# HG changeset patch # User joehw # Date 1370363712 25200 # Node ID 4a8c5120a8d4635670ce2d1ca78bc3309bc937a3 # Parent af2995fcb150376c166166e5d84f369bd102dac0 8015630: Remove default restriction settings of jaxp 1.5 properties in JDK8 Reviewed-by: alanb diff -r af2995fcb150 -r 4a8c5120a8d4 jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java --- a/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java Mon Jun 03 16:09:15 2013 -0700 +++ b/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java Tue Jun 04 09:35:12 2013 -0700 @@ -80,59 +80,6 @@ /** * FEATURE_SECURE_PROCESSING (FSP) is false by default */ - public static final String EXTERNAL_ACCESS_DEFAULT = getExternalAccessDefault(false); - - /** - * Determine the default value of the external access properties - * - * jaxp 1.5 does not require implementations to restrict by default - * - * For JDK8: - * The default value is 'file' (including jar:file); The keyword "all" grants permission - * to all protocols. When {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is on, - * the default value is an empty string indicating no access is allowed. - * - * For JDK7: - * The default value is 'all' granting permission to all protocols. If by default, - * {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is true, it should - * not change the default value. However, if {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} - * is set explicitly, the values of the properties shall be set to an empty string - * indicating no access is allowed. - * - * @param isSecureProcessing indicating if Secure Processing is set - * @return default value - */ - public static String getExternalAccessDefault(boolean isSecureProcessing) { - String defaultValue = "all"; - if (isJDKandAbove(RESTRICT_BY_DEFAULT_JDK_VERSION)) { - defaultValue = "file"; - if (isSecureProcessing) { - defaultValue = EXTERNAL_ACCESS_DEFAULT_FSP; - } - } - return defaultValue; - } - - /* - * Check the version of the current JDK against that specified in the - * parameter - * - * There is a proposal to change the java version string to: - * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL - * This method would work with both the current format and that proposed - * - * @param compareTo a JDK version to be compared to - * @return true if the current version is the same or above that represented - * by the parameter - */ - public static boolean isJDKandAbove(int compareTo) { - String javaVersion = SecuritySupport.getSystemProperty("java.version"); - String versions[] = javaVersion.split("\\.", 3); - if (Integer.parseInt(versions[0]) >= compareTo || - Integer.parseInt(versions[1]) >= compareTo) { - return true; - } - return false; - } + public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL; } // class Constants diff -r af2995fcb150 -r 4a8c5120a8d4 jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java --- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Mon Jun 03 16:09:15 2013 -0700 +++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Tue Jun 04 09:35:12 2013 -0700 @@ -253,7 +253,6 @@ if (System.getSecurityManager() != null) { _isSecureMode = true; _isNotSecureProcessing = false; - defaultAccess = XalanConstants.getExternalAccessDefault(true); } _accessExternalStylesheet = SecuritySupport.getDefaultAccessProperty( XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess); diff -r af2995fcb150 -r 4a8c5120a8d4 jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java --- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java Mon Jun 03 16:09:15 2013 -0700 +++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java Tue Jun 04 09:35:12 2013 -0700 @@ -202,7 +202,7 @@ /** * FEATURE_SECURE_PROCESSING (FSP) is true by default */ - public static final String EXTERNAL_ACCESS_DEFAULT = getExternalAccessDefault(true); + public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL; // // DOM features @@ -697,58 +697,6 @@ ? new ArrayEnumeration(fgXercesProperties) : fgEmptyEnumeration; } // getXercesProperties():Enumeration - /** - * Determine the default value of the external access properties - * - * jaxp 1.5 does not require implementations to restrict by default - * - * For JDK8: - * The default value is 'file' (including jar:file); The keyword "all" grants permission - * to all protocols. When {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is on, - * the default value is an empty string indicating no access is allowed. - * - * For JDK7: - * The default value is 'all' granting permission to all protocols. If by default, - * {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is true, it should - * not change the default value. However, if {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} - * is set explicitly, the values of the properties shall be set to an empty string - * indicating no access is allowed. - * - * @param isSecureProcessing indicating if Secure Processing is set - * @return default value - */ - public static String getExternalAccessDefault(boolean isSecureProcessing) { - String defaultValue = "all"; - if (isJDKandAbove(RESTRICT_BY_DEFAULT_JDK_VERSION)) { - defaultValue = "file"; - if (isSecureProcessing) { - defaultValue = EXTERNAL_ACCESS_DEFAULT_FSP; - } - } - return defaultValue; - } - - /* - * Check the version of the current JDK against that specified in the - * parameter - * - * There is a proposal to change the java version string to: - * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL - * This method would work with both the current format and that proposed - * - * @param compareTo a JDK version to be compared to - * @return true if the current version is the same or above that represented - * by the parameter - */ - public static boolean isJDKandAbove(int compareTo) { - String javaVersion = SecuritySupport.getSystemProperty("java.version"); - String versions[] = javaVersion.split("\\.", 3); - if (Integer.parseInt(versions[0]) >= compareTo || - Integer.parseInt(versions[1]) >= compareTo) { - return true; - } - return false; - } // // Classes diff -r af2995fcb150 -r 4a8c5120a8d4 jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java --- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Mon Jun 03 16:09:15 2013 -0700 +++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Tue Jun 04 09:35:12 2013 -0700 @@ -364,10 +364,15 @@ SAXMessageFormatter.formatMessage(null, "jaxp-secureprocessing-feature", null)); } - fSecurityManager = value ? new SecurityManager() : null; + if (value) { + fSecurityManager = new SecurityManager(); + fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + } else { + fSecurityManager = null; + } + fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager); - fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); - fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); return; } else if (name.equals(Constants.ORACLE_FEATURE_SERVICE_MECHANISM)) { //in secure mode, let _useServicesMechanism be determined by the constructor