--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java Tue Jul 09 16:34:52 2013 -0700
@@ -37,6 +37,9 @@
import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
import com.sun.org.apache.xerces.internal.parsers.DOMParser;
import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -97,12 +100,17 @@
private static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
+ /** Property identifier: Security property manager. */
+ private static final String XML_SECURITY_PROPERTY_MANAGER =
+ Constants.XML_SECURITY_PROPERTY_MANAGER;
+
/** property identifier: access external dtd. */
public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
/** Property identifier: access to external schema */
public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
private final DOMParser domParser;
private final Schema grammar;
@@ -117,6 +125,8 @@
/** Initial EntityResolver */
private final EntityResolver fInitEntityResolver;
+ private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
DocumentBuilderImpl(DocumentBuilderFactoryImpl dbf, Hashtable dbfAttrs, Hashtable features)
throws SAXNotRecognizedException, SAXNotSupportedException {
this(dbf, dbfAttrs, features, false);
@@ -160,23 +170,27 @@
domParser.setFeature(XINCLUDE_FEATURE, true);
}
+ fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+ domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+
// If the secure processing feature is on set a security manager.
if (secureProcessing) {
domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
/**
- * By default, secure processing is set, no external access is allowed.
- * However, we need to check if it is actively set on the factory since we
- * allow the use of the System Property or jaxp.properties to override
- * the default value
+ * If secure processing is explicitly set on the factory, the
+ * access properties will be set unless the corresponding
+ * System Properties or jaxp.properties are set
*/
if (features != null) {
Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
if (temp != null) {
boolean value = ((Boolean) temp).booleanValue();
- if (value) {
- domParser.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
- domParser.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+ if (value && Constants.IS_JDK8_OR_ABOVE) {
+ fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD,
+ State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+ fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_SCHEMA,
+ State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
}
}
}
@@ -220,7 +234,7 @@
setFeatures(features);
}
- // Set attributes
+ //setAttribute override those that may be set by other means
setDocumentBuilderFactoryAttributes(dbfAttrs);
// Initial EntityResolver
@@ -275,26 +289,32 @@
// spec when schema validation is enabled
domParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA);
}
- }
- } else if(JAXP_SCHEMA_SOURCE.equals(name)){
- if( isValidating() ) {
- String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE);
- if(value !=null && W3C_XML_SCHEMA.equals(value)){
- domParser.setProperty(name, val);
- }else{
+ }
+ } else if(JAXP_SCHEMA_SOURCE.equals(name)){
+ if( isValidating() ) {
+ String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE);
+ if(value !=null && W3C_XML_SCHEMA.equals(value)){
+ domParser.setProperty(name, val);
+ }else{
throw new IllegalArgumentException(
DOMMessageFormatter.formatMessage(DOMMessageFormatter.DOM_DOMAIN,
"jaxp-order-not-supported",
new Object[] {JAXP_SCHEMA_LANGUAGE, JAXP_SCHEMA_SOURCE}));
- }
- }
- } else {
- // Let Xerces code handle the property
- domParser.setProperty(name, val);
- }
}
- }
+ }
+ } else {
+ int index = fSecurityPropertyMgr.getIndex(name);
+ if (index > -1) {
+ fSecurityPropertyMgr.setValue(index,
+ XMLSecurityPropertyManager.State.APIPROPERTY, (String)val);
+ } else {
+ // Let Xerces code handle the property
+ domParser.setProperty(name, val);
+ }
+ }
+ }
}
+ }
/**
* Non-preferred: use the getDOMImplementation() method instead of this