--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Mon May 06 18:50:16 2013 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Wed May 08 23:38:03 2013 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2006, 2013 Oracle and/or its affiliates. All rights reserved.
*/
/*
@@ -20,51 +20,37 @@
package com.sun.org.apache.xerces.internal.impl ;
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.impl.io.ASCIIReader;
+import com.sun.org.apache.xerces.internal.impl.io.UCSReader;
+import com.sun.org.apache.xerces.internal.impl.io.UTF8Reader;
+import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
+import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
+import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
+import com.sun.org.apache.xerces.internal.util.*;
+import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.util.URI;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.xni.Augmentations;
+import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
+import com.sun.org.apache.xerces.internal.xni.XNIException;
+import com.sun.org.apache.xerces.internal.xni.parser.*;
+import com.sun.xml.internal.stream.Entity;
import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
import com.sun.xml.internal.stream.StaxXMLInputSource;
import com.sun.xml.internal.stream.XMLEntityStorage;
import java.io.*;
-import java.io.BufferedReader;
-import java.util.*;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.Reader;
-import java.io.StringReader;
import java.lang.reflect.Method;
import java.net.HttpURLConnection;
+import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
-import java.net.URISyntaxException;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Stack;
-
-
-import com.sun.org.apache.xerces.internal.impl.io.*;
-import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.*;
-import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
-import com.sun.org.apache.xerces.internal.xni.XNIException;
-import com.sun.org.apache.xerces.internal.xni.parser.*;
-import com.sun.org.apache.xerces.internal.impl.Constants;
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
-import com.sun.xml.internal.stream.Entity;
-import com.sun.org.apache.xerces.internal.xni.Augmentations;
-
-import com.sun.org.apache.xerces.internal.impl.io.UTF8Reader;
-import com.sun.org.apache.xerces.internal.impl.io.ASCIIReader;
-import com.sun.org.apache.xerces.internal.impl.io.UCSReader;
-import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
-import com.sun.org.apache.xerces.internal.util.HTTPInputSource;
-import com.sun.org.apache.xerces.internal.xinclude.XIncludeHandler;
-
-import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
-import com.sun.org.apache.xerces.internal.util.URI;
+import javax.xml.XMLConstants;
/**
@@ -140,6 +126,10 @@
protected static final String WARN_ON_DUPLICATE_ENTITYDEF =
Constants.XERCES_FEATURE_PREFIX +Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE;
+ /** Feature identifier: load external DTD. */
+ protected static final String LOAD_EXTERNAL_DTD =
+ Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE;
+
// property identifiers
/** Property identifier: symbol table. */
@@ -173,8 +163,16 @@
protected static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
-protected static final String PARSER_SETTINGS =
+ protected static final String PARSER_SETTINGS =
Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
+
+ /** property identifier: access external dtd. */
+ protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+ /** access external dtd: file protocol */
+ static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
+
+
// recognized features and properties
/** Recognized features. */
@@ -205,7 +203,7 @@
VALIDATION_MANAGER,
BUFFER_SIZE,
SECURITY_MANAGER,
-
+ ACCESS_EXTERNAL_DTD
};
/** Property defaults. */
@@ -215,7 +213,8 @@
null,
null,
new Integer(DEFAULT_BUFFER_SIZE),
- null
+ null,
+ EXTERNAL_ACCESS_DEFAULT
};
private static final String XMLEntity = "[xml]".intern();
@@ -274,6 +273,8 @@
*/
protected boolean fAllowJavaEncodings = true ;
+ /** Load external DTD. */
+ protected boolean fLoadExternalDTD = true;
// properties
@@ -302,7 +303,8 @@
/** Property Manager. This is used from Stax */
protected PropertyManager fPropertyManager ;
-
+ /** used to restrict external access */
+ protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
// settings
/**
@@ -366,6 +368,9 @@
/** Current entity. */
protected Entity.ScannedEntity fCurrentEntity = null;
+ /** identify if the InputSource is created by a resolver */
+ boolean fISCreatedByResolver = false;
+
// shared context
protected XMLEntityStorage fEntityStorage ;
@@ -965,18 +970,25 @@
System.out.println("BEFORE Calling resolveEntity") ;
}
+ fISCreatedByResolver = false;
//either of Stax or Xerces would be null
if(fStaxEntityResolver != null){
staxInputSource = fStaxEntityResolver.resolveEntity(ri);
+ if(staxInputSource != null) {
+ fISCreatedByResolver = true;
+ }
}
if(fEntityResolver != null){
xmlInputSource = fEntityResolver.resolveEntity(ri);
+ if(xmlInputSource != null) {
+ fISCreatedByResolver = true;
+ }
}
if(xmlInputSource != null){
//wrap this XMLInputSource to StaxInputSource
- staxInputSource = new StaxXMLInputSource(xmlInputSource);
+ staxInputSource = new StaxXMLInputSource(xmlInputSource, fISCreatedByResolver);
}
// do default resolution
@@ -1108,7 +1120,13 @@
// should we skip external entities?
boolean external = entity.isExternal();
+ Entity.ExternalEntity externalEntity = null;
+ String extLitSysId = null, extBaseSysId = null, expandedSystemId = null;
if (external) {
+ externalEntity = (Entity.ExternalEntity)entity;
+ extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null);
+ extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null);
+ expandedSystemId = expandSystemId(extLitSysId, extBaseSysId);
boolean unparsed = entity.isUnparsed();
boolean parameter = entityName.startsWith("%");
boolean general = !parameter;
@@ -1118,13 +1136,6 @@
if (fEntityHandler != null) {
fResourceIdentifier.clear();
final String encoding = null;
- Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity;
- //REVISIT: since we're storing expandedSystemId in the
- // externalEntity, how could this have got here if it wasn't already
- // expanded??? - neilg
- String extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null);
- String extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null);
- String expandedSystemId = expandSystemId(extLitSysId, extBaseSysId);
fResourceIdentifier.setValues(
(externalEntity.entityLocation != null ? externalEntity.entityLocation.getPublicId() : null),
extLitSysId, extBaseSysId, expandedSystemId);
@@ -1162,11 +1173,6 @@
fResourceIdentifier.clear();
final String encoding = null;
if (external) {
- Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity;
- // REVISIT: for the same reason above...
- String extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null);
- String extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null);
- String expandedSystemId = expandSystemId(extLitSysId, extBaseSysId);
fResourceIdentifier.setValues(
(externalEntity.entityLocation != null ? externalEntity.entityLocation.getPublicId() : null),
extLitSysId, extBaseSysId, expandedSystemId);
@@ -1188,7 +1194,6 @@
XMLInputSource xmlInputSource = null ;
if (external) {
- Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity;
staxInputSource = resolveEntityAsPerStax(externalEntity.entityLocation);
/** xxx: Waiting from the EG
* //simply return if there was entity resolver registered and application
@@ -1196,6 +1201,18 @@
* if(staxInputSource.hasXMLStreamOrXMLEventReader()) return ;
*/
xmlInputSource = staxInputSource.getXMLInputSource() ;
+ if (!fISCreatedByResolver) {
+ //let the not-LoadExternalDTD or not-SupportDTD process to handle the situation
+ if (fLoadExternalDTD) {
+ String accessError = SecuritySupport.checkAccess(expandedSystemId, fAccessExternalDTD, Constants.ACCESS_EXTERNAL_ALL);
+ if (accessError != null) {
+ fErrorReporter.reportError(this.getEntityScanner(),XMLMessageFormatter.XML_DOMAIN,
+ "AccessExternalEntity",
+ new Object[] { SecuritySupport.sanitizePath(expandedSystemId), accessError },
+ XMLErrorReporter.SEVERITY_FATAL_ERROR);
+ }
+ }
+ }
}
// wrap internal entity
else {
@@ -1400,6 +1417,12 @@
fStaxEntityResolver = null;
}
+ // Zephyr feature ignore-external-dtd is the opposite of Xerces' load-external-dtd
+ fLoadExternalDTD = !((Boolean)propertyManager.getProperty(Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD)).booleanValue();
+
+ // JAXP 1.5 feature
+ fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
+
// initialize state
//fStandalone = false;
fEntities.clear();
@@ -1409,8 +1432,6 @@
fExternalGeneralEntities = true;
fExternalParameterEntities = true;
fAllowJavaEncodings = true ;
-
- //test();
}
/**
@@ -1453,6 +1474,7 @@
fAllowJavaEncodings = componentManager.getFeature(ALLOW_JAVA_ENCODINGS, false);
fWarnDuplicateEntityDef = componentManager.getFeature(WARN_ON_DUPLICATE_ENTITYDEF, false);
fStrictURI = componentManager.getFeature(STANDARD_URI_CONFORMANT, false);
+ fLoadExternalDTD = componentManager.getFeature(LOAD_EXTERNAL_DTD, true);
// xerces properties
fSymbolTable = (SymbolTable)componentManager.getProperty(SYMBOL_TABLE);
@@ -1462,6 +1484,9 @@
fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null);
fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
+ // JAXP 1.5 feature
+ fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
+
//reset general state
reset();
@@ -1554,6 +1579,11 @@
featureId.endsWith(Constants.ALLOW_JAVA_ENCODINGS_FEATURE)) {
fAllowJavaEncodings = state;
}
+ if (suffixLength == Constants.LOAD_EXTERNAL_DTD_FEATURE.length() &&
+ featureId.endsWith(Constants.LOAD_EXTERNAL_DTD_FEATURE)) {
+ fLoadExternalDTD = state;
+ return;
+ }
}
} // setFeature(String,boolean)
@@ -1610,7 +1640,15 @@
}
}
+ //JAXP 1.5 properties
+ if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
+ if (propertyId.equals(ACCESS_EXTERNAL_DTD))
+ {
+ fAccessExternalDTD = (String)value;
+ }
+ }
}
+
/**
* Returns a list of property identifiers that are recognized by
* this component. This method may return null if no properties