jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Mon May 06 18:50:16 2013 +0200
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Wed May 08 23:38:03 2013 -0700
@@ -225,6 +225,16 @@
private boolean _useServicesMechanism;
/**
+ * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
+ */
+ private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+ /**
+ * protocols allowed for external DTD references in source file and/or stylesheet.
+ */
+ private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
+
+ /**
* javax.xml.transform.sax.TransformerFactory implementation.
*/
public TransformerFactoryImpl() {
@@ -238,10 +248,17 @@
private TransformerFactoryImpl(boolean useServicesMechanism) {
this.m_DTMManagerClass = XSLTCDTMManager.getDTMManagerClass(useServicesMechanism);
this._useServicesMechanism = useServicesMechanism;
+
+ String defaultAccess = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
if (System.getSecurityManager() != null) {
_isSecureMode = true;
_isNotSecureProcessing = false;
+ defaultAccess = XalanConstants.getExternalAccessDefault(true);
}
+ _accessExternalStylesheet = SecuritySupport.getDefaultAccessProperty(
+ XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess);
+ _accessExternalDTD = SecuritySupport.getDefaultAccessProperty(
+ XalanConstants.SP_ACCESS_EXTERNAL_DTD, defaultAccess);
}
/**
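Review bot: Nothing in the constructor says which source wins when both a system property and a SecurityManager are present, and that precedence decides how restrictive the factory starts out. From the call shape `getDefaultAccessProperty(name, defaultAccess)` it looks as if a configured system property replaces the restricted default chosen under a SecurityManager, but SecuritySupport is not visible here, so confirm. I would add a comment above the two calls, for example `// a configured system property takes precedence; defaultAccess (restricted under a SecurityManager) is only the fallback`. The field initializers added in the first hunk are also overwritten here on every path through this constructor, which is worth stating or dropping.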
@@ -301,6 +318,12 @@
else
return Boolean.FALSE;
}
+ else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+ return _accessExternalStylesheet;
+ }
+ else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+ return _accessExternalDTD;
+ }
// Throw an exception for all other attributes
ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_INVALID_ATTR_ERR, name);
@@ -401,6 +424,14 @@
return;
}
}
+ else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+ _accessExternalStylesheet = (String)value;
+ return;
+ }
+ else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+ _accessExternalDTD = (String)value;
+ return;
+ }
// Throw an exception for all other attributes
final ErrorMsg err
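Review bot: The two new branches cast `value` to String without checking its type, so a caller passing any other object gets a ClassCastException instead of the invalid-attribute error thrown at the end of the method. A null also passes the cast and is stored, and is later handed to `xsltc.setProperty` unvalidated. Guarding the branch, e.g. `else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET) && value instanceof String) {` and the same for ACCESS_EXTERNAL_DTD, lets bad values fall through to the existing error path. The method body starts and ends outside this hunk, so the error path is only partly visible.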
@@ -444,7 +475,12 @@
throw new TransformerConfigurationException(err.toString());
}
_isNotSecureProcessing = !value;
- // all done processing feature
+
+ // set restriction, allowing no access to external stylesheet
+ if (value) {
+ _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+ _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+ }
return;
}
else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) {
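Review bot: The comment on the new block mentions only the external stylesheet, but the block also resets `_accessExternalDTD`; something like `// FSP enabled: restrict both external stylesheet and external DTD access to the FSP default` would match the code. The restriction is also order-dependent: the setAttribute branches added earlier in this commit assign the same two fields unconditionally, so a later setAttribute call replaces the value set here. If that override is intended, it should be documented on this block so callers know secure processing does not pin the two access properties. The enclosing method starts outside the hunk.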
@@ -799,6 +835,8 @@
xsltc.setTemplateInlining(false);
if (!_isNotSecureProcessing) xsltc.setSecureProcessing(true);
+ xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, _accessExternalStylesheet);
+ xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
xsltc.init();
// Set a document loader (for xsl:include/import) if defined
@@ -880,15 +918,20 @@
// Check that the transformation went well before returning
if (bytecodes == null) {
-
Vector errs = xsltc.getErrors();
ErrorMsg err = null;
if (errs != null) {
- err = (ErrorMsg)errs.get(errs.size()-1);
+ err = (ErrorMsg)errs.elementAt(errs.size()-1);
} else {
err = new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR);
}
- TransformerConfigurationException exc = new TransformerConfigurationException(err.toString(), err.getCause());
+ Throwable cause = err.getCause();
+ TransformerConfigurationException exc;
+ if (cause != null) {
+ exc = new TransformerConfigurationException(cause.getMessage(), cause);
+ } else {
+ exc = new TransformerConfigurationException(err.toString());
+ }
// Pass compiler errors to the error listener
if (_errorListener != null) {
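Review bot: `errs.elementAt(errs.size()-1)` is guarded only by `errs != null`, so if `xsltc.getErrors()` can return an empty Vector this throws ArrayIndexOutOfBoundsException instead of the intended TransformerConfigurationException; `if (errs != null && !errs.isEmpty()) {` closes that gap. The new cause branch also builds the exception from `cause.getMessage()`, which may be null and which drops the compiler's own ErrorMsg text, so callers and logs lose the context of which stylesheet construct failed. Keeping `err.toString()` as the message and passing `cause` as the second argument would preserve both. The enclosing block continues past the end of this hunk.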