25 |
25 |
26 import com.sun.org.apache.xalan.internal.XalanConstants; |
26 import com.sun.org.apache.xalan.internal.XalanConstants; |
27 import com.sun.org.apache.xalan.internal.utils.FactoryImpl; |
27 import com.sun.org.apache.xalan.internal.utils.FactoryImpl; |
28 import com.sun.org.apache.xalan.internal.utils.ObjectFactory; |
28 import com.sun.org.apache.xalan.internal.utils.ObjectFactory; |
29 import com.sun.org.apache.xalan.internal.utils.SecuritySupport; |
29 import com.sun.org.apache.xalan.internal.utils.SecuritySupport; |
|
30 import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager; |
|
31 import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property; |
|
32 import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.State; |
30 import com.sun.org.apache.xalan.internal.xsltc.compiler.Constants; |
33 import com.sun.org.apache.xalan.internal.xsltc.compiler.Constants; |
31 import com.sun.org.apache.xalan.internal.xsltc.compiler.SourceLoader; |
34 import com.sun.org.apache.xalan.internal.xsltc.compiler.SourceLoader; |
32 import com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC; |
35 import com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC; |
33 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg; |
36 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg; |
34 import com.sun.org.apache.xalan.internal.xsltc.dom.XSLTCDTMManager; |
37 import com.sun.org.apache.xalan.internal.xsltc.dom.XSLTCDTMManager; |
213 |
216 |
214 /** |
217 /** |
215 * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element. |
218 * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element. |
216 */ |
219 */ |
217 private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT; |
220 private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT; |
|
221 |
218 /** |
222 /** |
219 * protocols allowed for external DTD references in source file and/or stylesheet. |
223 * protocols allowed for external DTD references in source file and/or stylesheet. |
220 */ |
224 */ |
221 private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT; |
225 private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT; |
222 |
226 |
|
227 private XMLSecurityPropertyManager _xmlSecurityPropertyMgr; |
223 |
228 |
224 /** |
229 /** |
225 * javax.xml.transform.sax.TransformerFactory implementation. |
230 * javax.xml.transform.sax.TransformerFactory implementation. |
226 */ |
231 */ |
227 public TransformerFactoryImpl() { |
232 public TransformerFactoryImpl() { |
233 } |
238 } |
234 |
239 |
235 private TransformerFactoryImpl(boolean useServicesMechanism) { |
240 private TransformerFactoryImpl(boolean useServicesMechanism) { |
236 this._useServicesMechanism = useServicesMechanism; |
241 this._useServicesMechanism = useServicesMechanism; |
237 |
242 |
238 String defaultAccess = XalanConstants.EXTERNAL_ACCESS_DEFAULT; |
|
239 if (System.getSecurityManager() != null) { |
243 if (System.getSecurityManager() != null) { |
240 _isSecureMode = true; |
244 _isSecureMode = true; |
241 _isNotSecureProcessing = false; |
245 _isNotSecureProcessing = false; |
242 } |
246 } |
243 _accessExternalStylesheet = SecuritySupport.getDefaultAccessProperty( |
247 |
244 XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess); |
248 _xmlSecurityPropertyMgr = new XMLSecurityPropertyManager(); |
245 _accessExternalDTD = SecuritySupport.getDefaultAccessProperty( |
249 _accessExternalDTD = _xmlSecurityPropertyMgr.getValue( |
246 XalanConstants.SP_ACCESS_EXTERNAL_DTD, defaultAccess); |
250 Property.ACCESS_EXTERNAL_DTD); |
|
251 _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue( |
|
252 Property.ACCESS_EXTERNAL_STYLESHEET); |
247 } |
253 } |
248 |
254 |
249 /** |
255 /** |
250 * javax.xml.transform.sax.TransformerFactory implementation. |
256 * javax.xml.transform.sax.TransformerFactory implementation. |
251 * Set the error event listener for the TransformerFactory, which is used |
257 * Set the error event listener for the TransformerFactory, which is used |
304 if (_enableInlining) |
310 if (_enableInlining) |
305 return Boolean.TRUE; |
311 return Boolean.TRUE; |
306 else |
312 else |
307 return Boolean.FALSE; |
313 return Boolean.FALSE; |
308 } |
314 } |
309 else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) { |
315 |
310 return _accessExternalStylesheet; |
316 int index = _xmlSecurityPropertyMgr.getIndex(name); |
311 } |
317 if (index > -1) { |
312 else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) { |
318 return _xmlSecurityPropertyMgr.getValueByIndex(index); |
313 return _accessExternalDTD; |
|
314 } |
319 } |
315 |
320 |
316 // Throw an exception for all other attributes |
321 // Throw an exception for all other attributes |
317 ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_INVALID_ATTR_ERR, name); |
322 ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_INVALID_ATTR_ERR, name); |
318 throw new IllegalArgumentException(err.toString()); |
323 throw new IllegalArgumentException(err.toString()); |
411 else if (value instanceof Integer) { |
416 else if (value instanceof Integer) { |
412 _indentNumber = ((Integer) value).intValue(); |
417 _indentNumber = ((Integer) value).intValue(); |
413 return; |
418 return; |
414 } |
419 } |
415 } |
420 } |
416 else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) { |
421 |
417 _accessExternalStylesheet = (String)value; |
422 int index = _xmlSecurityPropertyMgr.getIndex(name); |
418 return; |
423 if (index > -1) { |
419 } |
424 _xmlSecurityPropertyMgr.setValue(index, |
420 else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) { |
425 State.APIPROPERTY, (String)value); |
421 _accessExternalDTD = (String)value; |
426 _accessExternalDTD = _xmlSecurityPropertyMgr.getValue( |
|
427 Property.ACCESS_EXTERNAL_DTD); |
|
428 _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue( |
|
429 Property.ACCESS_EXTERNAL_STYLESHEET); |
422 return; |
430 return; |
423 } |
431 } |
424 |
432 |
425 // Throw an exception for all other attributes |
433 // Throw an exception for all other attributes |
426 final ErrorMsg err |
434 final ErrorMsg err |
464 ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_SECUREPROCESSING_FEATURE); |
472 ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_SECUREPROCESSING_FEATURE); |
465 throw new TransformerConfigurationException(err.toString()); |
473 throw new TransformerConfigurationException(err.toString()); |
466 } |
474 } |
467 _isNotSecureProcessing = !value; |
475 _isNotSecureProcessing = !value; |
468 |
476 |
469 // set restriction, allowing no access to external stylesheet |
477 // set external access restriction when FSP is explicitly set |
470 if (value) { |
478 if (value && XalanConstants.IS_JDK8_OR_ABOVE) { |
471 _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP; |
479 _xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD, |
472 _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP; |
480 State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP); |
473 } |
481 _xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_STYLESHEET, |
|
482 State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP); |
|
483 _accessExternalDTD = _xmlSecurityPropertyMgr.getValue( |
|
484 Property.ACCESS_EXTERNAL_DTD); |
|
485 _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue( |
|
486 Property.ACCESS_EXTERNAL_STYLESHEET); |
|
487 } |
|
488 |
474 return; |
489 return; |
475 } |
490 } |
476 else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) { |
491 else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) { |
477 //in secure mode, let _useServicesMechanism be determined by the constructor |
492 //in secure mode, let _useServicesMechanism be determined by the constructor |
478 if (!_isSecureMode) |
493 if (!_isSecureMode) |