jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Mon Jul 29 14:07:44 2013 +0100
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Wed Jul 31 00:37:01 2013 -0700
@@ -27,6 +27,7 @@
import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager;
import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property;
import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.State;
@@ -218,13 +219,13 @@
* protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
*/
private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
-
/**
* protocols allowed for external DTD references in source file and/or stylesheet.
*/
private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
private XMLSecurityPropertyManager _xmlSecurityPropertyMgr;
+ private XMLSecurityManager _xmlSecurityManager;
/**
* javax.xml.transform.sax.TransformerFactory implementation.
@@ -250,6 +251,9 @@
Property.ACCESS_EXTERNAL_DTD);
_accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
Property.ACCESS_EXTERNAL_STYLESHEET);
+
+ //Parser's security manager
+ _xmlSecurityManager = new XMLSecurityManager(true);
}
/**
@@ -311,11 +315,21 @@
return Boolean.TRUE;
else
return Boolean.FALSE;
+ } else if (name.equals(XalanConstants.SECURITY_MANAGER)) {
+ return _xmlSecurityManager;
}
- int index = _xmlSecurityPropertyMgr.getIndex(name);
- if (index > -1) {
- return _xmlSecurityPropertyMgr.getValueByIndex(index);
+ /** Check to see if the property is managed by the security manager **/
+ String propertyValue = (_xmlSecurityManager != null) ?
+ _xmlSecurityManager.getLimitAsString(name) : null;
+ if (propertyValue != null) {
+ return propertyValue;
+ } else {
+ propertyValue = (_xmlSecurityPropertyMgr != null) ?
+ _xmlSecurityPropertyMgr.getValue(name) : null;
+ if (propertyValue != null) {
+ return propertyValue;
+ }
}
// Throw an exception for all other attributes
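Review bot: The null guards on `_xmlSecurityManager` and `_xmlSecurityPropertyMgr` in the added lookup are inconsistent with the rest of the commit. The setAttribute hunk guards both fields the same way, but the secure-processing hunk calls `_xmlSecurityManager.setSecureProcessing(value)` with no check, and the branch just above returns `_xmlSecurityManager` unchecked. The constructor hunk assigns the field unconditionally, so if no other constructor exists the guards are dead code; if one does, the unguarded call can throw a NullPointerException while a security setting is being applied. Declaring the field as `private final XMLSecurityManager _xmlSecurityManager;` and dropping the ternaries would settle it either way. The enclosing method begins and ends outside this hunk.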
@@ -419,10 +433,13 @@
}
}
- int index = _xmlSecurityPropertyMgr.getIndex(name);
- if (index > -1) {
- _xmlSecurityPropertyMgr.setValue(index,
- State.APIPROPERTY, (String)value);
+ if (_xmlSecurityManager != null &&
+ _xmlSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, value)) {
+ return;
+ }
+
+ if (_xmlSecurityPropertyMgr != null &&
+ _xmlSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, value)) {
_accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
Property.ACCESS_EXTERNAL_DTD);
_accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
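Review bot: `value` now reaches `setLimit` and `setValue` without the `(String)` cast that the removed lines applied, so the handling of a non-String, non-numeric or negative limit depends entirely on code this diff does not show. If `setLimit` parses the value, a malformed limit should surface as an `IllegalArgumentException` that names the attribute, and a rejected value should not take the early `return` as if it had been applied. Once that contract is confirmed, a comment above the first `if` would record it, for example `// setLimit returns true only when name is a known limit and value was accepted`. The enclosing method starts and ends outside the hunk.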
@@ -473,6 +490,7 @@
throw new TransformerConfigurationException(err.toString());
}
_isNotSecureProcessing = !value;
+ _xmlSecurityManager.setSecureProcessing(value);
// set external access restriction when FSP is explicitly set
if (value && XalanConstants.IS_JDK8_OR_ABOVE) {
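Review bot: The added `_xmlSecurityManager.setSecureProcessing(value)` has no comment, yet it means that clearing the feature now changes the security manager's limits as well as `_isNotSecureProcessing`. What `setSecureProcessing(false)` does to limits that were set earlier through `setAttribute` is not visible in this diff, and it should be stated here because it decides which setting wins. A line such as `// keep the security manager's limits in step with FSP; confirm that API-set limits keep precedence` above the call would cover it. The enclosing method begins and ends outside the hunk.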
@@ -849,6 +867,7 @@
if (!_isNotSecureProcessing) xsltc.setSecureProcessing(true);
xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, _accessExternalStylesheet);
xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
+ xsltc.setProperty(XalanConstants.SECURITY_MANAGER, _xmlSecurityManager);
xsltc.init();
// Set a document loader (for xsl:include/import) if defined