--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java Mon May 06 18:50:16 2013 +0200
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java Wed May 08 23:38:03 2013 -0700
@@ -23,6 +23,16 @@
package com.sun.org.apache.xalan.internal.xsltc.compiler;
+import com.sun.java_cup.internal.runtime.Symbol;
+import com.sun.org.apache.xalan.internal.XalanConstants;
+import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
+import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodType;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.TypeCheckError;
+import com.sun.org.apache.xml.internal.serializer.utils.SystemIDResolver;
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
@@ -33,27 +43,18 @@
import java.util.Stack;
import java.util.StringTokenizer;
import java.util.Vector;
-
-import com.sun.java_cup.internal.runtime.Symbol;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
-
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodType;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.TypeCheckError;
-import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
-import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
import org.xml.sax.Attributes;
-import org.xml.sax.helpers.AttributesImpl;
import org.xml.sax.ContentHandler;
import org.xml.sax.InputSource;
import org.xml.sax.Locator;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.AttributesImpl;
/**
* @author Jacek Ambroziak
@@ -475,6 +476,8 @@
factory.setNamespaceAware(true);
}
final SAXParser parser = factory.newSAXParser();
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
+ _xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
final XMLReader reader = parser.getXMLReader();
return(parse(reader, input));
}
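Review bot: The added `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ...)` call has no visible handling for a SAXParser that does not recognise the property, which `SAXParser.setProperty` reports with SAXNotRecognizedException or SAXNotSupportedException. If the factory can resolve to a non-JDK parser, either every stylesheet parse fails there or, if a catch outside the hunk absorbs the exception, the DTD restriction is silently not applied. Make the choice explicit: wrap the call in its own `catch (SAXNotRecognizedException e)` that reports a warning, or keep it failing closed and say so in a comment such as `// fail the parse if the parser cannot enforce accessExternalDTD`. It would also help to document what `_xsltc.getProperty` returns when the property was never set, since that value is passed straight through. The enclosing method starts outside the hunk.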
@@ -547,6 +550,25 @@
return(element);
}
else {
+ try {
+ String path = _target;
+ if (path.indexOf(":")==-1) {
+ path = "file:" + path;
+ }
+ path = SystemIDResolver.getAbsoluteURI(path);
+ String accessError = SecuritySupport.checkAccess(path,
+ _xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
+ XalanConstants.ACCESS_EXTERNAL_ALL);
+ if (accessError != null) {
+ ErrorMsg msg = new ErrorMsg(ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+ SecuritySupport.sanitizePath(_target), accessError,
+ root);
+ throw new CompilerException(msg.toString());
+ }
+ } catch (IOException ex) {
+ throw new CompilerException(ex);
+ }
+
return(loadExternalStylesheet(_target));
}
}
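Review bot: The access check runs on a locally derived `path` (scheme prefixed, then `SystemIDResolver.getAbsoluteURI`), but the load that follows is `loadExternalStylesheet(_target)` with the original string, so the authorised URI and the opened resource match only if both resolve `_target` identically. loadExternalStylesheet is outside the hunk, so this cannot be confirmed here. A comment at the call such as `// checkAccess validated the absolute URI of _target; loadExternalStylesheet must resolve it the same way` would pin the assumption, or the resolved value could be shared between check and load. Separately, `path.indexOf(":")==-1` treats any colon as a scheme separator, so a Windows path with a drive letter would presumably skip the `file:` prefix and reach checkAccess with the drive letter in the scheme position; that case deserves a test or a short comment. The enclosing method starts outside the hunk.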