jdk-sandbox: comparison jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java

equal deleted inserted replaced

-:93a2cadbbd33
+:21dc0b2762da
 import com.sun.org.apache.xerces.internal.util.StAXLocationWrapper;
 import com.sun.org.apache.xerces.internal.util.SymbolHash;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xs.XSParticle;
 import com.sun.org.apache.xerces.internal.xs.XSSimpleTypeDefinition;
 import com.sun.org.apache.xerces.internal.xs.XSTerm;
 import com.sun.org.apache.xerces.internal.xs.XSTypeDefinition;
 import com.sun.org.apache.xerces.internal.xs.datatypes.ObjectList;
+import javax.xml.XMLConstants;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 /** Property identifier: locale. */
 protected static final String LOCALE =
 Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
+/** property identifier: access external dtd. */
+public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+/** Property identifier: access to external schema */
+public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 protected static final boolean DEBUG_NODE_POOL = false;
 // Data
 // different sorts of declarations; should make lookup and
 * <p>Security manager in effect.</p>
 *
 * <p>Protected to allow access by any traverser.</p>
 */
 protected SecurityManager fSecureProcessing = null;
+private String fAccessExternalSchema;
 // These tables correspond to the symbol spaces defined in the
 // spec.
 // They are keyed with a QName (that is, String("URI,localpart) and
 // their values are nodes corresponding to the given name's decl.
 key = new XSDKey(schemaId, referType, schemaNamespace);
 if((schemaElement = (Element)fTraversed.get(key)) != null) {
 fLastSchemaWasDuplicate = true;
 return schemaElement;
 }
+if (referType == XSDDescription.CONTEXT_IMPORT || referType == XSDDescription.CONTEXT_INCLUDE
+|| referType == XSDDescription.CONTEXT_REDEFINE) {
+String accessError = SecuritySupport.checkAccess(schemaId, fAccessExternalSchema, Constants.ACCESS_EXTERNAL_ALL);
+if (accessError != null) {
+reportSchemaFatalError("schema_reference.access",
+new Object[] { SecuritySupport.sanitizePath(schemaId), accessError },
+referElement);
+}
+}
 }
 fSchemaParser.parse(schemaSource);
 Document schemaDocument = fSchemaParser.getDocument();
 schemaElement = schemaDocument != null ? DOMUtil.getRoot(schemaDocument) : null;
 fSchemaParser.setProperty(SECURITY_MANAGER, security);
 }
 } catch (XMLConfigurationException e) {
 }
+//For Schema validation, the secure feature is set to true by default
+fSchemaParser.setProperty(ACCESS_EXTERNAL_DTD,
+componentManager.getProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT));
+fAccessExternalSchema = (String) componentManager.getProperty(
+ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
 } // reset(XMLComponentManager)
 /**
 * Traverse all the deferred local elements. This method should be called

changeset 17534	21dc0b2762da
parent 12457	c348e06f0e82
child 18890	25bdeca3173b
child 20964	a5cd729f176d