Arnaud Le Hors, IBM * @author Arnaud Le Hors, IBM
* @author K.Venugopal Sun Microsystems * @author K.Venugopal Sun Microsystems
* *
* @LastModified: Mar 2022 * @LastModified: July 2023
*/ */
public class XMLEntityScanner implements XMLLocator { public class XMLEntityScanner implements XMLLocator {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -34,9 +34,8 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException; import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler; import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource; import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import javax.xml.stream.events.XMLEvent; import javax.xml.stream.events.XMLEvent;
import jdk.xml.internal.XMLSecurityManager;
/** /**
* This class adds the functionality of namespace processing. * This class adds the functionality of namespace processing.
@ -55,7 +54,7 @@ import javax.xml.stream.events.XMLEvent;
* @author Venugopal Rao K, Sun Microsystems * @author Venugopal Rao K, Sun Microsystems
* @author Elena Litani, IBM * @author Elena Litani, IBM
* *
* @LastModified: Nov 2022 * @LastModified: July 2023
*/ */
public class XMLNSDocumentScannerImpl public class XMLNSDocumentScannerImpl
extends XMLDocumentScannerImpl { extends XMLDocumentScannerImpl {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -30,8 +30,6 @@ import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLChar; import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl; import com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl;
import com.sun.org.apache.xerces.internal.util.XMLStringBuffer; import com.sun.org.apache.xerces.internal.util.XMLStringBuffer;
import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.XMLAttributes; import com.sun.org.apache.xerces.internal.xni.XMLAttributes;
import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier; import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
@ -41,6 +39,8 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException; import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
import com.sun.xml.internal.stream.Entity; import com.sun.xml.internal.stream.Entity;
import jdk.xml.internal.XMLLimitAnalyzer;
import jdk.xml.internal.XMLSecurityManager;
//import com.sun.xml.stream.XMLEntityManager; //import com.sun.xml.stream.XMLEntityManager;
//import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter; //import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
@ -67,7 +67,7 @@ import com.sun.xml.internal.stream.Entity;
* @author Eric Ye, IBM * @author Eric Ye, IBM
* @author K.Venugopal SUN Microsystems * @author K.Venugopal SUN Microsystems
* @author Sunitha Reddy, SUN Microsystems * @author Sunitha Reddy, SUN Microsystems
* @LastModified: Aug 2021 * @LastModified: July 2023
*/ */
public abstract class XMLScanner public abstract class XMLScanner
implements XMLComponent { implements XMLComponent {


@ -1,4 +1,7 @@
# #
# Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
#
#
# Licensed to the Apache Software Foundation (ASF) under one or more # Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with # contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership. # this work for additional information regarding copyright ownership.
@ -323,3 +326,8 @@
# Catalog 09 # Catalog 09
# Technical term, do not translate: catalog # Technical term, do not translate: catalog
CatalogException=JAXP00090001: The CatalogResolver is enabled with the catalog \"{0}\", but a CatalogException is returned. CatalogException=JAXP00090001: The CatalogResolver is enabled with the catalog \"{0}\", but a CatalogException is returned.
# Implementation Property DTD
JDK_DTD_DENY = JAXP00010008: DOCTYPE is disallowed when the DTD property is set to deny. \
Refer to: property jdk.xml.dtd.support in java.xml/module-summary.


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2011, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2011, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -41,7 +41,6 @@ import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException; import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.QName; import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.XNIException;
@ -76,7 +75,7 @@ import java.util.StringTokenizer;
import java.util.WeakHashMap; import java.util.WeakHashMap;
import javax.xml.XMLConstants; import javax.xml.XMLConstants;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkXmlFeatures; import jdk.xml.internal.XMLSecurityManager;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.SecuritySupport; import jdk.xml.internal.SecuritySupport;
import org.w3c.dom.DOMConfiguration; import org.w3c.dom.DOMConfiguration;
@ -103,7 +102,7 @@ import org.xml.sax.InputSource;
* @xerces.internal * @xerces.internal
* *
* @author Neil Graham, IBM * @author Neil Graham, IBM
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
public class XMLSchemaLoader implements XMLGrammarLoader, XMLComponent, XSElementDeclHelper, public class XMLSchemaLoader implements XMLGrammarLoader, XMLComponent, XSElementDeclHelper,


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2011, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -25,16 +25,16 @@ import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter; import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
import com.sun.org.apache.xerces.internal.impl.dtd.models.CMNode; import com.sun.org.apache.xerces.internal.impl.dtd.models.CMNode;
import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter; import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException; import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
import jdk.xml.internal.XMLSecurityManager;
/** /**
* *
* @xerces.internal * @xerces.internal
* *
* @author Neeraj Bajaj * @author Neeraj Bajaj
* * @LastModified: July 2023
*/ */
public class CMNodeFactory { public class CMNodeFactory {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2016, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -34,7 +34,6 @@ import com.sun.org.apache.xerces.internal.util.DOMUtil;
import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLChar; import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.QName; import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xs.XSConstants; import com.sun.org.apache.xerces.internal.xs.XSConstants;
import java.util.ArrayList; import java.util.ArrayList;
@ -42,6 +41,7 @@ import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.StringTokenizer; import java.util.StringTokenizer;
import jdk.xml.internal.XMLSecurityManager;
import org.w3c.dom.Attr; import org.w3c.dom.Attr;
import org.w3c.dom.Element; import org.w3c.dom.Element;
@ -67,7 +67,7 @@ import org.w3c.dom.Element;
* @xerces.internal * @xerces.internal
* *
* @author Sandy Gao, IBM * @author Sandy Gao, IBM
* @LastModified: Apr 2022 * @LastModified: July 2023
*/ */
public class XSAttributeChecker { public class XSAttributeChecker {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2007, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -62,7 +62,6 @@ import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException; import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
import com.sun.org.apache.xerces.internal.util.XMLChar; import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.QName; import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.XNIException;
@ -109,6 +108,7 @@ import javax.xml.stream.XMLStreamReader;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.SecuritySupport; import jdk.xml.internal.SecuritySupport;
import jdk.xml.internal.XMLSecurityManager;
import org.w3c.dom.Document; import org.w3c.dom.Document;
import org.w3c.dom.Element; import org.w3c.dom.Element;
import org.w3c.dom.Node; import org.w3c.dom.Node;
@ -131,7 +131,7 @@ import org.xml.sax.XMLReader;
* @author Neil Graham, IBM * @author Neil Graham, IBM
* @author Pavani Mukthipudi, Sun Microsystems * @author Pavani Mukthipudi, Sun Microsystems
* *
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
@SuppressWarnings("deprecation") //org.xml.sax.helpers.XMLReaderFactory @SuppressWarnings("deprecation") //org.xml.sax.helpers.XMLReaderFactory
public class XSDHandler { public class XSDHandler {
@ -2283,8 +2283,10 @@ public class XSDHandler {
catch (SAXException se) {} catch (SAXException se) {}
} }
else { else {
parser = JdkXmlUtils.getXMLReader(fOverrideDefaultParser, parser = JdkXmlUtils.getXMLReader(fSecurityManager,
fSecurityManager.isSecureProcessing()); fOverrideDefaultParser, fSecurityManager.isSecureProcessing(),
fUseCatalog,
JdkXmlUtils.getCatalogFeatures(fDefer, fCatalogFile, fPrefer, fResolve));
try { try {
parser.setFeature(NAMESPACE_PREFIXES, true); parser.setFeature(NAMESPACE_PREFIXES, true);


@ -22,7 +22,6 @@ package com.sun.org.apache.xerces.internal.jaxp;
import com.sun.org.apache.xerces.internal.parsers.DOMParser; import com.sun.org.apache.xerces.internal.parsers.DOMParser;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
@ -32,6 +31,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.Schema; import javax.xml.validation.Schema;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException; import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException; import org.xml.sax.SAXNotSupportedException;
@ -39,7 +39,7 @@ import org.xml.sax.SAXNotSupportedException;
/** /**
* @author Rajiv Mordani * @author Rajiv Mordani
* @author Edwin Goei * @author Edwin Goei
* @LastModified: Mar 2023 * @LastModified: July 2023
*/ */
public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory { public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
/** These are DocumentBuilderFactory attributes not DOM attributes */ /** These are DocumentBuilderFactory attributes not DOM attributes */
@ -79,6 +79,8 @@ public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
} }
try { try {
// read system properties for compatibility
fSecurityManager.readSystemProperties();
return new DocumentBuilderImpl(this, attributes, features, fSecureProcess); return new DocumentBuilderImpl(this, attributes, features, fSecureProcess);
} catch (SAXException se) { } catch (SAXException se) {
// Handles both SAXNotSupportedException, SAXNotRecognizedException // Handles both SAXNotSupportedException, SAXNotRecognizedException
@ -232,6 +234,7 @@ public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
"jaxp-secureprocessing-feature", null)); "jaxp-secureprocessing-feature", null));
} }
fSecureProcess = value; fSecureProcess = value;
fSecurityManager.setSecureProcessing(fSecureProcess);
features.put(name, value ? Boolean.TRUE : Boolean.FALSE); features.put(name, value ? Boolean.TRUE : Boolean.FALSE);
return; return;
} }
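Review bot: `fSecurityManager.readSystemProperties()` is called on the factory's own security manager each time the method that returns `new DocumentBuilderImpl(...)` runs, and the comment "read system properties for compatibility" does not say which values win. If a system property can overwrite a limit or the DTD setting that the application set on the factory through the API, a builder could be created with a weaker setting than the code asked for; `readSystemProperties()` is not shown here, so this needs confirming. The comment should record the intended order, for example `// system properties are re-read here; values set through the API are expected to keep precedence` if that is the case. The same call is added in `SAXParserFactoryImpl` before `new SAXParserImpl(...)`.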


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2007, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -35,7 +35,6 @@ import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator; import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer; import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
import com.sun.org.apache.xerces.internal.parsers.DOMParser; import com.sun.org.apache.xerces.internal.parsers.DOMParser;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State;
@ -47,6 +46,7 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration; import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.XMLSecurityManager;
import org.w3c.dom.DOMImplementation; import org.w3c.dom.DOMImplementation;
import org.w3c.dom.Document; import org.w3c.dom.Document;
import org.xml.sax.EntityResolver; import org.xml.sax.EntityResolver;
@ -59,7 +59,7 @@ import org.xml.sax.SAXNotSupportedException;
/** /**
* @author Rajiv Mordani * @author Rajiv Mordani
* @author Edwin Goei * @author Edwin Goei
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
public class DocumentBuilderImpl extends DocumentBuilder public class DocumentBuilderImpl extends DocumentBuilder
implements JAXPConstants implements JAXPConstants
@ -140,6 +140,12 @@ public class DocumentBuilderImpl extends DocumentBuilder
{ {
domParser = new DOMParser(); domParser = new DOMParser();
fSecurityPropertyMgr = new XMLSecurityPropertyManager();
domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
fSecurityManager = dbf.fSecurityManager;
domParser.setProperty(SECURITY_MANAGER, fSecurityManager);
// If validating, provide a default ErrorHandler that prints // If validating, provide a default ErrorHandler that prints
// validation errors with a warning telling the user to set an // validation errors with a warning telling the user to set an
// ErrorHandler // ErrorHandler
@ -173,12 +179,6 @@ public class DocumentBuilderImpl extends DocumentBuilder
domParser.setFeature(XINCLUDE_FEATURE, true); domParser.setFeature(XINCLUDE_FEATURE, true);
} }
fSecurityPropertyMgr = new XMLSecurityPropertyManager();
domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
fSecurityManager = new XMLSecurityManager(secureProcessing);
domParser.setProperty(SECURITY_MANAGER, fSecurityManager);
if (secureProcessing) { if (secureProcessing) {
/** /**
* If secure processing is explicitly set on the factory, the * If secure processing is explicitly set on the factory, the
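Review bot: The constructor now stores `dbf.fSecurityManager` instead of creating `new XMLSecurityManager(secureProcessing)`, so every builder made by one factory shares a single mutable security manager with that factory and with the other builders. A later `fSecurityManager.setSecureProcessing(...)` on the factory (added in `DocumentBuilderFactoryImpl` in this commit) would then be visible to builders that already exist, where before each builder had its own instance. If sharing is intended, say so at the assignment, e.g. `// shared with the factory: later changes to the factory's limits also apply to this builder`; otherwise give each builder its own instance. The constructor begins and ends outside the hunks shown.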


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -22,6 +22,7 @@ package com.sun.org.apache.xerces.internal.jaxp;
import com.sun.org.apache.xerces.internal.impl.Constants; import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.xml.XMLConstants; import javax.xml.XMLConstants;
@ -29,6 +30,7 @@ import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory; import javax.xml.parsers.SAXParserFactory;
import javax.xml.validation.Schema; import javax.xml.validation.Schema;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException; import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException; import org.xml.sax.SAXNotSupportedException;
@ -41,6 +43,7 @@ import org.xml.sax.SAXNotSupportedException;
* @author Rajiv Mordani * @author Rajiv Mordani
* @author Edwin Goei * @author Edwin Goei
* *
* @LastModified: July 2023
*/ */
public class SAXParserFactoryImpl extends SAXParserFactory { public class SAXParserFactoryImpl extends SAXParserFactory {
@ -65,6 +68,10 @@ public class SAXParserFactoryImpl extends SAXParserFactory {
*/ */
private boolean fSecureProcess = true; private boolean fSecureProcess = true;
// Security Managers
XMLSecurityManager fSecurityManager = new XMLSecurityManager(true);
XMLSecurityPropertyManager fSecurityPropertyMgr = new XMLSecurityPropertyManager();
/** /**
* Creates a new instance of <code>SAXParser</code> using the currently * Creates a new instance of <code>SAXParser</code> using the currently
* configured factory parameters. * configured factory parameters.
@ -75,6 +82,8 @@ public class SAXParserFactoryImpl extends SAXParserFactory {
{ {
SAXParser saxParserImpl; SAXParser saxParserImpl;
try { try {
// read system properties for compatibility
fSecurityManager.readSystemProperties();
saxParserImpl = new SAXParserImpl(this, features, fSecureProcess); saxParserImpl = new SAXParserImpl(this, features, fSecureProcess);
} catch (SAXException se) { } catch (SAXException se) {
// Translate to ParserConfigurationException // Translate to ParserConfigurationException
@ -122,6 +131,7 @@ public class SAXParserFactoryImpl extends SAXParserFactory {
"jaxp-secureprocessing-feature", null)); "jaxp-secureprocessing-feature", null));
} }
fSecureProcess = value; fSecureProcess = value;
fSecurityManager.setSecureProcessing(fSecureProcess);
putInFeatures(name, value); putInFeatures(name, value);
return; return;
} }
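Review bot: The fields `fSecurityManager` and `fSecurityPropertyMgr` added to SAXParserFactoryImpl are package-private and non-final, and the SAXParserImpl constructor changed in this commit copies the references (`fSecurityManager = spf.fSecurityManager;`) instead of creating its own instances. Every parser produced by one factory therefore appears to share one mutable limit state, so a limit changed through one parser's `setProperty` would also apply to the factory and to its other parsers. If that sharing is intended, declare both fields `final` and document it, e.g. `// shared by reference with every SAXParserImpl this factory creates`; otherwise give each parser its own copy. `newSAXParser` also calls `readSystemProperties()` on that shared instance on every invocation, and how that interacts with limits already set through the API is not visible in this section.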


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2010, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2010, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -26,7 +26,6 @@ import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer; import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler; import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@ -45,6 +44,7 @@ import javax.xml.XMLConstants;
import javax.xml.validation.Schema; import javax.xml.validation.Schema;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.EntityResolver; import org.xml.sax.EntityResolver;
import org.xml.sax.ErrorHandler; import org.xml.sax.ErrorHandler;
import org.xml.sax.HandlerBase; import org.xml.sax.HandlerBase;
@ -63,7 +63,7 @@ import org.xml.sax.helpers.DefaultHandler;
* @author Rajiv Mordani * @author Rajiv Mordani
* @author Edwin Goei * @author Edwin Goei
* *
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
public class SAXParserImpl extends javax.xml.parsers.SAXParser public class SAXParserImpl extends javax.xml.parsers.SAXParser
@ -131,8 +131,8 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
SAXParserImpl(SAXParserFactoryImpl spf, Map<String, Boolean> features, boolean secureProcessing) SAXParserImpl(SAXParserFactoryImpl spf, Map<String, Boolean> features, boolean secureProcessing)
throws SAXException throws SAXException
{ {
fSecurityManager = new XMLSecurityManager(secureProcessing); fSecurityManager = spf.fSecurityManager;
fSecurityPropertyMgr = new XMLSecurityPropertyManager(); fSecurityPropertyMgr = spf.fSecurityPropertyMgr;
// Instantiate a SAXParser directly and not through SAX so that we use the right ClassLoader // Instantiate a SAXParser directly and not through SAX so that we use the right ClassLoader
xmlReader = new JAXPSAXParser(this, fSecurityPropertyMgr, fSecurityManager); xmlReader = new JAXPSAXParser(this, fSecurityPropertyMgr, fSecurityManager);
@ -412,23 +412,24 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
*/ */
if (fSecurityManager == null) { if (fSecurityManager == null) {
fSecurityManager = new XMLSecurityManager(true); fSecurityManager = new XMLSecurityManager(true);
try {
super.setProperty(SECURITY_MANAGER, fSecurityManager);
} catch (SAXException e) {
throw new UnsupportedOperationException(
SAXMessageFormatter.formatMessage(fConfiguration.getLocale(),
"property-not-recognized", new Object [] {SECURITY_MANAGER}), e);
}
} }
try {
super.setProperty(SECURITY_MANAGER, fSecurityManager);
} catch (SAXException e) {
throw new UnsupportedOperationException(
SAXMessageFormatter.formatMessage(fConfiguration.getLocale(),
"property-not-recognized", new Object [] {SECURITY_MANAGER}), e);
}
if (fSecurityPropertyMgr == null) { if (fSecurityPropertyMgr == null) {
fSecurityPropertyMgr = new XMLSecurityPropertyManager(); fSecurityPropertyMgr = new XMLSecurityPropertyManager();
try { }
super.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); try {
} catch (SAXException e) { super.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
throw new UnsupportedOperationException( } catch (SAXException e) {
SAXMessageFormatter.formatMessage(fConfiguration.getLocale(), throw new UnsupportedOperationException(
"property-not-recognized", new Object [] {SECURITY_MANAGER}), e); SAXMessageFormatter.formatMessage(fConfiguration.getLocale(),
} "property-not-recognized", new Object [] {XML_SECURITY_PROPERTY_MANAGER}), e);
} }
} }
@ -562,6 +563,11 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
setSchemaValidatorProperty(name, value); setSchemaValidatorProperty(name, value);
} }
if (SECURITY_MANAGER.equals(name)) {
fSecurityManager = XMLSecurityManager.convert(value, fSecurityManager);
super.setProperty(name, value);
}
//check if the property is managed by security manager //check if the property is managed by security manager
if (fSecurityManager == null || if (fSecurityManager == null ||
!fSecurityManager.setLimit(name, JdkProperty.State.APIPROPERTY, value)) { !fSecurityManager.setLimit(name, JdkProperty.State.APIPROPERTY, value)) {
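Review bot: In the new `SECURITY_MANAGER` branch of `setProperty`, the converted manager is stored in `fSecurityManager` but `super.setProperty(name, value)` forwards the original `value`, and the branch does not return. If `XMLSecurityManager.convert` can return an instance other than `value` (its body is not on this page), the underlying configuration and this wrapper end up holding different managers. Control then also falls through to `fSecurityManager.setLimit(name, ...)` with the manager property's own name. Consider `super.setProperty(name, fSecurityManager); return;` inside the branch. The enclosing method starts and ends outside the hunk, so the later fallback path could not be checked.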


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -26,7 +26,6 @@
package com.sun.org.apache.xerces.internal.jaxp.validation; package com.sun.org.apache.xerces.internal.jaxp.validation;
import com.sun.org.apache.xerces.internal.impl.Constants; import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import java.io.IOException; import java.io.IOException;
import javax.xml.transform.Result; import javax.xml.transform.Result;
import javax.xml.transform.Source; import javax.xml.transform.Source;
@ -40,6 +39,7 @@ import javax.xml.transform.sax.TransformerHandler;
import javax.xml.transform.stax.StAXResult; import javax.xml.transform.stax.StAXResult;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
/** /**
@ -69,22 +69,9 @@ public final class StAXValidatorHelper implements ValidatorHelper {
if( identityTransformer1==null ) { if( identityTransformer1==null ) {
try { try {
SAXTransformerFactory tf = JdkXmlUtils.getSAXTransformFactory( SAXTransformerFactory tf = JdkXmlUtils.getSAXTransformFactory(
(XMLSecurityManager)fComponentManager.getProperty(Constants.SECURITY_MANAGER),
fComponentManager.getFeature(JdkConstants.OVERRIDE_PARSER)); fComponentManager.getFeature(JdkConstants.OVERRIDE_PARSER));
XMLSecurityManager securityManager =
(XMLSecurityManager)fComponentManager.getProperty(Constants.SECURITY_MANAGER);
if (securityManager != null) {
for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
if (securityManager.isSet(limit.ordinal())){
tf.setAttribute(limit.apiProperty(),
securityManager.getLimitValueAsString(limit));
}
}
if (securityManager.printEntityCountInfo()) {
tf.setAttribute(JdkConstants.JDK_DEBUG_LIMIT, "yes");
}
}
identityTransformer1 = tf.newTransformer(); identityTransformer1 = tf.newTransformer();
identityTransformer2 = tf.newTransformerHandler(); identityTransformer2 = tf.newTransformerHandler();
} catch (TransformerConfigurationException e) { } catch (TransformerConfigurationException e) {
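Review bot: The value of `fComponentManager.getProperty(Constants.SECURITY_MANAGER)` is now cast and passed straight into `JdkXmlUtils.getSAXTransformFactory`, while the removed code guarded the same value with `if (securityManager != null)`. This section does not show whether the helper tolerates a null manager, or whether it still forwards the explicitly set limits and the `JDK_DEBUG_LIMIT` flag as the removed loop did; if it does not, the identity transformer would run with default limits instead of the configured ones. Once confirmed, a comment at the call would record the contract, for example `// manager may be null; JdkXmlUtils copies the set limits and the debug flag`. The same unchecked cast appears in the StreamValidatorHelper and ValidatorHandlerImpl sections below. The enclosing method starts and ends outside the hunk.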


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -23,7 +23,7 @@ import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter; import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter; import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
import com.sun.org.apache.xerces.internal.parsers.XML11Configuration; import com.sun.org.apache.xerces.internal.parsers.XML11Configuration;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; import jdk.xml.internal.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource; import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException; import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException;
@ -31,18 +31,15 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
import java.io.IOException; import java.io.IOException;
import java.lang.ref.SoftReference; import java.lang.ref.SoftReference;
import javax.xml.XMLConstants; import javax.xml.XMLConstants;
import javax.xml.catalog.CatalogFeatures;
import javax.xml.transform.Result; import javax.xml.transform.Result;
import javax.xml.transform.Source; import javax.xml.transform.Source;
import javax.xml.transform.TransformerConfigurationException; import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerFactoryConfigurationError; import javax.xml.transform.TransformerFactoryConfigurationError;
import javax.xml.transform.sax.SAXTransformerFactory; import javax.xml.transform.sax.SAXTransformerFactory;
import javax.xml.transform.sax.TransformerHandler; import javax.xml.transform.sax.TransformerHandler;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource; import javax.xml.transform.stream.StreamSource;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkXmlFeatures;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
@ -52,7 +49,7 @@ import org.xml.sax.SAXException;
* *
* @author Michael Glavassevich, IBM * @author Michael Glavassevich, IBM
* @author Sunitha Reddy * @author Sunitha Reddy
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
final class StreamValidatorHelper implements ValidatorHelper { final class StreamValidatorHelper implements ValidatorHelper {
@ -141,6 +138,7 @@ final class StreamValidatorHelper implements ValidatorHelper {
if (result != null) { if (result != null) {
try { try {
SAXTransformerFactory tf = JdkXmlUtils.getSAXTransformFactory( SAXTransformerFactory tf = JdkXmlUtils.getSAXTransformFactory(
(XMLSecurityManager)fComponentManager.getProperty(Constants.SECURITY_MANAGER),
fComponentManager.getFeature(JdkConstants.OVERRIDE_PARSER)); fComponentManager.getFeature(JdkConstants.OVERRIDE_PARSER));
identityTransformerHandler = tf.newTransformerHandler(); identityTransformerHandler = tf.newTransformerHandler();


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -27,7 +27,6 @@ import com.sun.org.apache.xerces.internal.impl.dv.XSSimpleType;
import com.sun.org.apache.xerces.internal.impl.validation.EntityState; import com.sun.org.apache.xerces.internal.impl.validation.EntityState;
import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager; import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator; import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
import com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl;
import com.sun.org.apache.xerces.internal.util.AttributesProxy; import com.sun.org.apache.xerces.internal.util.AttributesProxy;
import com.sun.org.apache.xerces.internal.util.SAXLocatorWrapper; import com.sun.org.apache.xerces.internal.util.SAXLocatorWrapper;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
@ -36,7 +35,6 @@ import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.URI; import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl; import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext; import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
@ -63,7 +61,6 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.xml.XMLConstants; import javax.xml.XMLConstants;
import javax.xml.parsers.FactoryConfigurationError; import javax.xml.parsers.FactoryConfigurationError;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Result; import javax.xml.transform.Result;
import javax.xml.transform.Source; import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXResult; import javax.xml.transform.sax.SAXResult;
@ -71,6 +68,7 @@ import javax.xml.transform.sax.SAXSource;
import javax.xml.validation.TypeInfoProvider; import javax.xml.validation.TypeInfoProvider;
import javax.xml.validation.ValidatorHandler; import javax.xml.validation.ValidatorHandler;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.XMLSecurityManager;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import org.w3c.dom.TypeInfo; import org.w3c.dom.TypeInfo;
import org.w3c.dom.ls.LSInput; import org.w3c.dom.ls.LSInput;
@ -95,7 +93,7 @@ import org.xml.sax.ext.EntityResolver2;
* @author Kohsuke Kawaguchi * @author Kohsuke Kawaguchi
* @author Michael Glavassevich, IBM * @author Michael Glavassevich, IBM
* *
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
final class ValidatorHandlerImpl extends ValidatorHandler implements final class ValidatorHandlerImpl extends ValidatorHandler implements
DTDHandler, EntityState, PSVIProvider, ValidatorHelper, XMLDocumentHandler { DTDHandler, EntityState, PSVIProvider, ValidatorHelper, XMLDocumentHandler {
@ -676,8 +674,12 @@ final class ValidatorHandlerImpl extends ValidatorHandler implements
XMLReader reader = saxSource.getXMLReader(); XMLReader reader = saxSource.getXMLReader();
if( reader==null ) { if( reader==null ) {
// create one now // create one now
reader = JdkXmlUtils.getXMLReader(fComponentManager.getFeature(JdkConstants.OVERRIDE_PARSER), reader = JdkXmlUtils.getXMLReader(
fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)); (XMLSecurityManager)fComponentManager.getProperty(SECURITY_MANAGER),
fComponentManager.getFeature(JdkConstants.OVERRIDE_PARSER),
fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING),
fComponentManager.getFeature(XMLConstants.USE_CATALOG),
null);
try { try {
// If this is a Xerces SAX parser, set the security manager if there is one // If this is a Xerces SAX parser, set the security manager if there is one


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2007, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -30,7 +30,6 @@ import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.util.StAXInputSource; import com.sun.org.apache.xerces.internal.util.StAXInputSource;
import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl; import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.Grammar; import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@ -56,6 +55,7 @@ import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.JdkProperty.ImplPropMap; import jdk.xml.internal.JdkProperty.ImplPropMap;
import jdk.xml.internal.JdkXmlFeatures; import jdk.xml.internal.JdkXmlFeatures;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.XMLSecurityManager;
import org.w3c.dom.Node; import org.w3c.dom.Node;
import org.w3c.dom.ls.LSResourceResolver; import org.w3c.dom.ls.LSResourceResolver;
import org.xml.sax.ErrorHandler; import org.xml.sax.ErrorHandler;
@ -70,7 +70,7 @@ import org.xml.sax.SAXParseException;
* *
* @author Kohsuke Kawaguchi * @author Kohsuke Kawaguchi
* *
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
public final class XMLSchemaFactory extends SchemaFactory { public final class XMLSchemaFactory extends SchemaFactory {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2006, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -41,7 +41,6 @@ import com.sun.org.apache.xerces.internal.util.PropertyState;
import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext; import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@ -50,7 +49,7 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
import javax.xml.catalog.CatalogFeatures; import javax.xml.catalog.CatalogFeatures;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.XMLSecurityManager;
import org.w3c.dom.ls.LSResourceResolver; import org.w3c.dom.ls.LSResourceResolver;
import org.xml.sax.ErrorHandler; import org.xml.sax.ErrorHandler;
@ -58,7 +57,7 @@ import org.xml.sax.ErrorHandler;
* <p>An implementation of XMLComponentManager for a schema validator.</p> * <p>An implementation of XMLComponentManager for a schema validator.</p>
* *
* @author Michael Glavassevich, IBM * @author Michael Glavassevich, IBM
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettings implements final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettings implements
XMLComponentManager { XMLComponentManager {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -28,7 +28,6 @@ import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolHash; import com.sun.org.apache.xerces.internal.util.SymbolHash;
import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext; import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName; import com.sun.org.apache.xerces.internal.xni.QName;
@ -50,6 +49,8 @@ import java.io.CharConversionException;
import java.io.IOException; import java.io.IOException;
import java.util.Locale; import java.util.Locale;
import javax.xml.XMLConstants; import javax.xml.XMLConstants;
import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.AttributeList; import org.xml.sax.AttributeList;
import org.xml.sax.ContentHandler; import org.xml.sax.ContentHandler;
import org.xml.sax.DTDHandler; import org.xml.sax.DTDHandler;
@ -78,7 +79,7 @@ import org.xml.sax.helpers.LocatorImpl;
* @author Arnaud Le Hors, IBM * @author Arnaud Le Hors, IBM
* @author Andy Clark, IBM * @author Andy Clark, IBM
* *
* @LastModified: Sep 2019 * @LastModified: July 2023
*/ */
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
public abstract class AbstractSAXParser public abstract class AbstractSAXParser
@ -1669,11 +1670,11 @@ public abstract class AbstractSAXParser
} }
} }
// // Handle security setting
// Default handling if (!securityManager.setLimit(featureId, JdkProperty.State.APIPROPERTY, state)) {
// //fall back to the default configuration
fConfiguration.setFeature(featureId, state);
fConfiguration.setFeature(featureId, state); }
} }
catch (XMLConfigurationException e) { catch (XMLConfigurationException e) {
String identifier = e.getIdentifier(); String identifier = e.getIdentifier();
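Review bot: `securityManager.setLimit(featureId, JdkProperty.State.APIPROPERTY, state)` in `setFeature` dereferences `securityManager` without a null check, whereas the equivalent path in SAXParserImpl.setProperty on this page tests `fSecurityManager == null ||` first. If the field can still be unset when a caller sets a feature (its initialisation is outside the hunk), this throws a NullPointerException that the `catch (XMLConfigurationException e)` below does not translate. A guard such as `if (securityManager == null || !securityManager.setLimit(featureId, JdkProperty.State.APIPROPERTY, state))` keeps the fallback to `fConfiguration.setFeature(featureId, state)`. The DOMParser section further down has the same unguarded call. The method body starts and ends outside the hunk.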


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -29,7 +29,6 @@ import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool; import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
@ -42,6 +41,7 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
import java.io.CharConversionException; import java.io.CharConversionException;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.XMLSecurityManager;
import org.w3c.dom.Node; import org.w3c.dom.Node;
import org.xml.sax.EntityResolver; import org.xml.sax.EntityResolver;
import org.xml.sax.ErrorHandler; import org.xml.sax.ErrorHandler;
@ -60,7 +60,7 @@ import org.xml.sax.helpers.LocatorImpl;
* *
* @author Arnaud Le Hors, IBM * @author Arnaud Le Hors, IBM
* @author Andy Clark, IBM * @author Andy Clark, IBM
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
public class DOMParser public class DOMParser
extends AbstractDOMParser { extends AbstractDOMParser {
@ -450,11 +450,11 @@ public class DOMParser
return; return;
} }
// if (!securityManager.setLimit(featureId, JdkProperty.State.APIPROPERTY, state)) {
// Default handling //fall back to the default configuration
// fConfiguration.setFeature(featureId, state);
}
fConfiguration.setFeature(featureId, state);
} }
catch (XMLConfigurationException e) { catch (XMLConfigurationException e) {
String identifier = e.getIdentifier(); String identifier = e.getIdentifier();


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -22,12 +22,12 @@ package com.sun.org.apache.xerces.internal.parsers;
import com.sun.org.apache.xerces.internal.impl.Constants; import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool; import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration; import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty; import jdk.xml.internal.JdkProperty;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.SAXNotRecognizedException; import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException; import org.xml.sax.SAXNotSupportedException;
@ -39,7 +39,7 @@ import org.xml.sax.SAXNotSupportedException;
* @author Arnaud Le Hors, IBM * @author Arnaud Le Hors, IBM
* @author Andy Clark, IBM * @author Andy Clark, IBM
* *
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
public class SAXParser public class SAXParser
extends AbstractSAXParser { extends AbstractSAXParser {


@ -1,6 +1,5 @@
/* /*
* reserved comment block * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT REMOVE OR ALTER!
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -25,7 +24,7 @@ import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool; import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; import jdk.xml.internal.XMLSecurityManager;
/** /**
* This configuration allows Xerces to behave in a security-conscious manner; that is, * This configuration allows Xerces to behave in a security-conscious manner; that is,
@ -44,7 +43,7 @@ import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
* </ul> * </ul>
* *
* @author Neil Graham, IBM * @author Neil Graham, IBM
* * @LastModified: July 2023
*/ */
public class SecurityConfiguration extends XIncludeAwareParserConfiguration public class SecurityConfiguration extends XIncludeAwareParserConfiguration
{ {


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -23,13 +23,12 @@ package com.sun.org.apache.xerces.internal.parsers;
import java.io.IOException; import java.io.IOException;
import com.sun.org.apache.xerces.internal.impl.Constants; import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource; import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration; import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.SAXNotSupportedException; import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXNotRecognizedException; import org.xml.sax.SAXNotRecognizedException;
@ -49,7 +48,7 @@ import org.xml.sax.SAXNotRecognizedException;
* *
* @author Arnaud Le Hors, IBM * @author Arnaud Le Hors, IBM
* @author Andy Clark, IBM * @author Andy Clark, IBM
* @LastModified: May 2021 * @LastModified: July 2023
*/ */
public abstract class XMLParser { public abstract class XMLParser {


@ -1,251 +0,0 @@
/*
* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.sun.org.apache.xerces.internal.utils;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
import java.util.Formatter;
import java.util.HashMap;
import java.util.Map;
import jdk.xml.internal.JdkConstants;
/**
* A helper for analyzing entity expansion limits
*
* @author Joe Wang Oracle Corp.
*
*/
public final class XMLLimitAnalyzer {
/**
* Map old property names with the new ones
*/
public static enum NameMap {
ENTITY_EXPANSION_LIMIT(JdkConstants.SP_ENTITY_EXPANSION_LIMIT, JdkConstants.ENTITY_EXPANSION_LIMIT),
MAX_OCCUR_NODE_LIMIT(JdkConstants.SP_MAX_OCCUR_LIMIT, JdkConstants.MAX_OCCUR_LIMIT),
ELEMENT_ATTRIBUTE_LIMIT(JdkConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, JdkConstants.ELEMENT_ATTRIBUTE_LIMIT);
final String newName;
final String oldName;
NameMap(String newName, String oldName) {
this.newName = newName;
this.oldName = oldName;
}
String getOldName(String newName) {
if (newName.equals(this.newName)) {
return oldName;
}
return null;
}
}
/**
* Max value accumulated for each property
*/
private final int[] values;
/**
* Names of the entities corresponding to their max values
*/
private final String[] names;
/**
* Total value of accumulated entities
*/
private final int[] totalValue;
/**
* Maintain values of the top 10 elements in the process of parsing
*/
private final Map<String, Integer>[] caches;
private String entityStart, entityEnd;
/**
* Default constructor. Establishes default values for known security
* vulnerabilities.
*/
@SuppressWarnings({"rawtypes", "unchecked"})
public XMLLimitAnalyzer() {
values = new int[Limit.values().length];
totalValue = new int[Limit.values().length];
names = new String[Limit.values().length];
caches = new Map[Limit.values().length];
}
/**
* Add the value to the current max count for the specified property
* To find the max value of all entities, set no limit
*
* @param limit the type of the property
* @param entityName the name of the entity
* @param value the value of the entity
*/
public void addValue(Limit limit, String entityName, int value) {
addValue(limit.ordinal(), entityName, value);
}
/**
* Add the value to the current count by the index of the property
* @param index the index of the property
* @param entityName the name of the entity
* @param value the value of the entity
*/
public void addValue(int index, String entityName, int value) {
if (index == Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
index == Limit.MAX_OCCUR_NODE_LIMIT.ordinal() ||
index == Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() ||
index == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal() ||
index == Limit.ENTITY_REPLACEMENT_LIMIT.ordinal()
) {
totalValue[index] += value;
return;
}
if (index == Limit.MAX_ELEMENT_DEPTH_LIMIT.ordinal() ||
index == Limit.MAX_NAME_LIMIT.ordinal()) {
values[index] = value;
totalValue[index] = value;
return;
}
Map<String, Integer> cache;
if (caches[index] == null) {
cache = new HashMap<>(10);
caches[index] = cache;
} else {
cache = caches[index];
}
int accumulatedValue = value;
if (cache.containsKey(entityName)) {
accumulatedValue += cache.get(entityName);
cache.put(entityName, accumulatedValue);
} else {
cache.put(entityName, value);
}
if (accumulatedValue > values[index]) {
values[index] = accumulatedValue;
names[index] = entityName;
}
if (index == Limit.GENERAL_ENTITY_SIZE_LIMIT.ordinal() ||
index == Limit.PARAMETER_ENTITY_SIZE_LIMIT.ordinal()) {
totalValue[Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()] += value;
}
}
/**
* Return the value of the current max count for the specified property
*
* @param limit the property
* @return the value of the property
*/
public int getValue(Limit limit) {
return getValue(limit.ordinal());
}
public int getValue(int index) {
if (index == Limit.ENTITY_REPLACEMENT_LIMIT.ordinal()) {
return totalValue[index];
}
return values[index];
}
/**
* Return the total value accumulated so far
*
* @param limit the property
* @return the accumulated value of the property
*/
public int getTotalValue(Limit limit) {
return totalValue[limit.ordinal()];
}
public int getTotalValue(int index) {
return totalValue[index];
}
/**
* Return the current max value (count or length) by the index of a property
* @param index the index of a property
* @return count of a property
*/
public int getValueByIndex(int index) {
return values[index];
}
public void startEntity(String name) {
entityStart = name;
}
public boolean isTracking(String name) {
if (entityStart == null) {
return false;
}
return entityStart.equals(name);
}
/**
* Stop tracking the entity
* @param limit the limit property
* @param name the name of an entity
*/
public void endEntity(Limit limit, String name) {
entityStart = "";
Map<String, Integer> cache = caches[limit.ordinal()];
if (cache != null) {
cache.remove(name);
}
}
/**
* Resets the current value of the specified limit.
* @param limit The limit to be reset.
*/
public void reset(Limit limit) {
if (limit.ordinal() == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()) {
totalValue[limit.ordinal()] = 0;
} else if (limit.ordinal() == Limit.GENERAL_ENTITY_SIZE_LIMIT.ordinal()) {
names[limit.ordinal()] = null;
values[limit.ordinal()] = 0;
caches[limit.ordinal()] = null;
totalValue[limit.ordinal()] = 0;
}
}
public void debugPrint(XMLSecurityManager securityManager) {
Formatter formatter = new Formatter();
System.out.println(formatter.format("%30s %15s %15s %15s %30s",
"Property","Limit","Total size","Size","Entity Name"));
for (Limit limit : Limit.values()) {
formatter = new Formatter();
System.out.println(formatter.format("%30s %15d %15d %15d %30s",
limit.name(),
securityManager.getLimit(limit),
totalValue[limit.ordinal()],
values[limit.ordinal()],
names[limit.ordinal()]));
}
}
}


@ -1,638 +0,0 @@
/*
* Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.sun.org.apache.xerces.internal.utils;
import com.sun.org.apache.xerces.internal.util.SecurityManager;
import java.util.concurrent.CopyOnWriteArrayList;
import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkProperty.State;
import jdk.xml.internal.JdkProperty.ImplPropMap;
import jdk.xml.internal.SecuritySupport;
import org.xml.sax.SAXException;
/**
* This class manages standard and implementation-specific limitations.
*
*/
public final class XMLSecurityManager {
/**
* Limits managed by the security manager
*/
@SuppressWarnings("deprecation")
public static enum Limit {
ENTITY_EXPANSION_LIMIT("EntityExpansionLimit",
JdkConstants.JDK_ENTITY_EXPANSION_LIMIT, JdkConstants.SP_ENTITY_EXPANSION_LIMIT, 0, 64000),
MAX_OCCUR_NODE_LIMIT("MaxOccurLimit",
JdkConstants.JDK_MAX_OCCUR_LIMIT, JdkConstants.SP_MAX_OCCUR_LIMIT, 0, 5000),
ELEMENT_ATTRIBUTE_LIMIT("ElementAttributeLimit",
JdkConstants.JDK_ELEMENT_ATTRIBUTE_LIMIT, JdkConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
TOTAL_ENTITY_SIZE_LIMIT("TotalEntitySizeLimit",
JdkConstants.JDK_TOTAL_ENTITY_SIZE_LIMIT, JdkConstants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
GENERAL_ENTITY_SIZE_LIMIT("MaxEntitySizeLimit",
JdkConstants.JDK_GENERAL_ENTITY_SIZE_LIMIT, JdkConstants.SP_GENERAL_ENTITY_SIZE_LIMIT, 0, 0),
PARAMETER_ENTITY_SIZE_LIMIT("MaxEntitySizeLimit",
JdkConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, JdkConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000),
MAX_ELEMENT_DEPTH_LIMIT("MaxElementDepthLimit",
JdkConstants.JDK_MAX_ELEMENT_DEPTH, JdkConstants.SP_MAX_ELEMENT_DEPTH, 0, 0),
MAX_NAME_LIMIT("MaxXMLNameLimit",
JdkConstants.JDK_XML_NAME_LIMIT, JdkConstants.SP_XML_NAME_LIMIT, 1000, 1000),
ENTITY_REPLACEMENT_LIMIT("EntityReplacementLimit",
JdkConstants.JDK_ENTITY_REPLACEMENT_LIMIT, JdkConstants.SP_ENTITY_REPLACEMENT_LIMIT, 0, 3000000);
final String key;
final String apiProperty;
final String systemProperty;
final int defaultValue;
final int secureValue;
Limit(String key, String apiProperty, String systemProperty, int value, int secureValue) {
this.key = key;
this.apiProperty = apiProperty;
this.systemProperty = systemProperty;
this.defaultValue = value;
this.secureValue = secureValue;
}
/**
* Checks whether the specified name is a limit. Checks both the
* property and System Property which is now the new property name.
*
* @param name the specified name
* @return true if there is a match, false otherwise
*/
public boolean is(String name) {
// current spec: new property name == systemProperty
return (systemProperty != null && systemProperty.equals(name)) ||
// current spec: apiProperty is legacy
(apiProperty.equals(name));
}
/**
* Returns the state of a property name. By the specification as of JDK 17,
* the "jdk.xml." prefixed System property name is also the current API
* name. The URI-based qName is legacy.
*
* @param name the property name
* @return the state of the property name, null if no match
*/
public State getState(String name) {
if (systemProperty != null && systemProperty.equals(name)) {
return State.APIPROPERTY;
} else if (apiProperty.equals(name)) {
//the URI-style qName is legacy
return State.LEGACY_APIPROPERTY;
}
return null;
}
public String key() {
return key;
}
public String apiProperty() {
return apiProperty;
}
public String systemProperty() {
return systemProperty;
}
public int defaultValue() {
return defaultValue;
}
int secureValue() {
return secureValue;
}
}
/**
* Map old property names with the new ones
*/
public static enum NameMap {
ENTITY_EXPANSION_LIMIT(JdkConstants.SP_ENTITY_EXPANSION_LIMIT, JdkConstants.ENTITY_EXPANSION_LIMIT),
MAX_OCCUR_NODE_LIMIT(JdkConstants.SP_MAX_OCCUR_LIMIT, JdkConstants.MAX_OCCUR_LIMIT),
ELEMENT_ATTRIBUTE_LIMIT(JdkConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, JdkConstants.ELEMENT_ATTRIBUTE_LIMIT);
final String newName;
final String oldName;
NameMap(String newName, String oldName) {
this.newName = newName;
this.oldName = oldName;
}
String getOldName(String newName) {
if (newName.equals(this.newName)) {
return oldName;
}
return null;
}
}
private static final int NO_LIMIT = 0;
/**
* Values of the properties
*/
private final int[] values;
/**
* States of the settings for each property
*/
private State[] states;
/**
* Flag indicating if secure processing is set
*/
boolean secureProcessing;
/**
* States that determine if properties are set explicitly
*/
private boolean[] isSet;
/**
* Index of the special entityCountInfo property
*/
private final int indexEntityCountInfo = 10000;
private String printEntityCountInfo = "";
/**
* Default constructor. Establishes default values for known security
* vulnerabilities.
*/
public XMLSecurityManager() {
this(false);
}
/**
* Instantiate Security Manager in accordance with the status of
* secure processing
* @param secureProcessing
*/
public XMLSecurityManager(boolean secureProcessing) {
values = new int[Limit.values().length];
states = new State[Limit.values().length];
isSet = new boolean[Limit.values().length];
this.secureProcessing = secureProcessing;
for (Limit limit : Limit.values()) {
if (secureProcessing) {
values[limit.ordinal()] = limit.secureValue;
states[limit.ordinal()] = State.FSP;
} else {
values[limit.ordinal()] = limit.defaultValue();
states[limit.ordinal()] = State.DEFAULT;
}
}
//read system properties or jaxp.properties
readSystemProperties();
}
/**
* Setting FEATURE_SECURE_PROCESSING explicitly
*/
public void setSecureProcessing(boolean secure) {
secureProcessing = secure;
for (Limit limit : Limit.values()) {
if (secure) {
setLimit(limit.ordinal(), State.FSP, limit.secureValue());
} else {
setLimit(limit.ordinal(), State.FSP, limit.defaultValue());
}
}
}
/**
* Return the state of secure processing
* @return the state of secure processing
*/
public boolean isSecureProcessing() {
return secureProcessing;
}
/**
* Finds a limit's new name with the given property name.
* @param propertyName the property name specified
* @return the limit's new name if found, null otherwise
*/
public String find(String propertyName) {
for (Limit limit : Limit.values()) {
if (limit.is(propertyName)) {
// current spec: new property name == systemProperty
return limit.systemProperty();
}
}
//ENTITYCOUNT's new name is qName
if (ImplPropMap.ENTITYCOUNT.is(propertyName)) {
return ImplPropMap.ENTITYCOUNT.qName();
}
return null;
}
/**
* Set limit by property name and state
* @param propertyName property name
* @param state the state of the property
* @param value the value of the property
* @return true if the property is managed by the security manager; false
* if otherwise.
*/
public boolean setLimit(String propertyName, State state, Object value) {
int index = getIndex(propertyName);
if (index > -1) {
State pState = state;
if (index != indexEntityCountInfo && state == State.APIPROPERTY) {
pState = (Limit.values()[index]).getState(propertyName);
}
setLimit(index, pState, value);
return true;
}
return false;
}
/**
* Set the value for a specific limit.
*
* @param limit the limit
* @param state the state of the property
* @param value the value of the property
*/
public void setLimit(Limit limit, State state, int value) {
setLimit(limit.ordinal(), state, value);
}
/**
* Set the value of a property by its index
*
* @param index the index of the property
* @param state the state of the property
* @param value the value of the property
*/
public void setLimit(int index, State state, Object value) {
if (index == indexEntityCountInfo) {
printEntityCountInfo = (String)value;
} else {
int temp;
if (value instanceof Integer) {
temp = (Integer)value;
} else {
temp = Integer.parseInt((String) value);
if (temp < 0) {
temp = 0;
}
}
setLimit(index, state, temp);
}
}
/**
* Set the value of a property by its index
*
* @param index the index of the property
* @param state the state of the property
* @param value the value of the property
*/
public void setLimit(int index, State state, int value) {
if (index == indexEntityCountInfo) {
//if it's explicitly set, it's treated as yes no matter the value
printEntityCountInfo = JdkConstants.JDK_YES;
} else {
//only update if it shall override
if (state.compareTo(states[index]) >= 0) {
values[index] = value;
states[index] = state;
isSet[index] = true;
}
}
}
/**
* Return the value of the specified property
*
* @param propertyName the property name
* @return the value of the property as a string. If a property is managed
* by this manager, its value shall not be null.
*/
public String getLimitAsString(String propertyName) {
int index = getIndex(propertyName);
if (index > -1) {
return getLimitValueByIndex(index);
}
return null;
}
/**
* Return the value of the specified property
*
* @param limit the property
* @return the value of the property
*/
public int getLimit(Limit limit) {
return values[limit.ordinal()];
}
/**
* Return the value of a property by its ordinal
*
* @param limit the property
* @return value of a property
*/
public String getLimitValueAsString(Limit limit) {
return Integer.toString(values[limit.ordinal()]);
}
/**
* Return the value of a property by its ordinal
*
* @param index the index of a property
* @return limit of a property as a string
*/
public String getLimitValueByIndex(int index) {
if (index == indexEntityCountInfo) {
return printEntityCountInfo;
}
return Integer.toString(values[index]);
}
/**
* Return the state of the limit property
*
* @param limit the limit
* @return the state of the limit property
*/
public State getState(Limit limit) {
return states[limit.ordinal()];
}
/**
* Return the state of the limit property
*
* @param limit the limit
* @return the state of the limit property
*/
public String getStateLiteral(Limit limit) {
return states[limit.ordinal()].literal();
}
/**
* Get the index by property name
*
* @param propertyName property name
* @return the index of the property if found; return -1 if not
*/
public int getIndex(String propertyName) {
for (Limit limit : Limit.values()) {
// see JDK-8265248, accept both the URL and jdk.xml as prefix
if (limit.is(propertyName)) {
//internally, ordinal is used as index
return limit.ordinal();
}
}
//special property to return entity count info
if (ImplPropMap.ENTITYCOUNT.is(propertyName)) {
return indexEntityCountInfo;
}
return -1;
}
/**
* Check if there's no limit defined by the Security Manager
* @param limit
* @return
*/
public boolean isNoLimit(int limit) {
return limit==NO_LIMIT;
}
/**
* Check if the size (length or count) of the specified limit property is
* over the limit
*
* @param limit the type of the limit property
* @param entityName the name of the entity
* @param size the size (count or length) of the entity
* @return true if the size is over the limit, false otherwise
*/
public boolean isOverLimit(Limit limit, String entityName, int size,
XMLLimitAnalyzer limitAnalyzer) {
return isOverLimit(limit.ordinal(), entityName, size, limitAnalyzer);
}
/**
* Check if the value (length or count) of the specified limit property is
* over the limit
*
* @param index the index of the limit property
* @param entityName the name of the entity
* @param size the size (count or length) of the entity
* @return true if the size is over the limit, false otherwise
*/
public boolean isOverLimit(int index, String entityName, int size,
XMLLimitAnalyzer limitAnalyzer) {
if (values[index] == NO_LIMIT) {
return false;
}
if (size > values[index]) {
limitAnalyzer.addValue(index, entityName, size);
return true;
}
return false;
}
/**
* Check against cumulated value
*
* @param limit the type of the limit property
* @param size the size (count or length) of the entity
* @return true if the size is over the limit, false otherwise
*/
public boolean isOverLimit(Limit limit, XMLLimitAnalyzer limitAnalyzer) {
return isOverLimit(limit.ordinal(), limitAnalyzer);
}
public boolean isOverLimit(int index, XMLLimitAnalyzer limitAnalyzer) {
if (values[index] == NO_LIMIT) {
return false;
}
if (index == Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() ||
index == Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
index == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal() ||
index == Limit.ENTITY_REPLACEMENT_LIMIT.ordinal() ||
index == Limit.MAX_ELEMENT_DEPTH_LIMIT.ordinal() ||
index == Limit.MAX_NAME_LIMIT.ordinal()
) {
return (limitAnalyzer.getTotalValue(index) > values[index]);
} else {
return (limitAnalyzer.getValue(index) > values[index]);
}
}
public void debugPrint(XMLLimitAnalyzer limitAnalyzer) {
if (printEntityCountInfo.equals(JdkConstants.JDK_YES)) {
limitAnalyzer.debugPrint(this);
}
}
/**
* Indicate if a property is set explicitly
* @param index
* @return
*/
public boolean isSet(int index) {
return isSet[index];
}
public boolean printEntityCountInfo() {
return printEntityCountInfo.equals(JdkConstants.JDK_YES);
}
/**
* Read system properties, or the configuration file
*/
private void readSystemProperties() {
for (Limit limit : Limit.values()) {
// attempts to read both the current and old system propery
if (!getSystemProperty(limit, limit.systemProperty())
&& (!getOldSystemProperty(limit))) {
//if system property is not found, try the config file
getPropertyConfig(limit, limit.systemProperty());
}
}
}
// Array list to store printed warnings for each SAX parser used
private static final CopyOnWriteArrayList<String> printedWarnings = new CopyOnWriteArrayList<>();
/**
* Prints out warnings if a parser does not support the specified feature/property.
*
* @param parserClassName the name of the parser class
* @param propertyName the property name
* @param exception the exception thrown by the parser
*/
public static void printWarning(String parserClassName, String propertyName, SAXException exception) {
String key = parserClassName+":"+propertyName;
if (printedWarnings.addIfAbsent(key)) {
System.err.println( "Warning: "+parserClassName+": "+exception.getMessage());
}
}
/**
* Reads a system property, sets value and state if found.
*
* @param limit the limit property
* @param sysPropertyName the name of system property
*/
private boolean getSystemProperty(Limit limit, String sysPropertyName) {
try {
String value = SecuritySupport.getSystemProperty(sysPropertyName);
if (value != null && !value.equals("")) {
values[limit.ordinal()] = Integer.parseInt(value);
states[limit.ordinal()] = State.SYSTEMPROPERTY;
return true;
}
} catch (NumberFormatException e) {
//invalid setting
throw new NumberFormatException("Invalid setting for system property: " + limit.systemProperty());
}
return false;
}
/**
* Reads the legacy system property.
* @param limit a limit object
* @return true if found, false otherwise
*/
private boolean getOldSystemProperty(Limit limit) {
boolean found = false;
for (NameMap nameMap : NameMap.values()) {
String oldName = nameMap.getOldName(limit.systemProperty());
if (oldName != null) {
if (getSystemProperty(limit, oldName)) {
found = true;
break;
}
}
}
return found;
}
/**
* Reads a property from a configuration file, if any.
*
* @param limit the limit property
* @param sysPropertyName the name of system property
* @return
*/
private boolean getPropertyConfig(Limit limit, String sysPropertyName) {
try {
String value = SecuritySupport.readConfig(sysPropertyName);
if (value != null && !value.equals("")) {
values[limit.ordinal()] = Integer.parseInt(value);
states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
return true;
}
} catch (NumberFormatException e) {
//invalid setting
throw new NumberFormatException("Invalid setting for system property: " + limit.systemProperty());
}
return false;
}
/**
* Convert a value set through setProperty to XMLSecurityManager.
* If the value is an instance of XMLSecurityManager, use it to override the default;
* If the value is an old SecurityManager, convert to the new XMLSecurityManager.
*
* @param value user specified security manager
* @param securityManager an instance of XMLSecurityManager
* @return an instance of the new security manager XMLSecurityManager
*/
public static XMLSecurityManager convert(Object value, XMLSecurityManager securityManager) {
if (value == null) {
if (securityManager == null) {
securityManager = new XMLSecurityManager(true);
}
return securityManager;
}
if (value instanceof XMLSecurityManager) {
return (XMLSecurityManager)value;
} else {
if (securityManager == null) {
securityManager = new XMLSecurityManager(true);
}
if (value instanceof SecurityManager) {
SecurityManager origSM = (SecurityManager)value;
securityManager.setLimit(Limit.MAX_OCCUR_NODE_LIMIT, State.APIPROPERTY, origSM.getMaxOccurNodeLimit());
securityManager.setLimit(Limit.ENTITY_EXPANSION_LIMIT, State.APIPROPERTY, origSM.getEntityExpansionLimit());
securityManager.setLimit(Limit.ELEMENT_ATTRIBUTE_LIMIT, State.APIPROPERTY, origSM.getElementAttrLimit());
}
return securityManager;
}
}
}


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2006, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved.
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -39,7 +39,6 @@ import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLLocatorWrapper; import com.sun.org.apache.xerces.internal.util.XMLLocatorWrapper;
import com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl; import com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl;
import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext; import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
@ -80,6 +79,7 @@ import javax.xml.catalog.CatalogResolver;
import javax.xml.transform.Source; import javax.xml.transform.Source;
import jdk.xml.internal.JdkConstants; import jdk.xml.internal.JdkConstants;
import jdk.xml.internal.JdkXmlUtils; import jdk.xml.internal.JdkXmlUtils;
import jdk.xml.internal.XMLSecurityManager;
import org.xml.sax.InputSource; import org.xml.sax.InputSource;
/** /**
@ -128,7 +128,7 @@ import org.xml.sax.InputSource;
* *
* *
* @see XIncludeNamespaceSupport * @see XIncludeNamespaceSupport
* @LastModified: July 2022 * @LastModified: July 2023
*/ */
public class XIncludeHandler public class XIncludeHandler
implements XMLComponent, XMLDocumentFilter, XMLDTDFilter { implements XMLComponent, XMLDocumentFilter, XMLDTDFilter {
@ -1731,6 +1731,11 @@ public class XIncludeHandler
fChildConfig.setProperty(SECURITY_MANAGER, fSecurityManager); fChildConfig.setProperty(SECURITY_MANAGER, fSecurityManager);
fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
fChildConfig.setProperty(BUFFER_SIZE, fBufferSize); fChildConfig.setProperty(BUFFER_SIZE, fBufferSize);
fChildConfig.setProperty(CatalogFeatures.Feature.FILES.getPropertyName(), fCatalogFile);
fChildConfig.setProperty(CatalogFeatures.Feature.DEFER.getPropertyName(), fDefer);
fChildConfig.setProperty(CatalogFeatures.Feature.PREFER.getPropertyName(), fPrefer);
fChildConfig.setProperty(CatalogFeatures.Feature.RESOLVE.getPropertyName(), fResolve);
fChildConfig.setFeature(XMLConstants.USE_CATALOG, fUseCatalog);
// features must be copied to child configuration // features must be copied to child configuration
fNeedCopyFeatures = true; fNeedCopyFeatures = true;
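Review bot: A null `fCatalogFile`, `fDefer`, `fPrefer` or `fResolve` would be passed straight to `fChildConfig.setProperty` by the added lines. Where those fields are initialised is outside the hunk, so it is worth confirming that the child configuration accepts a null value. If it throws part-way through, the included document would be parsed with the security manager set but without the parent's catalog policy. The added lines also have no comment; I would put `// the included document must resolve under the same catalog settings as the parent` above the first of them. The enclosing method starts and ends outside the hunk.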


@ -1,6 +1,5 @@
/* /*
* reserved comment block * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT REMOVE OR ALTER!
*/ */
/* /*
* Licensed to the Apache Software Foundation (ASF) under one or more * Licensed to the Apache Software Foundation (ASF) under one or more
@ -21,9 +20,9 @@
package com.sun.org.apache.xerces.internal.xni.parser; package com.sun.org.apache.xerces.internal.xni.parser;
import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
import java.io.IOException;
import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.XNIException;
import java.io.IOException;
import jdk.xml.internal.XMLLimitAnalyzer;
/** /**
* This interface defines a generic DTD scanner. This interface * This interface defines a generic DTD scanner. This interface
@ -39,6 +38,7 @@ import com.sun.org.apache.xerces.internal.xni.XNIException;
* </blockquote> * </blockquote>
* *
* @author Andy Clark, IBM * @author Andy Clark, IBM
* @LastModified: July 2023
* *
*/ */
public interface XMLDTDScanner public interface XMLDTDScanner


@ -37,7 +37,7 @@ import org.xml.sax.XMLReader;
* Creates XMLReader objects and caches them for re-use. * Creates XMLReader objects and caches them for re-use.
* This class follows the singleton pattern. * This class follows the singleton pattern.
* *
* @LastModified: Jan 2023 * @LastModified: July 2023
*/ */
public class XMLReaderManager { public class XMLReaderManager {
@ -123,8 +123,11 @@ public class XMLReaderManager {
(rw.overrideDefaultParser == m_overrideDefaultParser) && (rw.overrideDefaultParser == m_overrideDefaultParser) &&
( factory == null || reader.getClass().getName().equals(factory))) { ( factory == null || reader.getClass().getName().equals(factory))) {
m_inUse.put(reader, Boolean.TRUE); m_inUse.put(reader, Boolean.TRUE);
JdkXmlUtils.setReaderProperty(reader, _xmlSecurityManager, _useCatalog,
_catalogFeatures);
} else { } else {
reader = JdkXmlUtils.getXMLReader(m_overrideDefaultParser, _secureProcessing); reader = JdkXmlUtils.getXMLReader(_xmlSecurityManager, m_overrideDefaultParser,
_secureProcessing, _useCatalog, _catalogFeatures);
// Cache the XMLReader if this is the first time we've created // Cache the XMLReader if this is the first time we've created
// a reader for this thread. // a reader for this thread.
@ -141,42 +144,6 @@ public class XMLReaderManager {
JdkXmlUtils.setXMLReaderPropertyIfSupport(reader, JdkConstants.CDATA_CHUNK_SIZE, JdkXmlUtils.setXMLReaderPropertyIfSupport(reader, JdkConstants.CDATA_CHUNK_SIZE,
_cdataChunkSize, false); _cdataChunkSize, false);
String lastProperty = "";
try {
if (_xmlSecurityManager != null) {
for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
if (limit.isSupported(XMLSecurityManager.Processor.PARSER)) {
lastProperty = limit.apiProperty();
reader.setProperty(lastProperty,
_xmlSecurityManager.getLimitValueAsString(limit));
}
}
if (_xmlSecurityManager.printEntityCountInfo()) {
lastProperty = JdkConstants.JDK_DEBUG_LIMIT;
reader.setProperty(lastProperty, JdkConstants.JDK_YES);
}
}
} catch (SAXException se) {
XMLSecurityManager.printWarning(reader.getClass().getName(), lastProperty, se);
}
boolean supportCatalog = true;
try {
reader.setFeature(JdkXmlUtils.USE_CATALOG, _useCatalog);
}
catch (SAXNotRecognizedException | SAXNotSupportedException e) {
supportCatalog = false;
}
if (supportCatalog && _useCatalog && _catalogFeatures != null) {
try {
for (CatalogFeatures.Feature f : CatalogFeatures.Feature.values()) {
reader.setProperty(f.getPropertyName(), _catalogFeatures.get(f));
}
} catch (SAXNotRecognizedException e) {
//shall not happen for internal settings
}
}
return reader; return reader;
} }
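Review bot: The warning that the removed `XMLSecurityManager.printWarning` call gave when a reader rejected a limit property can no longer be seen at this call site. Limits and catalog settings now go through `JdkXmlUtils.setReaderProperty` for a cached reader and through the five-argument `JdkXmlUtils.getXMLReader` for a new one, and neither body is visible in this section. A reader selected via `m_overrideDefaultParser` that does not recognise the limit properties would parse without those bounds, so the failure handling should be stated where the settings are handed over. Once the helper's behaviour is confirmed, I would add a comment above both calls such as `// limits and catalog settings are applied in JdkXmlUtils; unsupported properties are reported there`. The enclosing method starts before the first hunk shown.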


@ -287,7 +287,17 @@ public final class JdkConstants {
* System Property for the Configuration File * System Property for the Configuration File
* @since 21 * @since 21
*/ */
public static final String CONFIG_FILE = "java.xml.config.file"; public static final String CONFIG_FILE_PROPNAME = "java.xml.config.file";
/**
* System Property for the DTD property
*/
public static final String DTD_PROPNAME = "jdk.xml.dtd.support";
// DTD property values
public static final int ALLOW = 0;
public static final int IGNORE = 1;
public static final int DENY = 2;
/** /**
* Values for a feature * Values for a feature
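Review bot: The new `ALLOW`, `IGNORE` and `DENY` ints have no Javadoc and nothing in their names ties them to `jdk.xml.dtd.support`, which is easy to misread in a constants class shared across processors. The `DTD_PROPNAME` comment also lacks the `@since` tag that `CONFIG_FILE_PROPNAME` just above carries, and does not say that the default is `ALLOW`, i.e. DTD processing stays enabled unless the property is set. I would document the group with something like `// Values of jdk.xml.dtd.support: ALLOW (0, the default) processes DTDs, IGNORE (1) skips them, DENY (2) rejects them`. `DTD_MAP` in `XMLSecurityManager` hard-codes the same 0/1/2 and could reference these constants, so the two cannot drift apart.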


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2016, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -50,6 +50,9 @@ import org.xml.sax.XMLReader;
* Constants for use across JAXP processors. * Constants for use across JAXP processors.
*/ */
public class JdkXmlUtils { public class JdkXmlUtils {
public static final boolean IS_WINDOWS = SecuritySupport.getSystemProperty("os.name").contains("Windows");
public static final String JAVA_HOME = SecuritySupport.getSystemProperty("java.home");
private static final String DOM_FACTORY_ID = "javax.xml.parsers.DocumentBuilderFactory"; private static final String DOM_FACTORY_ID = "javax.xml.parsers.DocumentBuilderFactory";
private static final String SAX_FACTORY_ID = "javax.xml.parsers.SAXParserFactory"; private static final String SAX_FACTORY_ID = "javax.xml.parsers.SAXParserFactory";
private static final String SAX_DRIVER = "org.xml.sax.driver"; private static final String SAX_DRIVER = "org.xml.sax.driver";
@ -61,7 +64,9 @@ public class JdkXmlUtils {
Constants.SAX_FEATURE_PREFIX + Constants.NAMESPACES_FEATURE; Constants.SAX_FEATURE_PREFIX + Constants.NAMESPACES_FEATURE;
public static final String NAMESPACE_PREFIXES_FEATURE = public static final String NAMESPACE_PREFIXES_FEATURE =
Constants.SAX_FEATURE_PREFIX + Constants.NAMESPACE_PREFIXES_FEATURE; Constants.SAX_FEATURE_PREFIX + Constants.NAMESPACE_PREFIXES_FEATURE;
/** Property identifier: security manager. */
private static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
/** /**
* Catalog features * Catalog features
@ -73,7 +78,10 @@ public class JdkXmlUtils {
public final static String CATALOG_PREFER = CatalogFeatures.Feature.PREFER.getPropertyName(); public final static String CATALOG_PREFER = CatalogFeatures.Feature.PREFER.getPropertyName();
public final static String CATALOG_RESOLVE = CatalogFeatures.Feature.RESOLVE.getPropertyName(); public final static String CATALOG_RESOLVE = CatalogFeatures.Feature.RESOLVE.getPropertyName();
//values for the Resolve property
public static final String RESOLVE_STRICT = "strict";
public static final String RESOLVE_CONTINUE = "continue";
public static final String RESOLVE_IGNORE = "ignore";
/** /**
* Default value of USE_CATALOG. This will read the System property * Default value of USE_CATALOG. This will read the System property
@ -162,21 +170,30 @@ public class JdkXmlUtils {
CatalogFeatures.Builder builder = CatalogFeatures.builder(); CatalogFeatures.Builder builder = CatalogFeatures.builder();
if (file != null) { if (file != null) {
builder = builder.with(CatalogFeatures.Feature.FILES, file); builder = builder.with(Feature.FILES, file);
} }
if (prefer != null) { if (prefer != null) {
builder = builder.with(CatalogFeatures.Feature.PREFER, prefer); builder = builder.with(Feature.PREFER, prefer);
} }
if (defer != null) { if (defer != null) {
builder = builder.with(CatalogFeatures.Feature.DEFER, defer); builder = builder.with(Feature.DEFER, defer);
} }
if (resolve != null) { if (resolve != null) {
builder = builder.with(CatalogFeatures.Feature.RESOLVE, resolve); builder = builder.with(Feature.RESOLVE, resolve);
} }
return builder.build(); return builder.build();
} }
/**
* Checks whether the RESOLVE feature in the CatalogFeatures is continue.
* @param cf the specified CatalogFeatures
* @return true if the RESOLVE feature is
*/
public static boolean isResolveContinue(CatalogFeatures cf) {
return (cf == null || cf.get(Feature.RESOLVE).equals(RESOLVE_CONTINUE));
}
/** /**
* Passing on the CatalogFeatures settings from one Xerces configuration * Passing on the CatalogFeatures settings from one Xerces configuration
* object to another. * object to another.
@ -237,17 +254,22 @@ public class JdkXmlUtils {
* SAXParserFactory or XMLReaderFactory, otherwise use the system-default * SAXParserFactory or XMLReaderFactory, otherwise use the system-default
* SAXParserFactory to locate an XMLReader. * SAXParserFactory to locate an XMLReader.
* *
* Note: parameter useXMLReaderFactory was removed. The method instead checks
* the SAX_DRIVER property for whether the XMLReader should be created using
* XMLReaderFactory for compatibility. (see JDK-6490921).
*
* @param sm the XMLSecurityManager
* @param overrideDefaultParser a flag indicating whether a 3rd party's * @param overrideDefaultParser a flag indicating whether a 3rd party's
* parser implementation may be used to override the system-default one * parser implementation may be used to override the system-default one
* @param secureProcessing a flag indicating whether secure processing is * @param secureProcessing a flag indicating whether secure processing is
* requested * requested
* @param useXMLReaderFactory a flag indicating when the XMLReader should be * @param useCatalog a flag indicating whether Catalog is enabled
* created using XMLReaderFactory. True is a compatibility mode that honors * @param catalogFeatures the CatalogFeatures
* the property org.xml.sax.driver (see JDK-6490921).
* @return an XMLReader instance * @return an XMLReader instance
*/ */
public static XMLReader getXMLReader(boolean overrideDefaultParser, public static XMLReader getXMLReader(XMLSecurityManager sm,
boolean secureProcessing) { boolean overrideDefaultParser, boolean secureProcessing,
boolean useCatalog, CatalogFeatures catalogFeatures) {
SAXParserFactory saxFactory; SAXParserFactory saxFactory;
XMLReader reader = null; XMLReader reader = null;
String spSAXDriver = SecuritySupport.getSystemProperty(SAX_DRIVER); String spSAXDriver = SecuritySupport.getSystemProperty(SAX_DRIVER);
@ -272,20 +294,63 @@ public class JdkXmlUtils {
} catch (SAXException se) { } catch (SAXException se) {
// older version of a parser // older version of a parser
} }
return reader; } else {
} // use the system-default
saxFactory = defaultSAXFactory;
// use the system-default try {
saxFactory = defaultSAXFactory;
try {
reader = saxFactory.newSAXParser().getXMLReader(); reader = saxFactory.newSAXParser().getXMLReader();
} catch (ParserConfigurationException | SAXException ex) { } catch (ParserConfigurationException | SAXException ex) {
// shall not happen with the system-default reader // shall not happen with the system-default reader
}
} }
setReaderProperty(reader, sm, useCatalog, catalogFeatures);
return reader; return reader;
} }
/**
* Sets properties on the reader, including XMLSecurityManager and Catalog
* features.
*
* @param reader the XMLReader
* @param sm the XMLSecurityManager
* @param useCatalog the USE_CATALOG property
* @param catalogFeatures the Catalog features
*/
public static void setReaderProperty(XMLReader reader, XMLSecurityManager sm,
boolean useCatalog, CatalogFeatures catalogFeatures) {
if (reader != null) {
try {
reader.setProperty(SECURITY_MANAGER, sm);
} catch (SAXException ex) {
// internal setting, shouldn't happen
}
boolean supportCatalog = true;
try {
reader.setFeature(JdkXmlUtils.USE_CATALOG, useCatalog);
}
catch (SAXException e) {
supportCatalog = false;
}
if (catalogFeatures != null) {
CatalogFeatures cf = catalogFeatures;
if (supportCatalog && useCatalog) {
try {
for (CatalogFeatures.Feature f : CatalogFeatures.Feature.values()) {
reader.setProperty(f.getPropertyName(), cf.get(f));
}
} catch (SAXException e) {
//shall not happen for internal settings
}
}
}
}
}
/** /**
* Creates a system-default DOM Document. * Creates a system-default DOM Document.
* *
@ -353,10 +418,29 @@ public class JdkXmlUtils {
return factory; return factory;
} }
public static SAXTransformerFactory getSAXTransformFactory(boolean overrideDefaultParser) { /**
* Returns an instance of SAXTransformerFactory with the current XMLSecurityManager
* and the setting of the OVERRIDE_PARSER property.
* @param sm the XMLSecurityManager
* @param overrideDefaultParser the setting of the OVERRIDE_PARSER property
* @return an instance of SAXTransformerFactory
*/
public static SAXTransformerFactory getSAXTransformFactory(XMLSecurityManager sm,
boolean overrideDefaultParser) {
SAXTransformerFactory tf = overrideDefaultParser SAXTransformerFactory tf = overrideDefaultParser
? (SAXTransformerFactory) SAXTransformerFactory.newInstance() ? (SAXTransformerFactory) SAXTransformerFactory.newInstance()
: (SAXTransformerFactory) new TransformerFactoryImpl(); : (SAXTransformerFactory) new TransformerFactoryImpl();
if (sm != null) {
for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
if (sm.isSet(limit)){
tf.setAttribute(limit.apiProperty(), sm.getLimitValueAsString(limit));
}
}
if (sm.printEntityCountInfo()) {
tf.setAttribute(JdkConstants.JDK_DEBUG_LIMIT, "yes");
}
}
try { try {
tf.setFeature(OVERRIDE_PARSER, overrideDefaultParser); tf.setFeature(OVERRIDE_PARSER, overrideDefaultParser);
} catch (TransformerConfigurationException ex) { } catch (TransformerConfigurationException ex) {
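Review bot: In `setReaderProperty`, a failure of `reader.setProperty(SECURITY_MANAGER, sm)` is swallowed with the comment "internal setting, shouldn't happen", but `getXMLReader` can pass in a third-party reader when `overrideDefaultParser` is true, and such a reader may not recognise the Xerces security-manager property. In that case the processing limits and the DTD setting would be left unapplied without any signal, whereas the block this commit removes from `XMLReaderManager` reported such failures through `XMLSecurityManager.printWarning`. I would keep a warning in the catch, e.g. `XMLSecurityManager.printWarning(reader.getClass().getName(), SECURITY_MANAGER, ex);`, assuming that helper is available on the class imported here. The property is also set when `sm` is null, which the removed code guarded with `if (_xmlSecurityManager != null)`; a null check or a note on why null is acceptable would help.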


@ -212,7 +212,7 @@ public class SecuritySupport {
} }
// load the custom configure on top of the default if any // load the custom configure on top of the default if any
String configFile = SecuritySupport.getSystemProperty(JdkConstants.CONFIG_FILE); String configFile = SecuritySupport.getSystemProperty(JdkConstants.CONFIG_FILE_PROPNAME);
if (configFile != null) { if (configFile != null) {
loadProperties(configFile); loadProperties(configFile);
} }


@ -26,7 +26,13 @@ package jdk.xml.internal;
import com.sun.org.apache.xerces.internal.util.SecurityManager; import com.sun.org.apache.xerces.internal.util.SecurityManager;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.CopyOnWriteArrayList; import java.util.concurrent.CopyOnWriteArrayList;
import java.util.stream.Collectors;
import javax.xml.stream.XMLInputFactory;
import jdk.xml.internal.JdkProperty.State; import jdk.xml.internal.JdkProperty.State;
import jdk.xml.internal.JdkProperty.ImplPropMap; import jdk.xml.internal.JdkProperty.ImplPropMap;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
@ -37,52 +43,93 @@ import org.xml.sax.SAXException;
*/ */
public final class XMLSecurityManager { public final class XMLSecurityManager {
public static final String DTD_KEY = JdkConstants.DTD_PROPNAME;
// Xerces Feature
public static final String DISALLOW_DTD = "http://apache.org/xml/features/disallow-doctype-decl";
public static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
// StAX feature
public static final String ZEPHYR_PROPERTY_PREFIX = "http://java.sun.com/xml/stream/properties/" ;
public static final String IGNORE_EXTERNAL_DTD = ZEPHYR_PROPERTY_PREFIX + "ignore-external-dtd";
// Valid values for the DTD property
public static final String DTD_ALLOW = "allow";
public static final String DTD_IGNORE = "ignore";
public static final String DTD_DENY = "deny";
static final Map<String, Integer> DTD_MAP;
// Source Level JDK 8
static {
Map<String, Integer> map = new HashMap<>();
map.put(DTD_ALLOW, 0);
map.put(DTD_IGNORE, 1);
map.put(DTD_DENY, 2);
DTD_MAP = Collections.unmodifiableMap(map);
}
// Value converter for properties of type Boolean
private static final BooleanMapper BOOLMAPPER = new BooleanMapper();
// Value converter for properties of type Integer
private static final IntegerMapper INTMAPPER = new IntegerMapper();
// DTD value map
private static final StringMapper DTDMAPPER = new StringMapper(DTD_MAP);
/** /**
* Limits managed by the security manager * Limits managed by the security manager
*/ */
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
public static enum Limit { public static enum Limit {
ENTITY_EXPANSION_LIMIT("EntityExpansionLimit", JdkConstants.JDK_ENTITY_EXPANSION_LIMIT, ENTITY_EXPANSION_LIMIT("EntityExpansionLimit", JdkConstants.JDK_ENTITY_EXPANSION_LIMIT,
JdkConstants.SP_ENTITY_EXPANSION_LIMIT, 0, 64000, Processor.PARSER), JdkConstants.SP_ENTITY_EXPANSION_LIMIT, JdkConstants.ENTITY_EXPANSION_LIMIT, 0, 64000, Processor.PARSER, INTMAPPER),
MAX_OCCUR_NODE_LIMIT("MaxOccurLimit", JdkConstants.JDK_MAX_OCCUR_LIMIT, MAX_OCCUR_NODE_LIMIT("MaxOccurLimit", JdkConstants.JDK_MAX_OCCUR_LIMIT,
JdkConstants.SP_MAX_OCCUR_LIMIT, 0, 5000, Processor.PARSER), JdkConstants.SP_MAX_OCCUR_LIMIT, JdkConstants.MAX_OCCUR_LIMIT, 0, 5000, Processor.PARSER, INTMAPPER),
ELEMENT_ATTRIBUTE_LIMIT("ElementAttributeLimit", JdkConstants.JDK_ELEMENT_ATTRIBUTE_LIMIT, ELEMENT_ATTRIBUTE_LIMIT("ElementAttributeLimit", JdkConstants.JDK_ELEMENT_ATTRIBUTE_LIMIT,
JdkConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000, Processor.PARSER), JdkConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, JdkConstants.ELEMENT_ATTRIBUTE_LIMIT, 0, 10000, Processor.PARSER, INTMAPPER),
TOTAL_ENTITY_SIZE_LIMIT("TotalEntitySizeLimit", JdkConstants.JDK_TOTAL_ENTITY_SIZE_LIMIT, TOTAL_ENTITY_SIZE_LIMIT("TotalEntitySizeLimit", JdkConstants.JDK_TOTAL_ENTITY_SIZE_LIMIT,
JdkConstants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000, Processor.PARSER), JdkConstants.SP_TOTAL_ENTITY_SIZE_LIMIT, null, 0, 50000000, Processor.PARSER, INTMAPPER),
GENERAL_ENTITY_SIZE_LIMIT("MaxEntitySizeLimit", JdkConstants.JDK_GENERAL_ENTITY_SIZE_LIMIT, GENERAL_ENTITY_SIZE_LIMIT("MaxEntitySizeLimit", JdkConstants.JDK_GENERAL_ENTITY_SIZE_LIMIT,
JdkConstants.SP_GENERAL_ENTITY_SIZE_LIMIT, 0, 0, Processor.PARSER), JdkConstants.SP_GENERAL_ENTITY_SIZE_LIMIT, null, 0, 0, Processor.PARSER, INTMAPPER),
PARAMETER_ENTITY_SIZE_LIMIT("MaxEntitySizeLimit", JdkConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, PARAMETER_ENTITY_SIZE_LIMIT("MaxEntitySizeLimit", JdkConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT,
JdkConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000, Processor.PARSER), JdkConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, null, 0, 1000000, Processor.PARSER, INTMAPPER),
MAX_ELEMENT_DEPTH_LIMIT("MaxElementDepthLimit", JdkConstants.JDK_MAX_ELEMENT_DEPTH, MAX_ELEMENT_DEPTH_LIMIT("MaxElementDepthLimit", JdkConstants.JDK_MAX_ELEMENT_DEPTH,
JdkConstants.SP_MAX_ELEMENT_DEPTH, 0, 0, Processor.PARSER), JdkConstants.SP_MAX_ELEMENT_DEPTH, null, 0, 0, Processor.PARSER, INTMAPPER),
MAX_NAME_LIMIT("MaxXMLNameLimit", JdkConstants.JDK_XML_NAME_LIMIT, MAX_NAME_LIMIT("MaxXMLNameLimit", JdkConstants.JDK_XML_NAME_LIMIT,
JdkConstants.SP_XML_NAME_LIMIT, 1000, 1000, Processor.PARSER), JdkConstants.SP_XML_NAME_LIMIT, null, 1000, 1000, Processor.PARSER, INTMAPPER),
ENTITY_REPLACEMENT_LIMIT("EntityReplacementLimit", JdkConstants.JDK_ENTITY_REPLACEMENT_LIMIT, ENTITY_REPLACEMENT_LIMIT("EntityReplacementLimit", JdkConstants.JDK_ENTITY_REPLACEMENT_LIMIT,
JdkConstants.SP_ENTITY_REPLACEMENT_LIMIT, 0, 3000000, Processor.PARSER), JdkConstants.SP_ENTITY_REPLACEMENT_LIMIT, null, 0, 3000000, Processor.PARSER, INTMAPPER),
XPATH_GROUP_LIMIT("XPathGroupLimit", JdkConstants.XPATH_GROUP_LIMIT, XPATH_GROUP_LIMIT("XPathGroupLimit", JdkConstants.XPATH_GROUP_LIMIT,
JdkConstants.XPATH_GROUP_LIMIT, 10, 10, Processor.XPATH), JdkConstants.XPATH_GROUP_LIMIT, null, 10, 10, Processor.XPATH, INTMAPPER),
XPATH_OP_LIMIT("XPathExprOpLimit", JdkConstants.XPATH_OP_LIMIT, XPATH_OP_LIMIT("XPathExprOpLimit", JdkConstants.XPATH_OP_LIMIT,
JdkConstants.XPATH_OP_LIMIT, 100, 100, Processor.XPATH), JdkConstants.XPATH_OP_LIMIT, null, 100, 100, Processor.XPATH, INTMAPPER),
XPATH_TOTALOP_LIMIT("XPathTotalOpLimit", JdkConstants.XPATH_TOTALOP_LIMIT, XPATH_TOTALOP_LIMIT("XPathTotalOpLimit", JdkConstants.XPATH_TOTALOP_LIMIT,
JdkConstants.XPATH_TOTALOP_LIMIT, 10000, 10000, Processor.XPATH) JdkConstants.XPATH_TOTALOP_LIMIT, null, 10000, 10000, Processor.XPATH, INTMAPPER),
DTD("DTDProperty", JdkConstants.DTD_PROPNAME, JdkConstants.DTD_PROPNAME, null,
JdkConstants.ALLOW, JdkConstants.ALLOW, Processor.PARSER, DTDMAPPER),
XERCES_DISALLOW_DTD("disallowDTD", DISALLOW_DTD, null, null, 0, 0, Processor.PARSER, BOOLMAPPER),
STAX_SUPPORT_DTD("supportDTD", XMLInputFactory.SUPPORT_DTD, null, null, 1, 1, Processor.PARSER, BOOLMAPPER),
; ;
final String key; final String key;
final String apiProperty; final String apiProperty;
final String systemProperty; final String systemProperty;
final String spOld;
final int defaultValue; final int defaultValue;
final int secureValue; final int secureValue;
final Processor processor; final Processor processor;
final ValueMapper mapper;
Limit(String key, String apiProperty, String systemProperty, int value, Limit(String key, String apiProperty, String systemProperty, String spOld, int value,
int secureValue, Processor processor) { int secureValue, Processor processor, ValueMapper mapper) {
this.key = key; this.key = key;
this.apiProperty = apiProperty; this.apiProperty = apiProperty;
this.systemProperty = systemProperty; this.systemProperty = systemProperty;
this.spOld = spOld;
this.defaultValue = value; this.defaultValue = value;
this.secureValue = secureValue; this.secureValue = secureValue;
this.processor = processor; this.processor = processor;
this.mapper = mapper;
} }
/** /**
@ -129,6 +176,11 @@ public final class XMLSecurityManager {
return systemProperty; return systemProperty;
} }
// returns legacy System Property
public String spOld() {
return spOld;
}
public int defaultValue() { public int defaultValue() {
return defaultValue; return defaultValue;
} }
@ -140,29 +192,9 @@ public final class XMLSecurityManager {
int secureValue() { int secureValue() {
return secureValue; return secureValue;
} }
}
/** public ValueMapper mapper() {
* Map old property names with the new ones return mapper;
*/
public static enum NameMap {
ENTITY_EXPANSION_LIMIT(JdkConstants.SP_ENTITY_EXPANSION_LIMIT, JdkConstants.ENTITY_EXPANSION_LIMIT),
MAX_OCCUR_NODE_LIMIT(JdkConstants.SP_MAX_OCCUR_LIMIT, JdkConstants.MAX_OCCUR_LIMIT),
ELEMENT_ATTRIBUTE_LIMIT(JdkConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, JdkConstants.ELEMENT_ATTRIBUTE_LIMIT);
final String newName;
final String oldName;
NameMap(String newName, String oldName) {
this.newName = newName;
this.oldName = oldName;
}
String getOldName(String newName) {
if (newName.equals(this.newName)) {
return oldName;
}
return null;
} }
} }
@ -170,6 +202,7 @@ public final class XMLSecurityManager {
* Supported processors * Supported processors
*/ */
public static enum Processor { public static enum Processor {
ANY,
PARSER, PARSER,
XPATH, XPATH,
} }
@ -230,7 +263,8 @@ public final class XMLSecurityManager {
states[limit.ordinal()] = State.DEFAULT; states[limit.ordinal()] = State.DEFAULT;
} }
} }
//read system properties or jaxp.properties
//read system properties or the config file (jaxp.properties by default)
readSystemProperties(); readSystemProperties();
} }
@ -284,13 +318,20 @@ public final class XMLSecurityManager {
* if otherwise. * if otherwise.
*/ */
public boolean setLimit(String propertyName, State state, Object value) { public boolean setLimit(String propertyName, State state, Object value) {
int index = getIndex(propertyName); // special property to return entity count info
if (index > -1) { if (ImplPropMap.ENTITYCOUNT.is(propertyName)) {
printEntityCountInfo = (String)value;
return true;
}
Limit limit = getEnumValue(propertyName);
if (limit != null) {
State pState = state; State pState = state;
if (index != indexEntityCountInfo && state == State.APIPROPERTY) { if (state == State.APIPROPERTY) {
pState = (Limit.values()[index]).getState(propertyName); // ordinal is the index of the value array
pState = (Limit.values()[limit.ordinal()]).getState(propertyName);
} }
setLimit(index, pState, value); setLimit(limit, pState, value);
return true; return true;
} }
return false; return false;
@ -308,27 +349,19 @@ public final class XMLSecurityManager {
} }
/** /**
* Set the value of a property by its index * Sets the value of a property by its enum name
* *
* @param index the index of the property * @param limit the limit
* @param state the state of the property * @param state the state of the property
* @param value the value of the property * @param value the value of the property
*/ */
public void setLimit(int index, State state, Object value) { public void setLimit(Limit limit, State state, Object value) {
if (index == indexEntityCountInfo) { int intValue = limit.mapper().toInt(value);
printEntityCountInfo = (String)value; if (intValue < 0) {
} else { intValue = 0;
int temp;
if (value instanceof Integer) {
temp = (Integer)value;
} else {
temp = Integer.parseInt((String) value);
if (temp < 0) {
temp = 0;
}
}
setLimit(index, state, temp);
} }
setLimit(limit.ordinal(), state, intValue);
} }
/** /**
@ -384,7 +417,7 @@ public final class XMLSecurityManager {
* @return value of a property * @return value of a property
*/ */
public String getLimitValueAsString(Limit limit) { public String getLimitValueAsString(Limit limit) {
return Integer.toString(values[limit.ordinal()]); return limit.mapper().toString(values[limit.ordinal()]);
} }
/** /**
@ -398,7 +431,8 @@ public final class XMLSecurityManager {
return printEntityCountInfo; return printEntityCountInfo;
} }
return Integer.toString(values[index]); Limit limit = Limit.values()[index];
return limit.mapper().toString(values[index]);
} }
/** /**
@ -421,6 +455,22 @@ public final class XMLSecurityManager {
return states[limit.ordinal()].literal(); return states[limit.ordinal()].literal();
} }
/**
* Returns the enum value by its property name.
*
* @param propertyName property name
* @return the enum value if found; null otherwise
*/
public Limit getEnumValue(String propertyName) {
for (Limit limit : Limit.values()) {
if (limit.is(propertyName)) {
return limit;
}
}
return null;
}
/** /**
* Get the index by property name * Get the index by property name
* *
@ -523,11 +573,35 @@ public final class XMLSecurityManager {
/** /**
* Indicate if a property is set explicitly * Indicate if a property is set explicitly
* @param index * @param limit the limit
* @return * @return true if the limit is set, false otherwise
*/ */
public boolean isSet(int index) { public boolean isSet(Limit limit) {
return isSet[index]; return isSet[limit.ordinal()];
}
/**
* Checks whether the specified {@link Limit} is set and the value is
* as specified.
*
* @param limit the {@link Limit}
* @param value the value
* @return true if the {@code Limit} is set and the values match
*/
public boolean is(Limit limit, int value) {
return getLimit(limit) == value;
}
/**
* Checks whether the specified {@link Limit} is set and the value is
* 1 (true for a property of boolean type).
*
* @param limit the {@link Limit}
*
* @return true if the {@code Limit} is set and the value is 1
*/
public boolean is(Limit limit) {
return getLimit(limit) == 1;
} }
public boolean printEntityCountInfo() { public boolean printEntityCountInfo() {
@ -537,13 +611,18 @@ public final class XMLSecurityManager {
/** /**
* Read system properties, or the configuration file * Read system properties, or the configuration file
*/ */
private void readSystemProperties() { public void readSystemProperties() {
for (Limit limit : Limit.values()) { for (Limit limit : Limit.values()) {
// attempts to read both the current and old system propery if (State.SYSTEMPROPERTY.compareTo(states[limit.ordinal()]) >= 0 &&
if (!getSystemProperty(limit, limit.systemProperty()) limit.systemProperty() != null) {
&& (!getOldSystemProperty(limit))) { // attempts to read both the current and old system propery
//if system property is not found, try the config file if (!getSystemProperty(limit, limit.systemProperty())
getPropertyConfig(limit, limit.systemProperty()); && (!getSystemProperty(limit, limit.spOld()))) {
//if system property is not found, try the config file
if (State.JAXPDOTPROPERTIES.compareTo(states[limit.ordinal()]) >= 0) {
getPropertyConfig(limit, limit.systemProperty());
}
}
} }
} }
} }
@ -572,11 +651,12 @@ public final class XMLSecurityManager {
* @param sysPropertyName the name of system property * @param sysPropertyName the name of system property
*/ */
private boolean getSystemProperty(Limit limit, String sysPropertyName) { private boolean getSystemProperty(Limit limit, String sysPropertyName) {
if (sysPropertyName == null) return false;
try { try {
String value = SecuritySupport.getSystemProperty(sysPropertyName); String value = SecuritySupport.getSystemProperty(sysPropertyName);
if (value != null && !value.equals("")) { if (value != null && !value.equals("")) {
values[limit.ordinal()] = Integer.parseInt(value); setLimit(limit, State.SYSTEMPROPERTY, value);
states[limit.ordinal()] = State.SYSTEMPROPERTY;
return true; return true;
} }
} catch (NumberFormatException e) { } catch (NumberFormatException e) {
@ -586,25 +666,6 @@ public final class XMLSecurityManager {
return false; return false;
} }
/**
* Reads the legacy system property.
* @param limit a limit object
* @return true if found, false otherwise
*/
private boolean getOldSystemProperty(Limit limit) {
boolean found = false;
for (NameMap nameMap : NameMap.values()) {
String oldName = nameMap.getOldName(limit.systemProperty());
if (oldName != null) {
if (getSystemProperty(limit, oldName)) {
found = true;
break;
}
}
}
return found;
}
/** /**
* Reads a property from a configuration file, if any. * Reads a property from a configuration file, if any.
* *
@ -616,8 +677,7 @@ public final class XMLSecurityManager {
try { try {
String value = SecuritySupport.readConfig(sysPropertyName); String value = SecuritySupport.readConfig(sysPropertyName);
if (value != null && !value.equals("")) { if (value != null && !value.equals("")) {
values[limit.ordinal()] = Integer.parseInt(value); setLimit(limit, State.JAXPDOTPROPERTIES, value);
states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
return true; return true;
} }
} catch (NumberFormatException e) { } catch (NumberFormatException e) {
@ -658,4 +718,161 @@ public final class XMLSecurityManager {
return securityManager; return securityManager;
} }
} }
/**
* Represents a mapper for properties of type String. The input is expected
* to be a String or Object. If there is a map, the mappings are between the
* keys and values within the map.
*/
public static class StringMapper extends ValueMapper {
private final Map<String, Integer> map;
private final Map<Integer, String> reverseMap;
public StringMapper(Map<String, Integer> map) {
this.map = map;
if (map != null) {
reverseMap = map.entrySet().stream()
.collect(Collectors.toMap(Map.Entry::getValue, Map.Entry::getKey));
} else {
reverseMap = null;
}
}
/**
* Finds the mapping int value with the specified property value. This
* method will try to convert the provided value to an integer if no
* mapping is found.
* @param value the property value
* @return the mapping int value if found, null otherwise
*/
@Override
public int toInt(Object value) {
Objects.requireNonNull(value);
Integer iVal;
if (map != null) {
iVal = map.get(((String)value).toLowerCase());
iVal = (iVal == null) ? 0 : iVal;
} else {
try {
iVal = (int)Double.parseDouble((String)value);
} catch (NumberFormatException e) {
// Note: this is the currently expected behavior. It may be
// appropriate for the setter to catch it.
throw new NumberFormatException("Invalid setting " + value
+ " for a property of Integer type.");
}
}
return iVal;
}
@Override
public String toObject(int value) {
if (reverseMap != null) {
return reverseMap.get(value);
}
return Integer.toString(value);
}
@Override
public String toString(int value) {
return toObject(value);
}
}
/**
* Represents a mapper for properties of type Integer. The input is expected
* to be either an Integer or String.
*/
public static class IntegerMapper extends ValueMapper {
@Override
public int toInt(Object value) {
Objects.requireNonNull(value);
Integer iVal;
if (value instanceof Integer) {
iVal = (Integer)value;
} else {
try {
iVal = Integer.parseInt((String)value);
} catch (NumberFormatException e) {
// Note: this is the currently expected behavior. It may be
// appropriate for the setter to catch it.
throw new NumberFormatException("Invalid setting " + value
+ " for a property of Integer type.");
}
}
return iVal;
}
@Override
public Integer toObject(int value) {
return value;
}
@Override
public String toString(int value) {
return Integer.toString(value);
}
}
/**
* Represents a mapper for properties of type Boolean. The input is expected
* to be either a Boolean or String.
*/
public static class BooleanMapper extends ValueMapper {
@Override
public int toInt(Object value) {
Objects.requireNonNull(value);
Boolean bVal;
if (value instanceof Boolean) {
bVal = (Boolean)value;
} else {
bVal = ((String)value).equalsIgnoreCase("true");
}
return bVal ? 1 : 0;
}
@Override
public Boolean toObject(int value) {
return value != 0;
}
@Override
public String toString(int value) {
return Boolean.toString(value != 0);
}
}
/**
* Represents a mapper of property values between int and other types, such as
* Boolean, String, and Object.
*/
public static abstract class ValueMapper {
// converts to an int value from that of the specified type
public abstract int toInt(Object value);
// converts the int value back to the original type
public abstract Object toObject(int value);
// converts the int value of a property to a String representation
public abstract String toString(int value);
}
/**
* Represents a mapper of property values between int and other types, such as
* Boolean, String, and Object.
*
* @param <T> the value type to be mapped with an int value
*/
public abstract class ValueMapper1<T> {
// converts to an int value from that of the specified type
public abstract int toInt(T value);
// converts the int value back to the original type
public abstract T toObject(int value);
// converts the int value of a property to a String representation
public abstract String toString(int value);
}
} }
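Review bot: `StringMapper.toInt` maps any value it does not find in the map to 0, which for the DTD property means `allow`, so a misspelt `jdk.xml.dtd.support` setting silently leaves DTD processing enabled instead of being rejected. The lookup also calls `toLowerCase()` with the default locale; under a Turkish locale `"IGNORE"` does not lower-case to `"ignore"` and would hit the same fallback, although the property documentation says values are case-insensitive. I would change the lookup to `iVal = map.get(((String)value).toLowerCase(Locale.ROOT));` and replace the 0 fallback with `if (iVal == null) throw new NumberFormatException("Invalid setting " + value);` (needs `import java.util.Locale;`), after checking how the callers' `catch (NumberFormatException e)` blocks, whose bodies lie outside the hunks, handle it. The method's Javadoc says "null otherwise" although it returns an `int`, which should be corrected at the same time.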


@ -752,7 +752,7 @@
* <td id="ExtFunc">{@systemProperty jdk.xml.enableExtensionFunctions}</td> * <td id="ExtFunc">{@systemProperty jdk.xml.enableExtensionFunctions}</td>
* <td>Determines if XSLT and XPath extension functions are to be allowed. * <td>Determines if XSLT and XPath extension functions are to be allowed.
* </td> * </td>
* <td style="text-align:center" rowspan="3">yes</td> * <td style="text-align:center" rowspan="4">yes</td>
* <td style="text-align:center" rowspan="3">Boolean</td> * <td style="text-align:center" rowspan="3">Boolean</td>
* <td> * <td>
* true or false. True indicates that extension functions are allowed; False otherwise. * true or false. True indicates that extension functions are allowed; False otherwise.
@ -808,6 +808,40 @@
* <td style="text-align:center"><a href="#Processor">Method 2</a></td> * <td style="text-align:center"><a href="#Processor">Method 2</a></td>
* <td style="text-align:center">9</td> * <td style="text-align:center">9</td>
* </tr> * </tr>
* <tr>
* <td id="DTD">{@systemProperty jdk.xml.dtd.support}<a href="#Note7">[7]</a></td>
* <td>Instructs the parser to handle DTDs in accordance with the setting of this property.
* The options are:
* <ul>
* <li><p>
* {@code allow} -- indicates that the parser shall continue processing DTDs;
* </li>
* <li><p>
* {@code ignore} -- indicates that the parser shall skip DTDs;
* </li>
* <li><p>
* {@code deny} -- indicates that the parser shall reject DTDs as an error.
* The parser shall report the error in accordance with its relevant specification.
* </li>
* </ul>
* </td>
* <td style="text-align:center">String</td>
* <td>
* {@code allow, ignore, and deny}. Values are case-insensitive.
* </td>
* <td style="text-align:center">allow</td>
* <td style="text-align:center">No</td>
* <td style="text-align:center">Yes</td>
* <td style="text-align:center">
* <a href="#DOM">DOM</a><br>
* <a href="#SAX">SAX</a><br>
* <a href="#StAX">StAX</a><br>
* <a href="#Validation">Validation</a><br>
* <a href="#Transform">Transform</a>
* </td>
* <td style="text-align:center"><a href="#Processor">Method 1</a></td>
* <td style="text-align:center">22</td>
* </tr>
* </tbody> * </tbody>
* </table> * </table>
* <p id="Note1"> * <p id="Note1">
@ -838,6 +872,19 @@
* are as shown in the table <a href="#Processor">Processors</a>. * are as shown in the table <a href="#Processor">Processors</a>.
* <p id="Note6"> * <p id="Note6">
* <b>[6]</b> Indicates the initial release the property is introduced. * <b>[6]</b> Indicates the initial release the property is introduced.
* <p id="Note7">
* <b>[7]</b> The {@code jdk.xml.dtd.support} property complements the two existing
* DTD-related properties, {@code disallow-doctype-decl}(fully qualified name:
* {@code http://apache.org/xml/features/disallow-doctype-decl}) and supportDTD
* ({@code javax.xml.stream.supportDTD}), by providing a uniformed support for the
* processors listed and a system property that can be used in the
* <a href="#Conf_CF">JAXP Configuration File</a>. When {@code disallow-doctype-decl} is
* set on the DOM or SAX factory, or supportDTD on StAX factory, the {@code jdk.xml.dtd.support}
* property will have no effect.
* <p>
* These three properties control whether DTDs as a whole shall be processed. When
* they are set to deny or ignore, other properties that regulate a part or an
* aspect of DTD shall have no effect.
* *
* <h3 id="IN_Legacy">Legacy Property Names (deprecated)</h3> * <h3 id="IN_Legacy">Legacy Property Names (deprecated)</h3>
* JDK releases prior to JDK 17 support the use of URI style prefix for properties. * JDK releases prior to JDK 17 support the use of URI style prefix for properties.


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2021, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -22,7 +22,6 @@
*/ */
package common; package common;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
import java.util.EnumSet; import java.util.EnumSet;
import java.util.Set; import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilderFactory;
@ -34,6 +33,11 @@ import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory; import javax.xml.validation.SchemaFactory;
import javax.xml.xpath.XPathFactory; import javax.xml.xpath.XPathFactory;
import jdk.xml.internal.JdkProperty.ImplPropMap; import jdk.xml.internal.JdkProperty.ImplPropMap;
import jdk.xml.internal.XMLSecurityManager.BooleanMapper;
import jdk.xml.internal.XMLSecurityManager.IntegerMapper;
import jdk.xml.internal.XMLSecurityManager.Limit;
import jdk.xml.internal.XMLSecurityManager.StringMapper;
import jdk.xml.internal.XMLSecurityManager.ValueMapper;
import org.testng.Assert; import org.testng.Assert;
import org.testng.annotations.Test; import org.testng.annotations.Test;
import org.w3c.dom.DOMConfiguration; import org.w3c.dom.DOMConfiguration;
@ -90,8 +94,21 @@ public class ImplPropertyTest {
Processor.StAX, Processor.VALIDATION, Processor.TRANSFORM); Processor.StAX, Processor.VALIDATION, Processor.TRANSFORM);
for (Limit limit : Limit.values()) { for (Limit limit : Limit.values()) {
Object value1 = null, value2 = null;
ValueMapper mapper = limit.mapper();
if (mapper instanceof StringMapper) {
value1 = mapper.toObject(0);
value2 = mapper.toObject(1);
} else if (mapper instanceof BooleanMapper) {
value1 = true;
value2 = false;
} else if (mapper instanceof IntegerMapper) {
value1 = 100;
value2 = 200;
}
for (Processor p : pLimit) { for (Processor p : pLimit) {
testProperties(p, limit.apiProperty(), 100, limit.systemProperty(), 200, true); testProperties(p, limit.apiProperty(), value1, limit.systemProperty(), value2,
(limit.systemProperty() != null && !limit.apiProperty().equals(limit.systemProperty())));
} }
} }
} }
@ -176,7 +193,6 @@ public class ImplPropertyTest {
private void testProperties(Processor processor, String name1, Object value1, private void testProperties(Processor processor, String name1, Object value1,
String name2, Object value2, boolean differ) String name2, Object value2, boolean differ)
throws Exception { throws Exception {
Object ret1 = null; Object ret1 = null;
Object ret2 = null; Object ret2 = null;
switch (processor) { switch (processor) {
@ -265,7 +281,14 @@ public class ImplPropertyTest {
} }
if ((value1 instanceof Integer) && ret1 instanceof String) { if ((value1 instanceof Integer) && ret1 instanceof String) {
ret1 = Integer.parseInt((String)ret1); ret1 = Integer.parseInt((String)ret1);
ret2 = Integer.parseInt((String)ret2); if (differ) {
ret2 = Integer.parseInt((String)ret2);
}
} else if ((value1 instanceof Boolean) && ret1 instanceof String) {
ret1 = Boolean.parseBoolean((String)ret1);
if (differ) {
ret2 = Boolean.parseBoolean((String)ret2);
}
} }
// name1 is set, expected return value: value1 (set with the old name) // name1 is set, expected return value: value1 (set with the old name)
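Review bot: In the `for (Limit limit : Limit.values())` loop the `instanceof` chain has no final `else`, so a limit whose mapper is none of `StringMapper`, `BooleanMapper` or `IntegerMapper` reaches `testProperties` with `value1` and `value2` both null. These are the `XMLSecurityManager` limits, so a limit added later with a new mapper kind would not be exercised with meaningful values, and any failure would be unrelated to the property under test. I would close the chain with `} else { Assert.fail("no test values for mapper of " + limit); }`. The loop sits inside a test method whose start is outside the hunk.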


@ -0,0 +1,10 @@
# ---- For DTD test ----
#
# Disallow DTD
jdk.xml.dtd.support=deny
#
# Implementation specific limits:
jdk.xml.entityExpansionLimit=1000


@ -0,0 +1,29 @@
/*
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*/
package common.dtd;
/**
* @test @bug 8306632
* @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest
* @modules java.xml/jdk.xml.internal
* @run driver common.dtd.DOMTest 0 // verifies default setting dtd.support=allow
* @run driver common.dtd.DOMTest 1 // verifies overriding with config file
* @run driver common.dtd.DOMTest 2 // verifies overriding with system property
* @run driver common.dtd.DOMTest 3 // verifies overriding with factory setting (DTD=deny)
* @run driver common.dtd.DOMTest 4 // verifies DTD=ignore
* @run driver common.dtd.DOMTest 5 // verifies disallow-doctype-decl=false
* @run driver common.dtd.DOMTest 6 // verifies disallow-doctype-decl=true
* @summary verifies DOM's support of the property jdk.xml.dtd.support.
*/
public class DOMTest extends DTDTestBase {
public static void main(String args[]) throws Exception {
new DOMTest().run(args[0]);
}
public void run(String index) throws Exception {
paramMap(Processor.DOM, null, index);
super.testDOM(filename, fsp, state, config, sysProp, apiProp, expectError, error);
}
}
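Review bot: The header of this new file reads `ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.`, while the new `common.util.TestBase` added by the same commit carries the GPL version 2 notice. The same proprietary header appears on the new `DTDTestBase`, `SAXTest`, `SchemaTest`, `StAXTest` and `TransformTest` files. Test sources published in the same tree should state the same terms as the rest of it. I would replace the header with the GPL notice used in `TestBase`, so that downstream consumers and license scanners do not see conflicting terms.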


@ -0,0 +1,300 @@
/*
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*/
package common.dtd;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParser;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;
import common.util.TestBase;
/**
* @bug 8306632
* @summary tests the DTD property jdk.xml.dtd.support.
* The DTD property controls how DTDs are processed.
*/
public class DTDTestBase extends TestBase {
static final String SRC_DIR;
static {
String srcDir = System.getProperty("test.src", ".");
if (IS_WINDOWS) {
srcDir = srcDir.replace('\\', '/');
}
SRC_DIR = srcDir;
TEST_SOURCE_DIR = srcDir + "/../xmlfiles/";
}
public void testDOM(String filename, Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp,
boolean expectError, String error) throws Exception {
DocumentBuilderFactory dbf = getDBF(fsp, state, config, sysProp, apiProp);
process(filename, dbf, expectError, error);
}
public void testSAX(String filename, Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp,
boolean expectError, String error) throws Exception {
SAXParser parser = getSAXParser(fsp, state, config, sysProp, apiProp);
process(filename, parser, expectError, error);
}
public void testStAX(String filename, Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp,
boolean expectError, String error) throws Exception {
XMLInputFactory xif = getXMLInputFactory(state, config, sysProp, apiProp);
process(filename, xif, expectError, error);
}
public void testSchema1(String filename, String xsd, Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp,
boolean expectError, String error) throws Exception {
SchemaFactory sf = getSchemaFactory(fsp, state, config, sysProp, apiProp);
process(filename, sf, expectError, error);
}
public void testSchema2(String filename, String xsd, Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp,
boolean expectError, String error) throws Exception {
testSchema1(filename, xsd, fsp, state, config, sysProp, apiProp, expectError, error);
}
public void testValidation(String filename, String xsd, Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp,
boolean expectError, String error) throws Exception {
SchemaFactory sf = getSchemaFactory(fsp, state, config, sysProp, apiProp);
validate(filename, sf, expectError, error);
}
public void testStylesheet(String filename, String xsl, Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp,
boolean expectError, String error) throws Exception {
TransformerFactory tf = getTransformerFactory(fsp, state, config, sysProp, apiProp);
process(filename, tf, expectError, error);
}
public void testTransform(String filename, String xsl, Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp,
boolean expectError, String error) throws Exception {
TransformerFactory tf = getTransformerFactory(fsp, state, config, sysProp, apiProp);
transform(filename, xsl, tf, expectError, error);
}
/*
* DataProvider for testing configuring properties for parsers.
*
* Fields:
* file, FSP, state of setting, config file, system property, api property,
* Custom Catalog, error expected, error code or expected result
*/
public Object[][] getConfigs(Processor processor) {
// file with an external DTD that's not in JdkCatalog
String fileDTDNotInC = "properties1.xml";
// error code when DTD=deny; The cause for DOM
String errCode = "JAXP00010008";
// Xerces error message when DTD is disallowed
String errXerces = "disallow-doctype-decl";
// error (not from catalog) is expect when CATALOG=continue
boolean isErrExpected = true;
String expected1 = "invalid.site.com";
// expected when DTD is ignored
String expected = "";
switch (processor) {
case SAX:
//errCode = "JAXP00090001";
break;
case STAX:
errCode = "JAXP00010008";
// StAX is non-validating parser
isErrExpected = false;
expected = ".*[\\w\\s]+(value1)[\\w\\s]+.*";
expected1 = expected;
break;
default:
break;
}
return new Object[][]{
// Case 1: external reference pointing to an invalid site
/**
* Case 1-1: DTD=allow by default; no Config file;
* Expect: error as the parser processes DTD and tries to access the invalid site
* Error: JAXP00010008 java.net.UnknownHostException: invalid.site.com
*/
{fileDTDNotInC, null, null, null, null, null, isErrExpected, expected},
/**
* Case 1-2: DTD=deny in config file
* Expect: Exception since DTD is denied
*/
{fileDTDNotInC, null, PropertyState.CONFIG_FILE, Properties.CONFIG_FILE_DTD2, null, null, true, errCode},
/**
* Case 1-3: DTD=allow with the System Property
* Expect: error as Case 1-1
*/
{fileDTDNotInC, null, PropertyState.CONFIG_FILE_SYSTEM, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, null, isErrExpected, expected1},
/**
* Case 1-4: DTD=deny with the API property
* Expect: Exception as Case 1-2
*/
{fileDTDNotInC, null, PropertyState.CONFIG_FILE_SYSTEM_API, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, new Properties[]{Properties.DTD2}, true, errCode},
/**
* Case 1-5: DTD=ignore with the API property
* Expect: no error, DTD is ignored
*/
{fileDTDNotInC, null, PropertyState.CONFIG_FILE_SYSTEM_API, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, new Properties[]{Properties.DTD1}, false, expected},
// Case 2: repeat Case 1-3 (allow), 1-4 (deny) with the Xerces property on the factory
{fileDTDNotInC, null, PropertyState.CONFIG_FILE_SYSTEM_API, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, new Properties[]{Properties.XERCES_ALLOW_DTD}, isErrExpected, expected1},
{fileDTDNotInC, null, PropertyState.CONFIG_FILE_SYSTEM_API, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, new Properties[]{Properties.XERCES_DISALLOW_DTD}, true, errXerces},
// Case 3: repeat Case 1-3 (allow), 1-5 (ignore) with the StAX property on the factory
{fileDTDNotInC, null, PropertyState.CONFIG_FILE_SYSTEM_API, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, new Properties[]{Properties.SUPPORT_DTD}, isErrExpected, expected1},
{fileDTDNotInC, null, PropertyState.CONFIG_FILE_SYSTEM_API, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, new Properties[]{Properties.SUPPORT_DTD_FALSE}, false, expected},
};
}
/*
* DataProvider for testing configuring properties for validation or transform.
*
* Fields:
* xml file, xsd or xsl file, FSP, state of setting, config file, system property,
* api property, Custom Catalog, error expected, error code or expected result
*/
public Object[][] getConfig(String m) {
// SchemaTest1: Schema Import
String xmlFile = "XSDImport_company.xsd";
String xsdOrXsl = null;
String expected = "";
boolean errOnIgnore = false;
String ignoreExpected = "";
String errCode = "JAXP00010008";
switch (m) {
case "SchemaTest2":
// Schema Include
xmlFile = "XSDInclude_company.xsd";
break;
case "Validation":
// Schema Location
xmlFile = "val_test.xml";
errOnIgnore = true;
ignoreExpected = "x1";
break;
case "Stylesheet":
xmlFile = "XSLDTD.xsl";
break;
case "Transform":
xmlFile = "XSLPI.xml";
xsdOrXsl = "<?xml version='1.0'?>"
+ "<!DOCTYPE top SYSTEM 'test.dtd'"
+ "["
+ "<!ENTITY % pe \"x\">"
+ "<!ENTITY x1 \"AAAAA\">"
+ "<!ENTITY x2 \"bbb\">"
+"]>"
+ "<?xml-stylesheet href=\""
+ TEST_SOURCE_DIR
+ "/XSLPI_target.xsl\" type=\"text/xml\"?>"
+ "<xsl:stylesheet "
+ " xmlns:xsl='http://www.w3.org/1999/XSL/Transform' "
+ " version='1.0'>"
+ "</xsl:stylesheet> ";
errCode = "JAXP00010008";
break;
default:
break;
}
return new Object[][]{
// Case 1: external reference pointing to an invalid site
/**
* Case 1-1: default setting, DTD=allow
* Expect: pass without error
*/
{xmlFile, xsdOrXsl, null, null, null, null, null, false, expected},
/**
* Case 1-2: DTD=deny in config file
* Expect: Exception since DTD is denied
*/
{xmlFile, xsdOrXsl, null, PropertyState.CONFIG_FILE, Properties.CONFIG_FILE_DTD2, null, null, true, errCode},
/**
* Case 1-3: DTD=allow with the System Property
* Expect: error as Case 1-1
*/
{xmlFile, xsdOrXsl, null, PropertyState.CONFIG_FILE_SYSTEM, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, null, false, expected},
/**
* Case 1-4: DTD=deny with the API property
* Expect: Exception as Case 1-2
*/
{xmlFile, xsdOrXsl, null, PropertyState.CONFIG_FILE_SYSTEM_API, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, new Properties[]{Properties.DTD2}, true, errCode},
/**
* Case 1-5: DTD=ignore with the API property
* Expect: no error, DTD is ignored
*/
{xmlFile, xsdOrXsl, null, PropertyState.CONFIG_FILE_SYSTEM_API, Properties.CONFIG_FILE_DTD2, new Properties[]{Properties.DTD0}, new Properties[]{Properties.DTD1}, errOnIgnore, ignoreExpected},
};
}
// Returns absolute path
static String getPath(String file) {
String temp = TEST_SOURCE_DIR + file;
if (IS_WINDOWS) {
temp = "/" + temp;
}
return temp;
}
// parameters in the same order as the test method
String filename; String xsd; String xsl; Properties fsp; PropertyState state;
Properties config; Properties[] sysProp; Properties[] apiProp;
boolean expectError; String error;
// Maps the DataProvider array to individual parameters
public void paramMap(Processor processor, String method, String index) {
int i = 0;
Object[][] params;
if (processor == Processor.VALIDATOR ||
processor == Processor.TRANSFORMER) {
params = getConfig(method);
i = 1;
} else {
params = getConfigs(processor);
}
Object[] param = params[Integer.parseInt(index)];
filename = (String)param[0];
if (processor == Processor.VALIDATOR) {
xsd = (String)param[i];
} else if (processor == Processor.TRANSFORMER) {
xsl = (String)param[i];
}
fsp = (Properties)param[i + 1];
state = (PropertyState)param[i + 2];
config = (Properties)param[i + 3];
sysProp = (Properties[])param[i + 4];
apiProp = (Properties[])param[i + 5];
expectError = (boolean)param[i + 6];
error = (String)param[i + 7];
}
}
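Review bot: Case 1-1 in `getConfigs` passes `expected`, which is the empty string for DOM and SAX, as the error to match, and `processError` in `TestBase` checks `str.contains(error)`; that holds for any non-null message, so the default-setting case accepts any exception at all. The case's own comment names `java.net.UnknownHostException: invalid.site.com`, and Case 1-3 already passes `expected1` for the same outcome, so the row was probably meant to read `{fileDTDNotInC, null, null, null, null, null, isErrExpected, expected1},`. For StAX the two variables hold the same pattern, so that processor would be unaffected. As written, a regression that made the default path fail for a different reason, including a DTD being rejected when it should be allowed, would still pass.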


@ -0,0 +1,31 @@
/*
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*/
package common.dtd;
import common.util.TestBase;
/**
* @test @bug 8306632
* @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest
* @modules java.xml/jdk.xml.internal
* @run driver common.dtd.SAXTest 0 // verifies default setting dtd.support=allow
* @run driver common.dtd.SAXTest 1 // verifies overriding with config file
* @run driver common.dtd.SAXTest 2 // verifies overriding with system property
* @run driver common.dtd.SAXTest 3 // verifies overriding with factory setting (DTD=deny)
* @run driver common.dtd.SAXTest 4 // verifies DTD=ignore
* @run driver common.dtd.SAXTest 5 // verifies disallow-doctype-decl=false
* @run driver common.dtd.SAXTest 6 // verifies disallow-doctype-decl=true
* @summary verifies SAX's support of the property jdk.xml.dtd.support.
*/
public class SAXTest extends DTDTestBase {
public static void main(String args[]) throws Exception {
new SAXTest().run(args[0]);
}
public void run(String index) throws Exception {
paramMap(TestBase.Processor.SAX, null, index);
super.testSAX(filename, fsp, state, config, sysProp, apiProp, expectError, error);
}
}


@ -0,0 +1,48 @@
/*
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*/
package common.dtd;
/**
* @test @bug 8306632
* @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest
* @modules java.xml/jdk.xml.internal
* @run driver common.dtd.SchemaTest SchemaTest1 0 // verifies default setting dtd.support=allow
* @run driver common.dtd.SchemaTest SchemaTest1 1 // verifies overriding with config file
* @run driver common.dtd.SchemaTest SchemaTest1 2 // verifies overriding with system property
* @run driver common.dtd.SchemaTest SchemaTest1 3 // verifies overriding with factory setting (DTD=deny)
* @run driver common.dtd.SchemaTest SchemaTest1 4 // verifies DTD=ignore
* @run driver common.dtd.SchemaTest SchemaTest2 0 // verifies default setting dtd.support=allow
* @run driver common.dtd.SchemaTest SchemaTest2 1 // verifies overriding with config file
* @run driver common.dtd.SchemaTest SchemaTest2 2 // verifies overriding with system property
* @run driver common.dtd.SchemaTest SchemaTest2 3 // verifies overriding with factory setting (DTD=deny)
* @run driver common.dtd.SchemaTest SchemaTest2 4 // verifies DTD=ignore
* @run driver common.dtd.SchemaTest Validation 0 // verifies default setting dtd.support=allow
* @run driver common.dtd.SchemaTest Validation 1 // verifies overriding with config file
* @run driver common.dtd.SchemaTest Validation 2 // verifies overriding with system property
* @run driver common.dtd.SchemaTest Validation 3 // verifies overriding with factory setting (DTD=deny)
* @run driver common.dtd.SchemaTest Validation 4 // verifies DTD=ignore
* @summary verifies Schema and Validation's support of the property jdk.xml.dtd.support.
*/
public class SchemaTest extends DTDTestBase {
public static void main(String args[]) throws Exception {
new SchemaTest().run(args[0], args[1]);
}
public void run(String method, String index) throws Exception {
paramMap(Processor.VALIDATOR, method, index);
switch (method) {
case "SchemaTest1":
super.testSchema1(filename, xsd, fsp, state, config, sysProp, apiProp, expectError, error);
break;
case "SchemaTest2":
super.testSchema2(filename, xsd, fsp, state, config, sysProp, apiProp, expectError, error);
break;
case "Validation":
super.testValidation(filename, xsd, fsp, state, config, sysProp, apiProp, expectError, error);
break;
}
}
}
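Review bot: The `switch (method)` in `run` has no `default`, so a misspelled method name in an `@run` line executes no test and the driver exits successfully; `getConfig` in `DTDTestBase` likewise falls back to the `SchemaTest1` values for an unknown name. `TransformTest.run` has the same shape. I would add `default: throw new IllegalArgumentException("unknown test method: " + method);` to both switches so that a run which verifies nothing is reported as a failure.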


@ -0,0 +1,34 @@
/*
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*/
package common.dtd;
import common.util.TestBase;
/**
* @test @bug 8306632
* @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest
* @modules java.xml/jdk.xml.internal
* @run driver common.dtd.StAXTest 0 // verifies default setting dtd.support=allow
* @run driver common.dtd.StAXTest 1 // verifies overriding with config file
* @run driver common.dtd.StAXTest 2 // verifies overriding with system property
* @run driver common.dtd.StAXTest 3 // verifies overriding with factory setting (DTD=deny)
* @run driver common.dtd.StAXTest 4 // verifies DTD=ignore
* @run driver common.dtd.StAXTest 5 // verifies disallow-doctype-decl=false
* @run driver common.dtd.StAXTest 6 // verifies disallow-doctype-decl=true
* @run driver common.dtd.StAXTest 7 // verifies supportDTD=true
* @run driver common.dtd.StAXTest 8 // verifies supportDTD=false
* @summary verifies StAX's support of the property jdk.xml.dtd.support.
*/
public class StAXTest extends DTDTestBase {
public static void main(String args[]) throws Exception {
new StAXTest().run(args[0]);
}
public void run(String index) throws Exception {
paramMap(TestBase.Processor.STAX, null, index);
super.testStAX(filename, fsp, state, config, sysProp, apiProp, expectError, error);
}
}


@ -0,0 +1,42 @@
/*
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*/
package common.dtd;
import common.util.TestBase;
/**
* @test @bug 8306632
* @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest
* @modules java.xml/jdk.xml.internal
* @run driver common.dtd.TransformTest Stylesheet 0 // verifies default setting dtd.support=allow
* @run driver common.dtd.TransformTest Stylesheet 1 // verifies overriding with config file
* @run driver common.dtd.TransformTest Stylesheet 2 // verifies overriding with system property
* @run driver common.dtd.TransformTest Stylesheet 3 // verifies overriding with factory setting (DTD=deny)
* @run driver common.dtd.TransformTest Stylesheet 4 // verifies DTD=ignore
* @run driver common.dtd.TransformTest Transform 0 // verifies default setting dtd.support=allow
* @run driver common.dtd.TransformTest Transform 1 // verifies overriding with config file
* @run driver common.dtd.TransformTest Transform 2 // verifies overriding with system property
* @run driver common.dtd.TransformTest Transform 3 // verifies overriding with factory setting (DTD=deny)
* @run driver common.dtd.TransformTest Transform 4 // verifies DTD=ignore
* @summary verifies Transform's support of the property jdk.xml.dtd.support.
*/
public class TransformTest extends DTDTestBase {
public static void main(String args[]) throws Exception {
new TransformTest().run(args[0], args[1]);
}
public void run(String method, String index) throws Exception {
paramMap(TestBase.Processor.TRANSFORMER, method, index);
switch (method) {
case "Stylesheet":
super.testStylesheet(filename, xsl, fsp, state, config, sysProp, apiProp, expectError, error);
break;
case "Transform":
super.testTransform(filename, xsl, fsp, state, config, sysProp, apiProp, expectError, error);
break;
}
}
}


@ -0,0 +1,635 @@
/*
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package common.util;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.catalog.CatalogFeatures;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stax.StAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;
/**
* Test base for common/dtd
*/
public class TestBase {
static final boolean DEBUG = true;
public static final String ORACLE_JAXP_PROPERTY_PREFIX =
"http://www.oracle.com/xml/jaxp/properties/";
public static final String JDK_ENTITY_COUNT_INFO =
ORACLE_JAXP_PROPERTY_PREFIX + "getEntityCountInfo";
public static final String CATALOG_FILE = CatalogFeatures.Feature.FILES.getPropertyName();
public static final boolean IS_WINDOWS = System.getProperty("os.name").contains("Windows");
public static String SRC_DIR = System.getProperty("test.src", ".");
public static String TEST_SOURCE_DIR;
// configuration file system property
private static final String CONFIG_FILE = "java.xml.config.file";
// Xerces Property
public static final String DISALLOW_DTD = "http://apache.org/xml/features/disallow-doctype-decl";
public static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
// Zephyr Properties
public static final String ZEPHYR_PROPERTY_PREFIX = "http://java.sun.com/xml/stream/properties/" ;
public static final String IGNORE_EXTERNAL_DTD = ZEPHYR_PROPERTY_PREFIX + "ignore-external-dtd";
// Impl Specific Properties
public static final String SP_DTD = "jdk.xml.dtd.support";
public static final String OVERRIDE_PARSER = "jdk.xml.overrideDefaultParser";
// DTD/CATALOG constants
public static final String RESOLVE_CONTINUE = "continue";
public static final String RESOLVE_IGNORE = "ignore";
public static final String RESOLVE_STRICT = "strict";
public static final String DTD_ALLOW = "allow";
public static final String DTD_IGNORE = "ignore";
public static final String DTD_DENY = "deny";
// JAXP Configuration File(JCF) location
// DTD = deny
public static final String JCF_DTD2 = "../config/files/dtd2.properties";
String xmlExternalEntity, xmlExternalEntityId;
String xmlGE_Expansion, xmlGE_ExpansionId;
public static enum Processor { DOM, SAX, STAX, VALIDATOR, TRANSFORMER };
static enum SourceType { STREAM, SAX, STAX, DOM };
public static enum Properties {
CONFIG_FILE_DTD2(null, CONFIG_FILE, Type.FEATURE, getPath(JCF_DTD2)),
FSP(XMLConstants.FEATURE_SECURE_PROCESSING, null, Type.FEATURE, "true"),
FSP_FALSE(XMLConstants.FEATURE_SECURE_PROCESSING, null, Type.FEATURE, "false"),
// properties
DTD0(SP_DTD, "ditto", Type.PROPERTY, DTD_ALLOW),
DTD1(SP_DTD, "ditto", Type.PROPERTY, DTD_IGNORE),
DTD2(SP_DTD, "ditto", Type.PROPERTY, DTD_DENY),
// StAX properties
SUPPORT_DTD(XMLInputFactory.SUPPORT_DTD, null, Type.FEATURE, "true"),
SUPPORT_DTD_FALSE(XMLInputFactory.SUPPORT_DTD, null, Type.FEATURE, "false"),
SUPPORT_EXTERNAL_ENTITIES(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, null, Type.FEATURE, "true"),
SUPPORT_EXTERNAL_ENTITIES_FALSE(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, null, Type.FEATURE, "false"),
REPLACE_ENTITY_REF(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, null, Type.FEATURE, "true"),
REPLACE_ENTITY_REF_FALSE(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, null, Type.FEATURE, "false"),
ZEPHY_IGNORE_EXTERNAL_DTD(IGNORE_EXTERNAL_DTD, null, Type.FEATURE, "true"),
ZEPHY_IGNORE_EXTERNAL_DTD_FALSE(IGNORE_EXTERNAL_DTD, null, Type.FEATURE, "false"),
// Xerces properties
XERCES_DISALLOW_DTD(DISALLOW_DTD, null, Type.FEATURE, "true"),
XERCES_ALLOW_DTD(DISALLOW_DTD, null, Type.FEATURE, "false"),
XERCES_LOAD_EXTERNAL_DTD(LOAD_EXTERNAL_DTD, null, Type.FEATURE, "true"),
XERCES_LOAD_EXTERNAL_DTD_FALSE(LOAD_EXTERNAL_DTD, null, Type.FEATURE, "false"),
;
final String apiName, spName;
final Type type;
final String value;
String file, resolve;
Properties(String apiName, String spName, Type t, String value) {
this.apiName = apiName;
// if spName not specified, it's the same as the API name
if ("ditto".equals(spName)) {
this.spName = apiName;
} else {
this.spName = spName;
}
this.type = t;
this.value = value;
}
public Type type() {
return type;
}
public String value() {
return value;
}
}
public static enum Type {
CONFIGFILE,
FEATURE,
PROPERTY,
LIMIT,
}
// the state of property setting
public static enum PropertyState {
// set through the factories
API,
// set through the System Property
SYSTEM,
// set in the Config file
CONFIG_FILE,
// set with both the Config file and System Property, the later shall prevail
CONFIG_FILE_SYSTEM,
// set: Config file, System Property and API, the later shall prevail
CONFIG_FILE_SYSTEM_API,
}
protected void process(String filename, DocumentBuilderFactory dbf, boolean expectError,
String error) throws Exception {
//dbf.setAttribute(CatalogFeatures.Feature.RESOLVE.getPropertyName(), "continue");
DocumentBuilder builder = dbf.newDocumentBuilder();
File file = new File(getPath(filename));
try {
Document document = builder.parse(file);
Assert.assertTrue(!expectError);
} catch (Exception e) {
e.printStackTrace();
processError(expectError, error, e);
}
}
protected void process(String filename, SAXParser parser, boolean expectError,
String error) throws Exception {
File file = new File(getPath(filename));
try {
parser.parse(file, new DefaultHandler());
Assert.assertTrue(!expectError);
} catch (Exception e) {
//e.printStackTrace();
processError(expectError, error, e);
}
}
protected void process(String filename, XMLInputFactory xif, boolean expectError,
String expected) throws Exception {
String xml = getPath(filename);
try {
InputStream entityxml = new FileInputStream(xml);
XMLStreamReader streamReader = xif.createXMLStreamReader(xml, entityxml);
String text = getText(streamReader, XMLStreamConstants.CHARACTERS);
System.out.println("Text: [" + text.trim() + "]");
Assert.assertTrue(Pattern.matches(expected, text.trim()));
Assert.assertTrue(!expectError);
} catch (Exception e) {
e.printStackTrace();
processError(expectError, expected, e);
}
}
protected void process(String filename, SchemaFactory sf, boolean expectError,
String expected) throws Exception {
String xsd = getPath(filename);
try {
Schema schema = sf.newSchema(new StreamSource(new File(xsd)));
Assert.assertTrue(!expectError);
} catch (Exception e) {
e.printStackTrace();
processError(expectError, expected, e);
}
}
protected void process(String filename, TransformerFactory tf, boolean expectError,
String expected) throws Exception {
String xsl = getPath(filename);
try {
SAXSource xslSource = new SAXSource(new InputSource(xsl));
xslSource.setSystemId(xsl);
Transformer transformer = tf.newTransformer(xslSource);
Assert.assertTrue(!expectError);
} catch (Exception e) {
//e.printStackTrace();
processError(expectError, expected, e);
}
}
protected void transform(String xmlFile, String xsl, TransformerFactory tf,
boolean expectError, String expected) throws Exception {
String xmlSysId = getPath(xmlFile);
try {
SAXSource xslSource = new SAXSource(new InputSource(new StringReader(xsl)));
//SAXSource xslSource = new SAXSource(new InputSource(xslSysId));
xslSource.setSystemId(xmlSysId);
Transformer transformer = tf.newTransformer(xslSource);
StringWriter sw = new StringWriter();
transformer.transform(getSource(SourceType.STREAM, xmlSysId), new StreamResult(sw));
Assert.assertTrue(!expectError);
} catch (Exception e) {
e.printStackTrace();
processError(expectError, expected, e);
}
}
protected void validate(String filename, SchemaFactory sf, boolean expectError,
String expected) throws Exception {
String xml = getPath(filename);
try {
Schema schema = sf.newSchema();
Validator validator = schema.newValidator();
validator.validate(new StreamSource(new File(xml)));
Assert.assertTrue(!expectError);
} catch (Exception e) {
e.printStackTrace();
processError(expectError, expected, e);
}
}
protected void processError(boolean expectError, String error, Exception e)
throws Exception {
//e.printStackTrace();
String str = e.getMessage();
// System.out.println("Exp Msg: " + str);
//e.printStackTrace();
if (!expectError) {
Assert.assertTrue(false, "Expected pass, but Exception is thrown " +
str);
} else {
Assert.assertTrue((str != null) && str.contains(error));
}
}
/**
* Returns a DocumentBuilderFactory with settings as specified.
*
* @param fsp FSP setting
* @param state the setting method
* @param config the configuration file setting
* @param sysProp properties to be set through the System Property API
* @param apiProp the properties to be set via the factory
* @return a DocumentBuilderFactory
*/
protected DocumentBuilderFactory getDBF(Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp) {
setSystemProperty(config, state, sysProp);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newDefaultNSInstance();
dbf.setXIncludeAware(true);
if (fsp != null) {
try {
dbf.setFeature(fsp.apiName, Boolean.parseBoolean(fsp.value));
} catch (ParserConfigurationException ex) {
// shouldn't happen
//ex.printStackTrace();
Assert.fail("Test error: setting " + fsp.apiName + " to " + fsp.value);
}
}
if (state == PropertyState.API || state == PropertyState.CONFIG_FILE_SYSTEM_API) {
for (Properties property : apiProp) {
if (property.type == Type.FEATURE) {
try {
dbf.setFeature(property.apiName, Boolean.parseBoolean(property.value));
} catch (ParserConfigurationException ex) {
Assert.fail("Test error: setting " + fsp.apiName + " to " + fsp.value);
}
} else {
dbf.setAttribute(property.apiName, property.value);
}
}
}
clearSystemProperty(state, sysProp);
return dbf;
}
/**
* Returns an instance of SAXParser with a catalog if one is provided.
*
* @param fsp Feature Secure Processing
* @param state the state of property settings
* @param config the config file
* @param sysProp the system properties
* @param apiProp the properties to be set via the factory
* @return an instance of SAXParser
* @throws ParserConfigurationException
* @throws Exception
*/
public SAXParser getSAXParser(Properties fsp, PropertyState state, Properties config,
Properties[] sysProp, Properties[] apiProp) throws Exception {
setSystemProperty(config, state, sysProp);
SAXParserFactory spf = SAXParserFactory.newDefaultNSInstance();
spf.setXIncludeAware(true);
if (fsp != null) {
try {
spf.setFeature(fsp.apiName, Boolean.parseBoolean(fsp.value));
} catch (ParserConfigurationException ex) {
Assert.fail("Test error: setting " + fsp.apiName + " to " + fsp.value);
}
}
if (state == PropertyState.API || state == PropertyState.CONFIG_FILE_SYSTEM_API) {
for (Properties property : apiProp) {
if (property.type == Type.FEATURE) {
try {
spf.setFeature(property.apiName, Boolean.parseBoolean(property.value));
} catch (ParserConfigurationException ex) {
Assert.fail("Test error: setting " + fsp.apiName + " to " + fsp.value);
}
}
}
}
SAXParser parser = spf.newSAXParser();
if (state == PropertyState.API || state == PropertyState.CONFIG_FILE_SYSTEM_API) {
for (Properties property : apiProp) {
if (property.type != Type.FEATURE) {
parser.setProperty(property.apiName, property.value);
}
}
}
clearSystemProperty(state, sysProp);
return parser;
}
protected XMLInputFactory getXMLInputFactory(PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp) {
setSystemProperty(config, state, sysProp);
XMLInputFactory factory = XMLInputFactory.newInstance();
if (state == PropertyState.API || state == PropertyState.CONFIG_FILE_SYSTEM_API) {
for (Properties property : apiProp) {
factory.setProperty(property.apiName, property.value);
}
}
clearSystemProperty(state, sysProp);
return factory;
}
protected SchemaFactory getSchemaFactory(Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp)
throws Exception {
setSystemProperty(config, state, sysProp);
SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
if (fsp != null) {
factory.setFeature(fsp.apiName, Boolean.parseBoolean(fsp.value));
}
if (state == PropertyState.API || state == PropertyState.CONFIG_FILE_SYSTEM_API) {
for (Properties property : apiProp) {
if (property.type == Type.FEATURE) {
factory.setFeature(property.apiName, Boolean.parseBoolean(property.value));
} else {
factory.setProperty(property.apiName, property.value);
}
}
}
clearSystemProperty(state, sysProp);
return factory;
}
protected TransformerFactory getTransformerFactory(Properties fsp, PropertyState state,
Properties config, Properties[] sysProp, Properties[] apiProp)
throws Exception {
setSystemProperty(config, state, sysProp);
TransformerFactory tf = TransformerFactory.newInstance();
//tf.setAttribute(JDK_ENTITY_COUNT_INFO, "yes");
if (fsp != null) {
tf.setFeature(fsp.apiName, Boolean.parseBoolean(fsp.value));
}
if (state == PropertyState.API || state == PropertyState.CONFIG_FILE_SYSTEM_API) {
for (Properties property : apiProp) {
if (property.type == Type.FEATURE) {
tf.setFeature(property.apiName, Boolean.parseBoolean(property.value));
} else {
tf.setAttribute(property.apiName, property.value);
}
}
}
clearSystemProperty(state, sysProp);
return tf;
}
XMLStreamReader getStreamReader(boolean setUseCatalog, boolean useCatalog,
String catalog, String xml, XMLResolver resolver)
throws FileNotFoundException, XMLStreamException {
XMLInputFactory factory = XMLInputFactory.newInstance();
if (catalog != null) {
factory.setProperty(CatalogFeatures.Feature.FILES.getPropertyName(), catalog);
}
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, true);
factory.setProperty(XMLInputFactory.IS_COALESCING, true);
if (resolver != null) {
factory.setProperty(XMLInputFactory.RESOLVER, resolver);
}
if (setUseCatalog) {
factory.setProperty(XMLConstants.USE_CATALOG, useCatalog);
}
InputStream entityxml = new FileInputStream(xml);
XMLStreamReader streamReader = factory.createXMLStreamReader(xml, entityxml);
return streamReader;
}
/**
* Returns the accumulated text of an event type.
*
* @param streamReader the XMLStreamReader
* @param type the type of event requested
* @return the text of the accumulated text for the request type
* @throws XMLStreamException
*/
String getText(XMLStreamReader streamReader, int type) throws XMLStreamException {
StringBuilder text = new StringBuilder();
StringBuilder entityRef = new StringBuilder();
while(streamReader.hasNext()){
int eventType = streamReader.next();
switch (eventType) {
case XMLStreamConstants.START_ELEMENT:
break;
case XMLStreamConstants.CHARACTERS:
text.append(streamReader.getText());
break;
case XMLStreamConstants.ENTITY_REFERENCE:
entityRef.append(streamReader.getText());
break;
}
}
if (type == XMLStreamConstants.CHARACTERS) {
return text.toString();
} else {
return entityRef.toString();
}
}
/**
* Build a Source for _xmlFile depending on the value of sourceType.
* @return
* @throws FileNotFoundException
* @throws XMLStreamException
*/
private Source getSource(SourceType sourceType, String xmlFile)
throws FileNotFoundException, XMLStreamException {
if (sourceType == null) {
throw new Error("Test Bug: Please check that sourceType is set");
}
switch(sourceType) {
case SAX: return new SAXSource(new InputSource(xmlFile));
case STAX: return new StAXSource(XMLInputFactory.newFactory()
.createXMLEventReader(xmlFile, new FileInputStream(xmlFile)));
case DOM: return new DOMSource(null,xmlFile);
default: return new StreamSource(xmlFile);
}
}
/**
* Sets the System Property via the System Property API and/or the Config file.
*
* @param config the configuration file setting
* @param state the setting method
* @param sysProp properties to be set through the System Property API
*/
protected void setSystemProperty(Properties config, PropertyState state, Properties[] sysProp) {
// no System Property
if (state == null) return;
if (sysProp != null) {
for (Properties property : sysProp) {
setSystemProperty1(config, state, property);
}
} else {
setSystemProperty1(config, state, null);
}
}
protected void setSystemProperty1(Properties config, PropertyState state, Properties property) {
switch (state) {
case SYSTEM:
System.setProperty(property.spName, property.value);
break;
case CONFIG_FILE:
System.setProperty(CONFIG_FILE, config.value);
break;
case CONFIG_FILE_SYSTEM:
case CONFIG_FILE_SYSTEM_API:
System.setProperty(CONFIG_FILE, config.value);
if (property != null) {
System.setProperty(property.spName, property.value);
}
break;
}
}
/**
* Clears the System Properties.
*
* @param state the state of setting, refer to {@link PropertyState}.
* @param sysProp the system properties
*/
protected void clearSystemProperty(PropertyState state, Properties[] sysProp) {
if (state == null) return;
if (sysProp != null) {
for (Properties property : sysProp) {
clearSystemProperty1(state, property);
}
} else {
clearSystemProperty1(state, null);
}
}
protected void clearSystemProperty1(PropertyState m, Properties property) {
if (m == null) return;
switch (m) {
case SYSTEM:
System.clearProperty(property.spName);
break;
case CONFIG_FILE:
System.clearProperty(CONFIG_FILE);
break;
case CONFIG_FILE_SYSTEM:
case CONFIG_FILE_SYSTEM_API:
System.clearProperty(CONFIG_FILE);
if (property != null) {
System.clearProperty(property.spName);
}
break;
}
}
static String getPath(String file) {
String temp = TEST_SOURCE_DIR + file;
if (IS_WINDOWS) {
temp = "/" + temp;
}
return temp;
}
static class Assert {
public static void assertTrue(boolean condition) {
assertTrue(condition, null);
}
public static void assertTrue(boolean condition, String message) {
if (!condition) {
if (message != null) {
throw new RuntimeException("Expected true but was false. " + message);
} else {
throw new RuntimeException("Expected true but was false. ");
}
}
}
public static void fail(String message) {
throw new RuntimeException("Test failed. " + message);
}
}
}


@ -0,0 +1,28 @@
<?xml version="1.1"?>
<!DOCTYPE top SYSTEM 'test.dtd'
[
<!ENTITY % pe "x">
<!ENTITY x "AAAAA">
<!ENTITY x1 "BBB">
]>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.company.org"
xmlns="http://www.company.org"
elementFormDefault="unqualified"
xmlns:per="http://www.person.org"
xmlns:pro="http://www.product.org">
<xsd:import namespace="http://www.person.org"
schemaLocation="XSDImport_person.xsd"/>
<xsd:import namespace="http://www.product.org"
schemaLocation="XSDImport_product.xsd"/>
<xsd:element name="Company">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="Person" type="per:PersonType"
maxOccurs="unbounded"/>
<xsd:element name="Product" type="pro:ProductType"
maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>
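Review bot: The DOCTYPE at the top of this schema declares `pe`, `x` and `x1` and points at `test.dtd`, but nothing in the schema body references those entities, and no comment says the declaration is deliberate. Presumably it is there only so that loading the schema reaches the DTD-handling path under test. A one-line comment after the XML declaration, such as `<!-- DOCTYPE is intentional: exercises the DTD property; entities are unused -->`, would stop a later cleanup from removing it. The same applies to the second schema fixture (the one using `xsd:include`) and to the `<doc></doc>` and `<doc/>` fixtures further down, which carry the identical DOCTYPE.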


@ -0,0 +1,12 @@
<?xml version="1.1"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.person.org"
xmlns="http://www.person.org"
elementFormDefault="unqualified">
<xsd:complexType name="PersonType">
<xsd:sequence>
<xsd:element name="Name" type="xsd:string"/>
<xsd:element name="SSN" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>


@ -0,0 +1,11 @@
<?xml version="1.1"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.product.org"
xmlns="http://www.product.org"
elementFormDefault="unqualified">
<xsd:complexType name="ProductType">
<xsd:sequence>
<xsd:element name="Type" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>


@ -0,0 +1,24 @@
<?xml version="1.1"?>
<!DOCTYPE top SYSTEM 'test.dtd'
[
<!ENTITY % pe "x">
<!ENTITY x "AAAAA">
<!ENTITY x1 "BBB">
]>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.company.org"
xmlns="http://www.company.org"
elementFormDefault="qualified">
<xsd:include schemaLocation="XSDInclude_person.xsd"/>
<xsd:include schemaLocation="XSDInclude_product.xsd"/>
<xsd:element name="Company">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="Person" type="PersonType"
maxOccurs="unbounded"/>
<xsd:element name="Product" type="ProductType"
maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>


@ -0,0 +1,12 @@
<?xml version="1.1"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.company.org"
xmlns="http://www.person.org"
elementFormDefault="qualified">
<xsd:complexType name="PersonType">
<xsd:sequence>
<xsd:element name="Name" type="xsd:string"/>
<xsd:element name="SSN" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>


@ -0,0 +1,11 @@
<?xml version="1.1"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.company.org"
xmlns="http://www.product.org"
elementFormDefault="qualified">
<xsd:complexType name="ProductType">
<xsd:sequence>
<xsd:element name="Type" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>


@ -0,0 +1,108 @@
<?xml version="1.1" encoding="UTF-8"?>
<!-- Portions (C) International Organization for Standardization 1986
Permission to copy in any form is granted for use with
conforming SGML systems and applications as defined in
ISO 8879, provided this notice is included in all copies.
-->
<!-- Character entity set. Typical invocation:
<!ENTITY % HTMLlat1 PUBLIC
"-//W3C//ENTITIES Latin 1//EN//HTML">
%HTMLlat1;
-->
<!ENTITY nbsp "&#160;" >
<!ENTITY iexcl "&#161;" >
<!ENTITY cent "&#162;" >
<!ENTITY pound "&#163;" >
<!ENTITY curren "&#164;" >
<!ENTITY yen "&#165;" >
<!ENTITY brvbar "&#166;" >
<!ENTITY sect "&#167;" >
<!ENTITY uml "&#168;" >
<!ENTITY copy "&#169;" >
<!ENTITY ordf "&#170;" >
<!ENTITY laquo "&#171;" >
<!ENTITY not "&#172;" >
<!ENTITY shy "&#173;" >
<!ENTITY reg "&#174;" >
<!ENTITY macr "&#175;" >
<!ENTITY deg "&#176;" >
<!ENTITY plusmn "&#177;" >
<!ENTITY sup2 "&#178;" >
<!ENTITY sup3 "&#179;" >
<!ENTITY acute "&#180;" >
<!ENTITY micro "&#181;" >
<!ENTITY para "&#182;" >
<!ENTITY middot "&#183;" >
<!ENTITY cedil "&#184;" >
<!ENTITY sup1 "&#185;" >
<!ENTITY ordm "&#186;" >
<!ENTITY raquo "&#187;" >
<!ENTITY frac14 "&#188;" >
<!ENTITY frac12 "&#189;" >
<!ENTITY frac34 "&#190;" >
<!ENTITY iquest "&#191;" >
<!ENTITY Agrave "&#192;" >
<!ENTITY Aacute "&#193;" >
<!ENTITY Acirc "&#194;" >
<!ENTITY Atilde "&#195;" >
<!ENTITY Auml "&#196;" >
<!ENTITY Aring "&#197;" >
<!ENTITY AElig "&#198;" >
<!ENTITY Ccedil "&#199;" >
<!ENTITY Egrave "&#200;" >
<!ENTITY Eacute "&#201;" >
<!ENTITY Ecirc "&#202;" >
<!ENTITY Euml "&#203;" >
<!ENTITY Igrave "&#204;" >
<!ENTITY Iacute "&#205;" >
<!ENTITY Icirc "&#206;" >
<!ENTITY Iuml "&#207;" >
<!ENTITY ETH "&#208;" >
<!ENTITY Ntilde "&#209;" >
<!ENTITY Ograve "&#210;" >
<!ENTITY Oacute "&#211;" >
<!ENTITY Ocirc "&#212;" >
<!ENTITY Otilde "&#213;" >
<!ENTITY Ouml "&#214;" >
<!ENTITY times "&#215;" >
<!ENTITY Oslash "&#216;" >
<!ENTITY Ugrave "&#217;" >
<!ENTITY Uacute "&#218;" >
<!ENTITY Ucirc "&#219;" >
<!ENTITY Uuml "&#220;" >
<!ENTITY Yacute "&#221;" >
<!ENTITY THORN "&#222;" >
<!ENTITY szlig "&#223;" >
<!ENTITY agrave "&#224;" >
<!ENTITY aacute "&#225;" >
<!ENTITY acirc "&#226;" >
<!ENTITY atilde "&#227;" >
<!ENTITY auml "&#228;" >
<!ENTITY aring "&#229;" >
<!ENTITY aelig "&#230;" >
<!ENTITY ccedil "&#231;" >
<!ENTITY egrave "&#232;" >
<!ENTITY eacute "&#233;" >
<!ENTITY ecirc "&#234;" >
<!ENTITY euml "&#235;" >
<!ENTITY igrave "&#236;" >
<!ENTITY iacute "&#237;" >
<!ENTITY icirc "&#238;" >
<!ENTITY iuml "&#239;" >
<!ENTITY eth "&#240;" >
<!ENTITY ntilde "&#241;" >
<!ENTITY ograve "&#242;" >
<!ENTITY oacute "&#243;" >
<!ENTITY ocirc "&#244;" >
<!ENTITY otilde "&#245;" >
<!ENTITY ouml "&#246;" >
<!ENTITY divide "&#247;" >
<!ENTITY oslash "&#248;" >
<!ENTITY ugrave "&#249;" >
<!ENTITY uacute "&#250;" >
<!ENTITY ucirc "&#251;" >
<!ENTITY uuml "&#252;" >
<!ENTITY yacute "&#253;" >
<!ENTITY thorn "&#254;" >
<!ENTITY yuml "&#255;" >


@ -0,0 +1,8 @@
<?xml version="1.1"?>
<!DOCTYPE top SYSTEM 'test.dtd'
[
<!ENTITY % pe "x">
<!ENTITY x "AAAAA">
<!ENTITY x1 "BBB">
]>
<doc></doc>


@ -0,0 +1,21 @@
<?xml version="1.1" encoding="ISO-8859-1" standalone="no"?>
<!DOCTYPE HTMLlat1 SYSTEM "XSLDTD.dtd">
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<!-- FileName: copy20 -->
<!-- Document: http://www.w3.org/TR/xslt -->
<!-- DocVersion: 19991116 -->
<!-- Section: 11.3 -->
<!-- Creator: David Marston -->
<!-- Purpose: Test copy-of a string constant containing character entity -->
<xsl:output method="xml" encoding="UTF-8"/>
<!-- With this output encoding, should get two bytes (xC3,xA6) for the &aelig -->
<xsl:template match="/">
<out>
<xsl:copy-of select="'abcd&aelig;fgh'"/>
</out>
</xsl:template>
</xsl:stylesheet>


@ -0,0 +1,8 @@
<?xml version="1.1" encoding="UTF-8"?>
<!DOCTYPE doc SYSTEM 'test.dtd'
[
<!ENTITY % pe "x">
<!ENTITY x "AAAAA">
<!ENTITY x1 "BBB">
]>
<doc/>


@ -0,0 +1,6 @@
<?xml version='1.1'?>
<?xml-stylesheet href="XSLPI_target.xsl" type="text/xml"?>
<xsl:stylesheet
xmlns:xsl='http://www.w3.org/1999/XSL/Transform'
version='1.0'>
</xsl:stylesheet>


@ -0,0 +1,9 @@
<?xml version="1.1" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="footer">
<dv id="footer"><xsl:apply-templates/></dv>
</xsl:template>
</xsl:stylesheet>


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>java.util.Properties</comment>
<entry key="property1">value1</entry>
<entry key="property2">value2</entry>
<entry key="property3">value3</entry>
</properties>


@ -0,0 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://invalid.site.com/dtd/properties1.dtd"
[
<!ENTITY % pe "x">
<!ENTITY x "AAAAA">
<!ENTITY x1 "BBB">
]>
<properties>
<comment>java.util.Properties</comment>
<entry key="property1">value1</entry>
<entry key="property2">value2</entry>
<entry key="property3">value3</entry>
</properties>
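Review bot: The system identifier `http://invalid.site.com/dtd/properties1.dtd` names a host under a registrable domain, so any test case that lets the parser resolve the external DTD would send an HTTP request to a third party and make the outcome depend on the network. Whether a case here actually resolves it is not visible from this file, so this is a hardening point rather than a confirmed failure. A reserved name keeps the fixture hermetic, for example `<!DOCTYPE properties SYSTEM "http://example.invalid/dtd/properties1.dtd"` (constructed value; the `.invalid` top-level domain is reserved and never resolves).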


@ -0,0 +1,6 @@
<!ENTITY % bltin "&#42;">
<!ENTITY % pe "x">
<!ELEMENT top (#PCDATA)>


@ -0,0 +1,13 @@
<?xml version="1.1"?>
<!DOCTYPE top SYSTEM 'test.dtd'
[
<!ENTITY % pe "x">
<!ENTITY x "AAAAA">
<!ENTITY x1 "BBB">
]>
<test:root xmlns:test="test"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="test val_test.xsd"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<child xsi:type="xsd:string">&x1;</child>
</test:root>


@ -0,0 +1,16 @@
<?xml version="1.1"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace="test">
<xsd:element name="root">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="child" type="xsd:anyType"/>
</xsd:sequence>
</xsd:complexType>
<xsd:key name="key1">
<xsd:selector xpath="."/>
<xsd:field xpath="child"/>
</xsd:key>
</xsd:element>
</xsd:schema>