--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java	Mon May 06 18:50:16 2013 +0200
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java	Wed May 08 23:38:03 2013 -0700
@@ -225,6 +225,16 @@
     private boolean _useServicesMechanism;
 
     /**
+     * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
+     */
+    private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+     /**
+     * protocols allowed for external DTD references in source file and/or stylesheet.
+     */
+    private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
+
+    /**
      * javax.xml.transform.sax.TransformerFactory implementation.
      */
     public TransformerFactoryImpl() {
@@ -238,10 +248,17 @@
     private TransformerFactoryImpl(boolean useServicesMechanism) {
         this.m_DTMManagerClass = XSLTCDTMManager.getDTMManagerClass(useServicesMechanism);
         this._useServicesMechanism = useServicesMechanism;
+
+        String defaultAccess = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
         if (System.getSecurityManager() != null) {
             _isSecureMode = true;
             _isNotSecureProcessing = false;
+            defaultAccess = XalanConstants.getExternalAccessDefault(true);
         }
+        _accessExternalStylesheet =  SecuritySupport.getDefaultAccessProperty(
+                XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess);
+        _accessExternalDTD =  SecuritySupport.getDefaultAccessProperty(
+                XalanConstants.SP_ACCESS_EXTERNAL_DTD, defaultAccess);
     }
 
     /**
@@ -301,6 +318,12 @@
             else
               return Boolean.FALSE;
         }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+            return _accessExternalStylesheet;
+        }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            return _accessExternalDTD;
+        }
 
         // Throw an exception for all other attributes
         ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_INVALID_ATTR_ERR, name);
@@ -401,6 +424,14 @@
                 return;
             }
         }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+            _accessExternalStylesheet = (String)value;
+            return;
+        }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            _accessExternalDTD = (String)value;
+            return;
+        }
 
         // Throw an exception for all other attributes
         final ErrorMsg err
@@ -444,7 +475,12 @@
                 throw new TransformerConfigurationException(err.toString());
             }
             _isNotSecureProcessing = !value;
-            // all done processing feature
+
+            // set restriction, allowing no access to external stylesheet
+            if (value) {
+                _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+                _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+            }
             return;
         }
         else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) {
@@ -799,6 +835,8 @@
                 xsltc.setTemplateInlining(false);
 
         if (!_isNotSecureProcessing) xsltc.setSecureProcessing(true);
+        xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, _accessExternalStylesheet);
+        xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
         xsltc.init();
 
         // Set a document loader (for xsl:include/import) if defined
@@ -880,15 +918,20 @@
 
         // Check that the transformation went well before returning
     if (bytecodes == null) {
-
         Vector errs = xsltc.getErrors();
         ErrorMsg err = null;
         if (errs != null) {
-            err = (ErrorMsg)errs.get(errs.size()-1);
+            err = (ErrorMsg)errs.elementAt(errs.size()-1);
         } else {
             err = new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR);
         }
-        TransformerConfigurationException exc =  new TransformerConfigurationException(err.toString(), err.getCause());
+        Throwable cause = err.getCause();
+        TransformerConfigurationException exc;
+        if (cause != null) {
+            exc =  new TransformerConfigurationException(cause.getMessage(), cause);
+        } else {
+            exc =  new TransformerConfigurationException(err.toString());
+        }
 
         // Pass compiler errors to the error listener
         if (_errorListener != null) {
changeset 17534	21dc0b2762da
parent 16953	a44e04deb948
child 17991	4a8c5120a8d4