--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Mon Jul 29 14:07:44 2013 +0100
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Wed Jul 31 00:37:01 2013 -0700
@@ -30,8 +30,9 @@
import com.sun.org.apache.xerces.internal.util.*;
import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
-import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
import com.sun.org.apache.xerces.internal.xni.XNIException;
@@ -174,7 +175,6 @@
/** access external dtd: file protocol */
static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
-
// recognized features and properties
/** Recognized features. */
@@ -307,6 +307,7 @@
/** used to restrict external access */
protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
+
// settings
/**
@@ -324,10 +325,13 @@
*/
protected int fBufferSize = DEFAULT_BUFFER_SIZE;
- // stores defaults for entity expansion limit if it has
- // been set on the configuration.
+ /** Security Manager */
protected XMLSecurityManager fSecurityManager = null;
+ protected XMLLimitAnalyzer fLimitAnalyzer = null;
+
+ protected int entityExpansionIndex;
+
/**
* True if the document entity is standalone. This should really
* only be set by the document source (e.g. XMLDocumentScanner).
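Review bot: The two new fields after `/** Security Manager */` have no documentation, and `entityExpansionIndex` drops the `f` prefix used by every other field in this class. I would add `/** Limit analyzer obtained from fSecurityManager; null when no security manager is set. */` above `fLimitAnalyzer`. Above the index I would add `/** Index of the entity expansion limit within fSecurityManager, resolved in reset(XMLComponentManager). */`. The index defaults to 0 until something assigns it, so the comment should say which reset path does that.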
@@ -352,10 +356,6 @@
/** XML 1.1 entity scanner. */
protected XMLEntityScanner fXML11EntityScanner;
- /** entity expansion limit (contains useful data if and only if
- fSecurityManager is non-null) */
- protected int fEntityExpansionLimit = 0;
-
/** count of entities expanded: */
protected int fEntityExpansionCount = 0;
@@ -833,6 +833,9 @@
fCurrentEntity.setEncodingExternallySpecified(encodingExternallySpecified);
fEntityScanner.setCurrentEntity(fCurrentEntity);
fResourceIdentifier.setValues(publicId, literalSystemId, baseSystemId, expandedSystemId);
+ if (fLimitAnalyzer != null) {
+ fLimitAnalyzer.startEntity(name);
+ }
return encoding;
} //setupCurrentEntity(String, XMLInputSource, boolean, boolean): String
@@ -1294,10 +1297,13 @@
//expansions exceeds the entity expansion limit, parser will throw fatal error.
// Note that this represents the nesting level of open entities.
fEntityExpansionCount++;
- if( fSecurityManager != null && fEntityExpansionCount > fEntityExpansionLimit ){
- fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,
- "EntityExpansionLimitExceeded",
- new Object[]{new Integer(fEntityExpansionLimit) },
+ if(fLimitAnalyzer != null) {
+ fLimitAnalyzer.addValue(entityExpansionIndex, name, 1);
+ }
+ if( fSecurityManager != null && fSecurityManager.isOverLimit(entityExpansionIndex)){
+ fSecurityManager.debugPrint();
+ fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,"EntityExpansionLimitExceeded",
+ new Object[]{fSecurityManager.getLimitValueByIndex(entityExpansionIndex)},
XMLErrorReporter.SEVERITY_FATAL_ERROR );
// is there anything better to do than reset the counter?
// at least one can envision debugging applications where this might
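Review bot: The limit test `fSecurityManager.isOverLimit(entityExpansionIndex)` no longer reads `fEntityExpansionCount`, yet that counter is still incremented just above and the trailing comment still talks about resetting it. The reset itself is outside this hunk; if it only clears `fEntityExpansionCount`, the total tracked by the analyzer would stay over the limit after the fatal error, so this is worth checking against continue-after-fatal-error configurations. The unconditional `fSecurityManager.debugPrint()` on the rejection path should either be gated or carry a comment such as `// emits limit diagnostics only when debugging is enabled`, because what it writes and where is not visible here. The comment `// Note that this represents the nesting level of open entities` should also be updated to describe what the analyzer value represents.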
@@ -1361,6 +1367,12 @@
if(fCurrentEntity != null){
//close the reader
try{
+ if (fLimitAnalyzer != null) {
+ fLimitAnalyzer.endEntity(XMLSecurityManager.Limit.GENEAL_ENTITY_SIZE_LIMIT, fCurrentEntity.name);
+ if (fCurrentEntity.name.equals("[xml]")) {
+ fSecurityManager.debugPrint();
+ }
+ }
fCurrentEntity.close();
}catch(IOException ex){
throw new XNIException(ex);
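Review bot: The accounting calls sit inside the `try` ahead of `fCurrentEntity.close()`, so any runtime exception from `endEntity` or `debugPrint` skips the close and leaves the reader open; closing first, or moving the accounting outside the `try`, avoids that. The guard tests `fLimitAnalyzer != null` but the inner call dereferences `fSecurityManager`, and `fCurrentEntity.name.equals("[xml]")` fails on a null name. I would write `if (fSecurityManager != null && "[xml]".equals(fCurrentEntity.name))`. The literal `"[xml]"` would also read better as a named constant if the class already has one for the document entity. The enclosing method starts and ends outside the hunk.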
@@ -1426,6 +1438,9 @@
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
+ fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(SECURITY_MANAGER);
+ fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
+
// initialize state
//fStandalone = false;
fEntities.clear();
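Review bot: `fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();` dereferences the property value without a null check, so a parser configured without a security manager would fail in reset with a NullPointerException. The same pattern appears in the `reset(XMLComponentManager)` hunk, where the lookup passes an explicit `null` default, and in the `setProperty` hunk, which replaces a null-tolerant ternary. The rest of the class still tests `fSecurityManager != null` before use, so null appears to be an expected state. I would use `fLimitAnalyzer = (fSecurityManager != null) ? fSecurityManager.getLimitAnalyzer() : null;` at all three sites.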
@@ -1486,6 +1501,8 @@
fStaxEntityResolver = (StaxEntityResolverWrapper)componentManager.getProperty(STAX_ENTITY_RESOLVER, null);
fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null);
fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
+ fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
+ entityExpansionIndex = fSecurityManager.getIndex(Constants.JDK_ENTITY_EXPANSION_LIMIT);
// JAXP 1.5 feature
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
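Review bot: Among the hunks shown, `entityExpansionIndex` is assigned only here, so the `reset(PropertyManager)` and `setProperty` paths replace `fSecurityManager` while leaving the index at its default of 0 or at a value resolved from the previous manager. The expansion check then calls `isOverLimit(entityExpansionIndex)` with that value. Whether index 0 is the entity expansion limit cannot be told from this diff; if it is not, the StAX path would enforce the wrong limit for entity expansion. I would resolve the index wherever the manager is set, `entityExpansionIndex = fSecurityManager.getIndex(Constants.JDK_ENTITY_EXPANSION_LIMIT);`, or do it once in a small private helper that all three sites call.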
@@ -1506,9 +1523,6 @@
// a class acting as a component manager but not
// implementing that interface for whatever reason.
public void reset() {
- fEntityExpansionLimit = (fSecurityManager != null)?
- fSecurityManager.getLimit(XMLSecurityManager.Limit.ENTITY_EXPANSION_LIMIT):0;
-
// initialize state
fStandalone = false;
@@ -1645,9 +1659,7 @@
if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
fSecurityManager = (XMLSecurityManager)value;
- fEntityExpansionLimit = (fSecurityManager != null)?
- fSecurityManager.getLimit(XMLSecurityManager.Limit.ENTITY_EXPANSION_LIMIT):0;
-
+ fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
}
}
@@ -1656,9 +1668,8 @@
{
XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
+ }
}
- }
-
/**
* Returns a list of property identifiers that are recognized by
* this component. This method may return null if no properties