8016648: FEATURE_SECURE_PROCESSING set to true or false causes SAXParseException to be thrown
authorjoehw
Tue, 09 Jul 2013 16:34:52 -0700
changeset 18890 25bdeca3173b
parent 18675 711eb4aa87de
child 18891 be38bcc1d0f3
8016648: FEATURE_SECURE_PROCESSING set to true or false causes SAXParseException to be thrown Summary: jaxp 1.5 feature update Reviewed-by: alanb, dfuchs, lancea
jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java
jaxp/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java
jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java
jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java
jaxp/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java
jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java
jaxp/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java
jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java
jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java
jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java
jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java
jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java
jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java
jaxp/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java
jaxp/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java
jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java
jaxp/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java
jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java
jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java
jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java
--- a/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java	Tue Jul 09 16:34:52 2013 -0700
@@ -73,13 +73,39 @@
      * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
      */
     public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
-    /**
-     * JDK version by which the default is to restrict external connection
-     */
-    public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
+
     /**
      * FEATURE_SECURE_PROCESSING (FSP) is false by default
      */
     public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
 
+    public static final String XML_SECURITY_PROPERTY_MANAGER =
+            ORACLE_JAXP_PROPERTY_PREFIX + "xmlSecurityPropertyManager";
+
+    /**
+     * Check if we're in jdk8 or above
+     */
+    public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8);
+
+    /*
+     * Check the version of the current JDK against that specified in the
+     * parameter
+     *
+     * There is a proposal to change the java version string to:
+     * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
+     * This method would work with both the current format and that proposed
+     *
+     * @param compareTo a JDK version to be compared to
+     * @return true if the current version is the same or above that represented
+     * by the parameter
+     */
+    public static boolean isJavaVersionAtLeast(int compareTo) {
+        String javaVersion = SecuritySupport.getSystemProperty("java.version");
+        String versions[] = javaVersion.split("\\.", 3);
+        if (Integer.parseInt(versions[0]) >= compareTo ||
+            Integer.parseInt(versions[1]) >= compareTo) {
+            return true;
+        }
+        return false;
+    }
 } // class Constants
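Review bot: `isJavaVersionAtLeast` can throw from the static initialiser of `IS_JDK8_OR_ABOVE`, because `javaVersion` is dereferenced without a null check (`XMLSecurityPropertyManager.getSystemProperty` in this same change treats `SecuritySupport.getSystemProperty` as nullable) and `Integer.parseInt` is unguarded against a component that is not purely numeric, such as a pre-release suffix. `versions[1]` is also read without checking that the split produced a second element. The constant gates the FEATURE_SECURE_PROCESSING restriction in `TransformerFactoryImpl.setFeature`, so an exception here would make the constants class fail to load; the method should parse defensively and choose its fallback deliberately. The sketch below falls back to the restrictive answer, which is a policy choice for the author to confirm. The identical method added to xerces `impl/Constants.java` has the same problem, and in both places the header comment opens with `/*`, so its `@param`/`@return` tags are not picked up as Javadoc.

```java
    public static boolean isJavaVersionAtLeast(int compareTo) {
        String javaVersion = SecuritySupport.getSystemProperty("java.version");
        if (javaVersion == null) {
            // version unknown: take the restrictive path rather than fail class loading
            return true;
        }
        String versions[] = javaVersion.split("\\.", 3);
        try {
            if (Integer.parseInt(versions[0]) >= compareTo) {
                return true;
            }
            return versions.length > 1
                    && Integer.parseInt(versions[1]) >= compareTo;
        } catch (NumberFormatException e) {
            // non-numeric component: same fallback as for a missing version
            return true;
        }
    }
```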
--- a/jaxp/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java	Tue Jul 09 16:34:52 2013 -0700
@@ -229,7 +229,8 @@
      * @return the name of the protocol if rejected, null otherwise
      */
     public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException {
-        if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) {
+        if (systemId == null || (allowedProtocols != null &&
+                allowedProtocols.equalsIgnoreCase(accessAny))) {
             return null;
         }
 
@@ -262,6 +263,9 @@
      * @return true if the protocol is in the list
      */
     private static boolean isProtocolAllowed(String protocol, String allowedProtocols) {
+         if (allowedProtocols == null) {
+             return false;
+         }
          String temp[] = allowedProtocols.split(",");
          for (String t : temp) {
              t = t.trim();
@@ -273,18 +277,16 @@
      }
 
     /**
-     * Read from $java.home/lib/jaxp.properties for the specified property
+     * Read JAXP system property in this order: system property,
+     * $java.home/lib/jaxp.properties if the system property is not specified
      *
      * @param propertyId the Id of the property
      * @return the value of the property
      */
-    public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) {
-        String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId);
+    public static String getJAXPSystemProperty(String sysPropertyId) {
+        String accessExternal = getSystemProperty(sysPropertyId);
         if (accessExternal == null) {
             accessExternal = readJAXPProperty(sysPropertyId);
-            if (accessExternal == null) {
-                accessExternal = defaultVal;
-            }
         }
         return accessExternal;
     }
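Review bot: The Javadoc on `getJAXPSystemProperty` no longer matches the method: with the `defaultVal` fallback removed it can return null, and the `@param propertyId` tag names a parameter that is actually called `sysPropertyId`. Callers that used to receive a default now have to handle null themselves, so the contract should say so. I would write `@param sysPropertyId the name of the system property` and `@return the value of the property, or null if it is set neither as a system property nor in jaxp.properties`.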
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java	Tue Jul 09 16:34:52 2013 -0700
@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xalan.internal.utils;
+
+
+import com.sun.org.apache.xalan.internal.XalanConstants;
+import javax.xml.XMLConstants;
+
+/**
+ * This class manages security related properties
+ *
+ */
+public final class XMLSecurityPropertyManager {
+
+    /**
+     * States of the settings of a property, in the order: default value, value
+     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+     * properties, and jaxp api properties
+     */
+    public static enum State {
+        //this order reflects the overriding order
+        DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+    }
+
+    /**
+     * Limits managed by the security manager
+     */
+    public static enum Property {
+        ACCESS_EXTERNAL_DTD(XMLConstants.ACCESS_EXTERNAL_DTD,
+                XalanConstants.EXTERNAL_ACCESS_DEFAULT),
+        ACCESS_EXTERNAL_STYLESHEET(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,
+                XalanConstants.EXTERNAL_ACCESS_DEFAULT);
+
+        final String name;
+        final String defaultValue;
+
+        Property(String name, String value) {
+            this.name = name;
+            this.defaultValue = value;
+        }
+
+        public boolean equalsName(String propertyName) {
+            return (propertyName == null) ? false : name.equals(propertyName);
+        }
+
+        String defaultValue() {
+            return defaultValue;
+        }
+    }
+
+
+    /**
+     * Values of the properties as defined in enum Properties
+     */
+    private final String[] values;
+    /**
+     * States of the settings for each property in Properties above
+     */
+    private State[] states = {State.DEFAULT, State.DEFAULT};
+
+    /**
+     * Default constructor. Establishes default values
+     */
+    public XMLSecurityPropertyManager() {
+        values = new String[Property.values().length];
+        for (Property property : Property.values()) {
+            values[property.ordinal()] = property.defaultValue();
+        }
+        //read system properties or jaxp.properties
+        readSystemProperties();
+    }
+
+    /**
+     * Set the value for a specific property.
+     *
+     * @param property the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setValue(Property property, State state, String value) {
+        //only update if it shall override
+        if (state.compareTo(states[property.ordinal()]) >= 0) {
+            values[property.ordinal()] = value;
+            states[property.ordinal()] = state;
+        }
+    }
+
+    /**
+     * Set the value of a property by its index
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setValue(int index, State state, String value) {
+        //only update if it shall override
+        if (state.compareTo(states[index]) >= 0) {
+            values[index] = value;
+            states[index] = state;
+        }
+    }
+    /**
+     * Return the value of the specified property
+     *
+     * @param property the property
+     * @return the value of the property
+     */
+    public String getValue(Property property) {
+        return values[property.ordinal()];
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     * @param index the index of a property
+     * @return value of a property
+     */
+    public String getValueByIndex(int index) {
+        return values[index];
+    }
+
+    /**
+     * Get the index by property name
+     * @param propertyName property name
+     * @return the index of the property if found; return -1 if not
+     */
+    public int getIndex(String propertyName){
+        for (Property property : Property.values()) {
+            if (property.equalsName(propertyName)) {
+                //internally, ordinal is used as index
+                return property.ordinal();
+            }
+        }
+        return -1;
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     */
+    private void readSystemProperties() {
+        getSystemProperty(Property.ACCESS_EXTERNAL_DTD,
+                XalanConstants.SP_ACCESS_EXTERNAL_DTD);
+        getSystemProperty(Property.ACCESS_EXTERNAL_STYLESHEET,
+                XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET);
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     *
+     * @param property the property
+     * @param systemProperty the name of the system property
+     */
+    private void getSystemProperty(Property property, String systemProperty) {
+        try {
+            String value = SecuritySupport.getSystemProperty(systemProperty);
+            if (value != null) {
+                values[property.ordinal()] = value;
+                states[property.ordinal()] = State.SYSTEMPROPERTY;
+                return;
+            }
+
+            value = SecuritySupport.readJAXPProperty(systemProperty);
+            if (value != null) {
+                values[property.ordinal()] = value;
+                states[property.ordinal()] = State.JAXPDOTPROPERTIES;
+            }
+        } catch (NumberFormatException e) {
+            //invalid setting ignored
+        }
+    }
+}
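Review bot: `states` is initialised with a literal two-element array while `values` is sized from `Property.values().length`, so adding a third `Property` would make `setValue` and `getSystemProperty` index past the end of `states`. Allocate it the same way in the constructor, `states = new State[Property.values().length];`, and set `states[property.ordinal()] = State.DEFAULT;` in the existing loop. Separately, the `catch (NumberFormatException e)` in `getSystemProperty` wraps code that only reads and assigns strings, so nothing visible in the `try` can throw it; removing it would avoid implying that values are validated here. `setValue(int, ...)` and `getValueByIndex` accept any index, so their Javadoc should state that the index must be a non-negative result of `getIndex`.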
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java	Tue Jul 09 16:34:52 2013 -0700
@@ -27,6 +27,9 @@
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
 import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.State;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.Constants;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.SourceLoader;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC;
@@ -215,11 +218,13 @@
      * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
      */
     private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
      /**
      * protocols allowed for external DTD references in source file and/or stylesheet.
      */
     private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
 
+    private XMLSecurityPropertyManager _xmlSecurityPropertyMgr;
 
     /**
      * javax.xml.transform.sax.TransformerFactory implementation.
@@ -235,15 +240,16 @@
     private TransformerFactoryImpl(boolean useServicesMechanism) {
         this._useServicesMechanism = useServicesMechanism;
 
-        String defaultAccess = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
         if (System.getSecurityManager() != null) {
             _isSecureMode = true;
             _isNotSecureProcessing = false;
         }
-        _accessExternalStylesheet =  SecuritySupport.getDefaultAccessProperty(
-                XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess);
-        _accessExternalDTD =  SecuritySupport.getDefaultAccessProperty(
-                XalanConstants.SP_ACCESS_EXTERNAL_DTD, defaultAccess);
+
+        _xmlSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        _accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
+                Property.ACCESS_EXTERNAL_DTD);
+        _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
+                Property.ACCESS_EXTERNAL_STYLESHEET);
     }
 
     /**
@@ -306,11 +312,10 @@
             else
               return Boolean.FALSE;
         }
-        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
-            return _accessExternalStylesheet;
-        }
-        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
-            return _accessExternalDTD;
+
+        int index = _xmlSecurityPropertyMgr.getIndex(name);
+        if (index > -1) {
+            return _xmlSecurityPropertyMgr.getValueByIndex(index);
         }
 
         // Throw an exception for all other attributes
@@ -413,12 +418,15 @@
                 return;
             }
         }
-        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
-            _accessExternalStylesheet = (String)value;
-            return;
-        }
-        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
-            _accessExternalDTD = (String)value;
+
+        int index = _xmlSecurityPropertyMgr.getIndex(name);
+        if (index > -1) {
+            _xmlSecurityPropertyMgr.setValue(index,
+                    State.APIPROPERTY, (String)value);
+            _accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
+                    Property.ACCESS_EXTERNAL_DTD);
+            _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
+                    Property.ACCESS_EXTERNAL_STYLESHEET);
             return;
         }
 
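Review bot: The `(String)value` cast in the new `setValue` call raises a ClassCastException when a caller passes a non-String for one of the access properties, instead of reaching whatever error path the rest of `setAttribute` uses for unsupported input (the method starts and ends outside this hunk). Checking the type first, for example `if (index > -1 && value instanceof String)`, would let a wrong type fall through to that path; note this would also stop a null value from being stored. The same unchecked cast is added in the `PropertyManager.setProperty` hunk and needs its own type check there.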
@@ -466,11 +474,18 @@
             }
             _isNotSecureProcessing = !value;
 
-            // set restriction, allowing no access to external stylesheet
-            if (value) {
-                _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
-                _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+            // set external access restriction when FSP is explicitly set
+            if (value && XalanConstants.IS_JDK8_OR_ABOVE) {
+                _xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD,
+                        State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                _xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_STYLESHEET,
+                        State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                _accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
+                        Property.ACCESS_EXTERNAL_DTD);
+                _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
+                        Property.ACCESS_EXTERNAL_STYLESHEET);
             }
+
             return;
         }
         else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) {
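Review bot: The comment `set external access restriction when FSP is explicitly set` leaves out the condition that matters most to someone relying on this feature: with `value && XalanConstants.IS_JDK8_OR_ABOVE`, turning FEATURE_SECURE_PROCESSING on does not restrict external DTD or stylesheet access on a runtime older than JDK 8. It is also silent on precedence, since `setValue` with `State.FSP` is ignored when the property was already set from jaxp.properties, a system property or the API. I would spell both out, e.g. `// FSP=true restricts external access only on JDK 8+, and only if the property was not already set by jaxp.properties, a system property or the API`. Setting the feature back to false leaves an earlier FSP restriction in place as far as this hunk shows; if that is intended it deserves a line too. The enclosing `setFeature` starts and ends outside the hunk.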
--- a/jaxp/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java	Tue Jul 09 16:34:52 2013 -0700
@@ -33,7 +33,7 @@
 import com.sun.org.apache.xerces.internal.util.PropertyState;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@@ -156,13 +156,9 @@
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
-    /** Property identifier: access to external dtd */
-    protected static final String ACCESS_EXTERNAL_DTD =
-        XMLConstants.ACCESS_EXTERNAL_DTD;
-
-    /** Property identifier: access to external schema  */
-    protected static final String ACCESS_EXTERNAL_SCHEMA =
-        XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     //
     // Data
@@ -283,8 +279,7 @@
             JAXP_SCHEMA_LANGUAGE,
             DTD_VALIDATOR_FACTORY_PROPERTY,
             SCHEMA_DV_FACTORY,
-            ACCESS_EXTERNAL_DTD,
-            ACCESS_EXTERNAL_SCHEMA
+            XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
 
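Review bot: `recognizedProperties` no longer lists `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA`, only the manager key, so whether a caller can still set or read those two JAXP properties through this configuration depends on `setProperty`/`getProperty` consulting `XMLSecurityPropertyManager.getIndex`. This diff does not show that for `DOMConfigurationImpl`. If they do not, the names would presumably be reported as unrecognised and the access restrictions could not be tightened on this path. Please confirm, and add a comment next to `XML_SECURITY_PROPERTY_MANAGER` in the array saying that the individual access properties are resolved through the manager. The array initialiser begins outside this hunk.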
@@ -318,14 +313,8 @@
         fValidationManager = createValidationManager();
         setProperty(VALIDATION_MANAGER, fValidationManager);
 
-        //For DOM, the secure feature is set to true by default
-        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
-        setProperty(ACCESS_EXTERNAL_DTD, accessExternal);
-
-        accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
-        setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal);
+        setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
+                new XMLSecurityPropertyManager());
 
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java	Tue Jul 09 16:34:52 2013 -0700
@@ -184,6 +184,9 @@
     public static final String ORACLE_JAXP_PROPERTY_PREFIX =
         "http://www.oracle.com/xml/jaxp/properties/";
 
+    public static final String XML_SECURITY_PROPERTY_MANAGER =
+            ORACLE_JAXP_PROPERTY_PREFIX + "xmlSecurityPropertyManager";
+
     //System Properties corresponding to ACCESS_EXTERNAL_* properties
     public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
     public static final String SP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema";
@@ -194,16 +197,17 @@
      * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
      */
     public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
-    /**
-     * JDK version by which the default is to restrict external connection
-     */
-    public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
 
     /**
      * FEATURE_SECURE_PROCESSING (FSP) is true by default
      */
     public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
 
+    /**
+     * Check if we're in jdk8 or above
+     */
+    public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8);
+
     //
     // DOM features
     //
@@ -697,6 +701,27 @@
         ? new ArrayEnumeration(fgXercesProperties) : fgEmptyEnumeration;
     } // getXercesProperties():Enumeration
 
+    /*
+     * Check the version of the current JDK against that specified in the
+     * parameter
+     *
+     * There is a proposal to change the java version string to:
+     * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
+     * This method would work with both the current format and that proposed
+     *
+     * @param compareTo a JDK version to be compared to
+     * @return true if the current version is the same or above that represented
+     * by the parameter
+     */
+    public static boolean isJavaVersionAtLeast(int compareTo) {
+        String javaVersion = SecuritySupport.getSystemProperty("java.version");
+        String versions[] = javaVersion.split("\\.", 3);
+        if (Integer.parseInt(versions[0]) >= compareTo ||
+            Integer.parseInt(versions[1]) >= compareTo) {
+            return true;
+        }
+        return false;
+    }
 
     //
     // Classes
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java	Tue Jul 09 16:34:52 2013 -0700
@@ -25,10 +25,9 @@
 
 package com.sun.org.apache.xerces.internal.impl;
 
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
 import java.util.HashMap;
-import javax.xml.XMLConstants;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
 import javax.xml.stream.XMLResolver;
@@ -51,15 +50,14 @@
 
     private static final String STRING_INTERNING = "http://xml.org/sax/features/string-interning";
 
-
-    /** Property identifier: access to external dtd */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
-
-    /** Property identifier: access to external schema  */
-    protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     HashMap supportedProps = new HashMap();
 
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     public static final int CONTEXT_READER = 1;
     public static final int CONTEXT_WRITER = 2;
 
@@ -84,6 +82,7 @@
 
         HashMap properties = propertyManager.getProperties();
         supportedProps.putAll(properties);
+        fSecurityPropertyMgr = (XMLSecurityPropertyManager)getProperty(XML_SECURITY_PROPERTY_MANAGER);
     }
 
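Review bot: The copy constructor ends up sharing one `XMLSecurityPropertyManager` between the source and the new `PropertyManager`: `putAll` copies the reference stored under `XML_SECURITY_PROPERTY_MANAGER`, and the added line reads that same object back. Since `setProperty` now writes access properties into the manager through `setValue` rather than into the per-instance map, changing an access property on the copy would also change it on the original, unlike the other entries in `supportedProps`. If per-instance settings are intended, the manager has to be copied here, which needs a copy constructor on the xerces `XMLSecurityPropertyManager` (that class is not visible in this part of the diff). Otherwise a comment stating that the sharing is deliberate would help. `getProperty` itself is outside the hunk.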
     private HashMap getProperties(){
@@ -125,14 +124,8 @@
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE, new Boolean(false));
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_UNDECLARED_ELEMDEF_FEATURE, new Boolean(false));
 
-        //For DOM/SAX, the secure feature is set to true by default
-        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
-        supportedProps.put(ACCESS_EXTERNAL_DTD, accessExternal);
-
-        accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
-        supportedProps.put(ACCESS_EXTERNAL_SCHEMA, accessExternal);
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        supportedProps.put(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
     }
 
     private void initWriterProps(){
@@ -148,7 +141,8 @@
      * }
      */
     public boolean containsProperty(String property){
-        return supportedProps.containsKey(property) ;
+        return supportedProps.containsKey(property) ||
+                fSecurityPropertyMgr.getIndex(property) > -1 ;
     }
 
     public Object getProperty(String property){
@@ -174,7 +168,15 @@
             //add internal stax property
             supportedProps.put( Constants.XERCES_PROPERTY_PREFIX + Constants.STAX_ENTITY_RESOLVER_PROPERTY , new StaxEntityResolverWrapper((XMLResolver)value)) ;
         }
-        supportedProps.put(property, value ) ;
+
+        int index = fSecurityPropertyMgr.getIndex(property);
+        if (index > -1) {
+            fSecurityPropertyMgr.setValue(index,
+                    XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
+        } else {
+            supportedProps.put(property, value);
+        }
+
         if(equivalentProperty != null){
             supportedProps.put(equivalentProperty, value ) ;
         }
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Tue Jul 09 16:34:52 2013 -0700
@@ -53,6 +53,7 @@
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.xml.internal.stream.Entity;
 import javax.xml.XMLConstants;
@@ -166,8 +167,9 @@
     protected static final String STANDARD_URI_CONFORMANT =
             Constants.XERCES_FEATURE_PREFIX +Constants.STANDARD_URI_CONFORMANT_FEATURE;
 
-    /** property identifier: access external dtd. */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     /** access external dtd: file protocol
      *  For DOM/SAX, the secure feature is set to true by default
@@ -199,7 +201,7 @@
         SYMBOL_TABLE,
                 ERROR_REPORTER,
                 ENTITY_MANAGER,
-                ACCESS_EXTERNAL_DTD
+                XML_SECURITY_PROPERTY_MANAGER
     };
 
     /** Property defaults. */
@@ -610,7 +612,10 @@
         dtdGrammarUtil = null;
 
         // JAXP 1.5 features and properties
-        fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
+                componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
+        fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
+
         fStrictURI = componentManager.getFeature(STANDARD_URI_CONFORMANT, false);
 
         //fEntityManager.test();
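Review bot: `spm` is dereferenced straight after `componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null)`, so a component manager that does not carry the property makes `reset` throw a NullPointerException where the old code fell back to `EXTERNAL_ACCESS_DEFAULT`. `XMLEntityManager.reset` in this same change handles that case, and the same guard belongs here: `if (spm == null) { spm = new XMLSecurityPropertyManager(); }`. The `propertyManager` variants of `reset` and the `setProperty` branches in both classes also cast and dereference without a null check; a null there should keep the current value or fall back to the defaults rather than fail. `reset` starts and ends outside this hunk.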
@@ -662,9 +667,10 @@
 
         dtdGrammarUtil = null;
 
-        // Oracle jdk feature
-        fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
-
+         // JAXP 1.5 features and properties
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
+                propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
+        fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
     } // reset(XMLComponentManager)
 
     /**
@@ -762,11 +768,10 @@
         }
 
         //JAXP 1.5 properties
-        if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
-            if (propertyId.equals(ACCESS_EXTERNAL_DTD))
-            {
-                fAccessExternalDTD = (String)value;
-            }
+        if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER))
+        {
+            XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
+            fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
         }
 
     } // setProperty(String,Object)
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java	Tue Jul 09 16:34:52 2013 -0700
@@ -31,6 +31,7 @@
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
@@ -166,8 +167,9 @@
     protected static final String PARSER_SETTINGS =
         Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
 
-    /** property identifier: access external dtd. */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     /** access external dtd: file protocol */
     static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
@@ -203,7 +205,7 @@
                 VALIDATION_MANAGER,
                 BUFFER_SIZE,
                 SECURITY_MANAGER,
-                ACCESS_EXTERNAL_DTD
+                XML_SECURITY_PROPERTY_MANAGER
     };
 
     /** Property defaults. */
@@ -214,7 +216,7 @@
                 null,
                 new Integer(DEFAULT_BUFFER_SIZE),
                 null,
-                EXTERNAL_ACCESS_DEFAULT
+                null
     };
 
     private static final String XMLEntity = "[xml]".intern();
@@ -1421,7 +1423,8 @@
         fLoadExternalDTD = !((Boolean)propertyManager.getProperty(Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD)).booleanValue();
 
         // JAXP 1.5 feature
-        fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
+        fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
 
         // initialize state
         //fStandalone = false;
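Review bot: `spm.getValue(...)` in this hunk dereferences the result of `propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER)` without a null check, while the next hunk (the `componentManager` lookup) falls back to `new XMLSecurityPropertyManager()` when nothing is registered. The property default in this file is now `null`, so a configuration that never registers a manager would fail with a NullPointerException here instead of parsing with the manager's default external-DTD setting. I would apply the same guard, `if (spm == null) { spm = new XMLSecurityPropertyManager(); }`, here and in the other unguarded lookups this commit adds: `setProperty` in this file and the `XML_SECURITY_PROPERTY_MANAGER` lookups in XMLSchemaLoader, XSDHandler, ValidatorHandlerImpl and DOMParser. The enclosing method starts and ends outside the hunk.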
@@ -1485,7 +1488,11 @@
         fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
 
         // JAXP 1.5 feature
-        fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
+        if (spm == null) {
+            spm = new XMLSecurityPropertyManager();
+        }
+        fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
 
         //reset general state
         reset();
@@ -1641,11 +1648,10 @@
         }
 
         //JAXP 1.5 properties
-        if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
-            if (propertyId.equals(ACCESS_EXTERNAL_DTD))
-            {
-                fAccessExternalDTD = (String)value;
-            }
+        if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER))
+        {
+            XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
+            fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
         }
     }
 
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java	Tue Jul 09 16:34:52 2013 -0700
@@ -54,6 +54,7 @@
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -218,6 +219,10 @@
     protected static final String ENTITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_MANAGER_PROPERTY;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     /** Property identifier: access to external dtd */
     public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
 
@@ -238,8 +243,7 @@
         SECURITY_MANAGER,
         LOCALE,
         SCHEMA_DV_FACTORY,
-        ACCESS_EXTERNAL_DTD,
-        ACCESS_EXTERNAL_SCHEMA
+        XML_SECURITY_PROPERTY_MANAGER
     };
 
     // Data
@@ -270,7 +274,6 @@
     private final CMNodeFactory fNodeFactory = new CMNodeFactory(); //component mgr will be set later
     private CMBuilder fCMBuilder;
     private XSDDescription fXSDDescription = new XSDDescription();
-    private String faccessExternalDTD = Constants.EXTERNAL_ACCESS_DEFAULT;
     private String faccessExternalSchema = Constants.EXTERNAL_ACCESS_DEFAULT;
 
     private Map fJAXPCache;
@@ -466,11 +469,9 @@
                 fErrorReporter.putMessageFormatter(XSMessageFormatter.SCHEMA_DOMAIN, new XSMessageFormatter());
             }
         }
-        else if (propertyId.equals(ACCESS_EXTERNAL_DTD)) {
-            faccessExternalDTD = (String) state;
-        }
-        else if (propertyId.equals(ACCESS_EXTERNAL_SCHEMA)) {
-            faccessExternalSchema = (String) state;
+        else if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) {
+            XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)state;
+            faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
         }
     } // setProperty(String, Object)
 
@@ -1066,8 +1067,8 @@
         fSchemaHandler.setGenerateSyntheticAnnotations(componentManager.getFeature(GENERATE_SYNTHETIC_ANNOTATIONS, false));
         fSchemaHandler.reset(componentManager);
 
-        faccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD);
-        faccessExternalSchema = (String) componentManager.getProperty(ACCESS_EXTERNAL_SCHEMA);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
+        faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
     }
 
     private void initGrammarBucket(){
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java	Tue Jul 09 16:34:52 2013 -0700
@@ -233,11 +233,9 @@
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
-    /** property identifier: access external dtd. */
-    private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
-
-    /** Property identifier: access to external schema */
-    private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     protected static final String USE_SERVICE_MECHANISM = Constants.ORACLE_FEATURE_SERVICE_MECHANISM;
 
@@ -297,8 +295,7 @@
             JAXP_SCHEMA_SOURCE,
             JAXP_SCHEMA_LANGUAGE,
             SCHEMA_DV_FACTORY,
-            ACCESS_EXTERNAL_DTD,
-            ACCESS_EXTERNAL_SCHEMA
+            XML_SECURITY_PROPERTY_MANAGER
             };
 
     /** Property defaults. */
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Tue Jul 09 16:34:52 2013 -0700
@@ -78,6 +78,7 @@
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -112,6 +113,7 @@
 import org.w3c.dom.Node;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.SAXParseException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.helpers.XMLReaderFactory;
@@ -223,11 +225,9 @@
     protected static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
-    /** property identifier: access external dtd. */
-    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
-
-    /** Property identifier: access to external schema */
-    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+        /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     protected static final boolean DEBUG_NODE_POOL = false;
 
@@ -260,6 +260,7 @@
     protected SecurityManager fSecureProcessing = null;
 
     private String fAccessExternalSchema;
+    private String fAccessExternalDTD;
 
     // These tables correspond to the symbol spaces defined in the
     // spec.
@@ -2249,6 +2250,13 @@
                         }
                     }
                     catch (SAXException se) {}
+
+                    try {
+                        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, fAccessExternalDTD);
+                    } catch (SAXNotRecognizedException exc) {
+                        System.err.println("Warning: " + parser.getClass().getName() + ": " +
+                                exc.getMessage());
+                    }
                 }
                 // If XML names and Namespace URIs are already internalized we
                 // can avoid running them through the SymbolTable.
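Review bot: When the parser rejects `XMLConstants.ACCESS_EXTERNAL_DTD`, the new catch block only prints a warning to `System.err`, and parsing then continues without the restriction held in `fAccessExternalDTD`, so the limit on external DTD access is silently not enforced for that parser. The catch is also narrower than the one ValidatorHandlerImpl uses for the same call (`catch (SAXException exc)`); `setProperty` can throw `SAXNotSupportedException` as well, and whether that is handled depends on code outside this hunk. I would catch `SAXException` here and state the fail-open behaviour at the catch, e.g. `// parser does not support JAXP 1.5 properties: the accessExternalDTD restriction is not applied to it`. The enclosing method starts and ends outside the hunk.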
@@ -3580,11 +3588,17 @@
         } catch (XMLConfigurationException e) {
         }
 
-        //For Schema validation, the secure feature is set to true by default
-        fSchemaParser.setProperty(ACCESS_EXTERNAL_DTD,
-                componentManager.getProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT));
-        fAccessExternalSchema = (String) componentManager.getProperty(
-                ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
+        XMLSecurityPropertyManager securityPropertyMgr = (XMLSecurityPropertyManager)
+                componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
+        //Passing on the setting to the parser
+        fSchemaParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, securityPropertyMgr);
+
+        fAccessExternalDTD = securityPropertyMgr.getValue(
+                XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
+
+        fAccessExternalSchema = securityPropertyMgr.getValue(
+                XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
+
     } // reset(XMLComponentManager)
 
 
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Tue Jul 09 16:34:52 2013 -0700
@@ -37,6 +37,9 @@
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.parsers.DOMParser;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -97,12 +100,17 @@
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     /** property identifier: access external dtd. */
     public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
 
     /** Property identifier: access to external schema */
     public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
+
     private final DOMParser domParser;
     private final Schema grammar;
 
@@ -117,6 +125,8 @@
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     DocumentBuilderImpl(DocumentBuilderFactoryImpl dbf, Hashtable dbfAttrs, Hashtable features)
         throws SAXNotRecognizedException, SAXNotSupportedException {
         this(dbf, dbfAttrs, features, false);
@@ -160,23 +170,27 @@
             domParser.setFeature(XINCLUDE_FEATURE, true);
         }
 
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
             domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
 
             /**
-             * By default, secure processing is set, no external access is allowed.
-             * However, we need to check if it is actively set on the factory since we
-             * allow the use of the System Property or jaxp.properties to override
-             * the default value
+             * If secure processing is explicitly set on the factory, the
+             * access properties will be set unless the corresponding
+             * System Properties or jaxp.properties are set
              */
             if (features != null) {
                 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
                 if (temp != null) {
                     boolean value = ((Boolean) temp).booleanValue();
-                    if (value) {
-                        domParser.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
-                        domParser.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                    if (value && Constants.IS_JDK8_OR_ABOVE) {
+                        fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD,
+                                State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_SCHEMA,
+                                State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
                     }
                 }
             }
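Review bot: The rewritten comment above the `features` check does not mention the new `Constants.IS_JDK8_OR_ABOVE` condition, yet with it an explicit `FEATURE_SECURE_PROCESSING=true` changes the external DTD and schema access properties only when that constant is true. Callers who rely on secure processing to block external fetches need to know this, so I would extend the comment with a line such as `* When IS_JDK8_OR_ABOVE is false, secure processing leaves the access properties unchanged.` The comment also opens with `/**` inside a method body, where a plain `/*` block comment is the conventional form. The same gate is added in SAXParserImpl, XMLSchemaFactory and XMLSchemaValidatorComponentManager; the enclosing body continues outside this hunk.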
@@ -220,7 +234,7 @@
             setFeatures(features);
         }
 
-        // Set attributes
+        //setAttribute override those that may be set by other means
         setDocumentBuilderFactoryAttributes(dbfAttrs);
 
         // Initial EntityResolver
@@ -275,26 +289,32 @@
                             // spec when schema validation is enabled
                             domParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA);
                         }
-                    }
-                        } else if(JAXP_SCHEMA_SOURCE.equals(name)){
-                        if( isValidating() ) {
-                                                String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE);
-                                                if(value !=null && W3C_XML_SCHEMA.equals(value)){
-                                        domParser.setProperty(name, val);
-                                                }else{
+                     }
+                 } else if(JAXP_SCHEMA_SOURCE.equals(name)){
+                    if( isValidating() ) {
+                        String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE);
+                        if(value !=null && W3C_XML_SCHEMA.equals(value)){
+                            domParser.setProperty(name, val);
+                        }else{
                             throw new IllegalArgumentException(
                                 DOMMessageFormatter.formatMessage(DOMMessageFormatter.DOM_DOMAIN,
                                 "jaxp-order-not-supported",
                                 new Object[] {JAXP_SCHEMA_LANGUAGE, JAXP_SCHEMA_SOURCE}));
-                                                }
-                                        }
-                } else {
-                    // Let Xerces code handle the property
-                    domParser.setProperty(name, val);
-                                }
                         }
-                }
+                     }
+                  } else {
+                    int index = fSecurityPropertyMgr.getIndex(name);
+                    if (index > -1) {
+                        fSecurityPropertyMgr.setValue(index,
+                                XMLSecurityPropertyManager.State.APIPROPERTY, (String)val);
+                    } else {
+                        // Let Xerces code handle the property
+                        domParser.setProperty(name, val);
+                    }
+                  }
+             }
         }
+    }
 
     /**
      * Non-preferred: use the getDOMImplementation() method instead of this
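Review bot: The new branch casts the attribute with `(String)val` before calling `fSecurityPropertyMgr.setValue`, so a caller that supplies a non-String value for one of the managed access properties gets a `ClassCastException` rather than the `IllegalArgumentException` this method already throws for bad attributes. A type check before the cast keeps the failure in that form, e.g. `if (!(val instanceof String)) { throw new IllegalArgumentException(name); }`. The same unchecked cast is added in SAXParserImpl (`(String)value`) and XMLSchemaFactory (`(String)object`), where the corresponding SAX exception would be the natural choice. Most of the other changed lines in this hunk are re-indentation, and the method starts outside the hunk.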
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Tue Jul 09 16:34:52 2013 -0700
@@ -36,6 +36,7 @@
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -92,11 +93,9 @@
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
-    /** property identifier: access external dtd. */
-    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
-
-    /** Property identifier: access to external schema */
-    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     private final JAXPSAXParser xmlReader;
     private String schemaLanguage = null;     // null means DTD
@@ -113,6 +112,8 @@
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     /**
      * Create a SAX parser with the associated features
      * @param features Hashtable of SAX features, may be null
@@ -149,6 +150,9 @@
             xmlReader.setFeature0(XINCLUDE_FEATURE, true);
         }
 
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        xmlReader.setProperty0(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
             xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
@@ -162,9 +166,12 @@
                 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
                 if (temp != null) {
                     boolean value = ((Boolean) temp).booleanValue();
-                    if (value) {
-                        xmlReader.setProperty0(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
-                        xmlReader.setProperty0(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                    if (value && Constants.IS_JDK8_OR_ABOVE) {
+                        fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
+                                XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
+                                XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+
                     }
                 }
             }
@@ -530,14 +537,21 @@
                     return;
                 }
             }
-            if (!fInitProperties.containsKey(name)) {
-                fInitProperties.put(name, super.getProperty(name));
-            }
             /** Forward property to the schema validator if there is one. **/
             if (fSAXParser != null && fSAXParser.fSchemaValidator != null) {
                 setSchemaValidatorProperty(name, value);
             }
-            super.setProperty(name, value);
+            /** Check to see if the property is managed by the property manager **/
+            int index = fSAXParser.fSecurityPropertyMgr.getIndex(name);
+            if (index > -1) {
+                fSAXParser.fSecurityPropertyMgr.setValue(index,
+                        XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
+            } else {
+                if (!fInitProperties.containsKey(name)) {
+                    fInitProperties.put(name, super.getProperty(name));
+                }
+                super.setProperty(name, value);
+            }
         }
 
         public synchronized Object getProperty(String name)
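Review bot: The new lookup `fSAXParser.fSecurityPropertyMgr.getIndex(name)` dereferences `fSAXParser` unconditionally, although the statement just above it still tests `fSAXParser != null` before forwarding to the schema validator. If this reader can exist without an owning `SAXParserImpl`, as that check implies, a `setProperty` call reaching this point would now throw a NullPointerException. I would guard the lookup, `int index = (fSAXParser != null) ? fSAXParser.fSecurityPropertyMgr.getIndex(name) : -1;`, so such a reader falls through to `super.setProperty`. The `getProperty` hunk that follows adds the same unguarded dereference, and both methods start outside their hunks.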
@@ -550,6 +564,11 @@
                 // JAXP 1.2 support
                 return fSAXParser.schemaLanguage;
             }
+            int index = fSAXParser.fSecurityPropertyMgr.getIndex(name);
+            if (index > -1) {
+                return fSAXParser.fSecurityPropertyMgr.getValueByIndex(index);
+            }
+
             return super.getProperty(name);
         }
 
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Tue Jul 09 16:34:52 2013 -0700
@@ -177,11 +177,11 @@
         }
         config.setProperty(SYMBOL_TABLE, fComponentManager.getProperty(SYMBOL_TABLE));
         config.setProperty(VALIDATION_MANAGER, fComponentManager.getProperty(VALIDATION_MANAGER));
-        config.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
-                fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
         config.setDocumentHandler(fSchemaValidator);
         config.setDTDHandler(null);
         config.setDTDContentModelHandler(null);
+        config.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
+                fComponentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER));
         fConfiguration = new SoftReference(config);
         return config;
     }
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Tue Jul 09 16:34:52 2013 -0700
@@ -53,6 +53,7 @@
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -134,6 +135,10 @@
     private static final String VALIDATION_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.VALIDATION_MANAGER_PROPERTY;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     //
     // Data
     //
@@ -686,8 +691,10 @@
                                catch (SAXException exc) {}
                            }
                            try {
+                               XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
+                                       fComponentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
                                reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
-                                      fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
+                                       spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD));
                            } catch (SAXException exc) {
                                System.err.println("Warning: " + reader.getClass().getName() + ": " +
                                       exc.getMessage());
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Tue Jul 09 16:34:52 2013 -0700
@@ -45,7 +45,7 @@
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -83,11 +83,10 @@
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
-    /** property identifier: access external dtd. */
-    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
-    /** Property identifier: access to external schema  */
-    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     //
     // Data
@@ -111,6 +110,9 @@
     /** The SecurityManager. */
     private SecurityManager fSecurityManager;
 
+    /** The Security property manager. */
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     /** The container for the real grammar pool. */
     private XMLGrammarPoolWrapper fXMLGrammarPoolWrapper;
 
@@ -120,6 +122,8 @@
      * Note the default value (false) is the safe option..
      */
     private final boolean fUseServicesMechanism;
+
+
     public XMLSchemaFactory() {
         this(true);
     }
@@ -140,13 +144,9 @@
         fSecurityManager = new SecurityManager();
         fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
 
-        //by default, the secure feature is set to true, otherwise the default would have been 'file'
-        String accessExternal = SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
-        fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, accessExternal);
-        accessExternal = SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
-        fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal);
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        fXMLSchemaLoader.setProperty(XML_SECURITY_PROPERTY_MANAGER,
+                fSecurityPropertyMgr);
     }
 
     /**
@@ -282,6 +282,7 @@
             schema = new EmptyXMLSchema();
         }
         propagateFeatures(schema);
+        propagateProperties(schema);
         return schema;
     }
 
@@ -366,8 +367,13 @@
             }
             if (value) {
                 fSecurityManager = new SecurityManager();
-                fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
-                fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+
+                if (Constants.IS_JDK8_OR_ABOVE) {
+                    fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
+                            XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                    fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
+                            XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                }
             } else {
                 fSecurityManager = null;
             }
@@ -414,7 +420,13 @@
                     "property-not-supported", new Object [] {name}));
         }
         try {
-            fXMLSchemaLoader.setProperty(name, object);
+            int index = fSecurityPropertyMgr.getIndex(name);
+            if (index > -1) {
+                fSecurityPropertyMgr.setValue(index,
+                        XMLSecurityPropertyManager.State.APIPROPERTY, (String)object);
+            } else {
+                fXMLSchemaLoader.setProperty(name, object);
+            }
         }
         catch (XMLConfigurationException e) {
             String identifier = e.getIdentifier();
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Tue Jul 09 16:34:52 2013 -0700
@@ -42,6 +42,7 @@
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@@ -107,6 +108,10 @@
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
+    /** Property identifier: security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     /** Property identifier: symbol table. */
     private static final String SYMBOL_TABLE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SYMBOL_TABLE_PROPERTY;
@@ -123,12 +128,6 @@
     private static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
-    /** property identifier: access external dtd. */
-    private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
-
-    /** Property identifier: access to external schema  */
-    private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
-
     //
     // Data
     //
@@ -184,6 +183,9 @@
     /** Stores the initial security manager. */
     private final SecurityManager fInitSecurityManager;
 
+    /** Stores the initial security property manager. */
+    private final XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     //
     // User Objects
     //
@@ -250,8 +252,9 @@
         fComponents.put(SECURITY_MANAGER, fInitSecurityManager);
 
         //pass on properties set on SchemaFactory
-        setProperty(ACCESS_EXTERNAL_DTD, grammarContainer.getProperty(ACCESS_EXTERNAL_DTD));
-        setProperty(ACCESS_EXTERNAL_SCHEMA, grammarContainer.getProperty(ACCESS_EXTERNAL_SCHEMA));
+        fSecurityPropertyMgr = (XMLSecurityPropertyManager)
+                grammarContainer.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER);
+        setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
     }
 
     /**
@@ -309,6 +312,15 @@
                 throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING);
             }
             setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+
+            if (value && Constants.IS_JDK8_OR_ABOVE) {
+                fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
+                        XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
+                        XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+            }
+
             return;
         }
         fConfigUpdated = true;
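Review bot: `fSecurityPropertyMgr.setValue(...)` here modifies the manager instance that the constructor hunk above obtained from `grammarContainer.getProperty(...)` and stored without copying. If the grammar container hands out the instance held by the schema or factory (not visible here), enabling secure processing on one validator would also change the access properties seen by every other component that holds it. I would either give each component manager its own instance or document the sharing at the field, e.g. `// shared with the grammar container; changes made here are visible to all holders`. The field is also dereferenced without a null check, and the method starts outside the hunk.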
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java	Tue Jul 09 16:34:52 2013 -0700
@@ -29,6 +29,7 @@
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
@@ -74,6 +75,10 @@
     protected static final String REPORT_WHITESPACE =
             Constants.SUN_SCHEMA_FEATURE_PREFIX + Constants.SUN_REPORT_IGNORED_ELEMENT_CONTENT_WHITESPACE;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     // recognized features:
     private static final String[] RECOGNIZED_FEATURES = {
         REPORT_WHITESPACE
@@ -579,6 +584,13 @@
        }
 
         try {
+            XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
+                    fConfiguration.getProperty(XML_SECURITY_PROPERTY_MANAGER);
+            int index = spm.getIndex(propertyId);
+            if (index > -1) {
+                return spm.getValueByIndex(index);
+            }
+
             return fConfiguration.getProperty(propertyId);
         }
         catch (XMLConfigurationException e) {
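Review bot: `spm` is dereferenced without a null check, so `getProperty` fails with NullPointerException for every property id whenever the configuration holds no security property manager. That is plausible if the parser is built on a configuration other than the ones this changeset updates (the constructors are not shown here). Guard the lookup, e.g. `if (spm != null) { int index = spm.getIndex(propertyId); if (index > -1) return spm.getValueByIndex(index); }`, and fall through to `fConfiguration.getProperty(propertyId)` otherwise. The method starts and ends outside the hunk.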
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java	Tue Jul 09 16:34:52 2013 -0700
@@ -22,8 +22,11 @@
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 /**
  * This is the main Xerces SAX parser class. It uses the abstract SAX
@@ -120,4 +123,24 @@
 
     } // <init>(SymbolTable,XMLGrammarPool)
 
+    /**
+     * Sets the particular property in the underlying implementation of
+     * org.xml.sax.XMLReader.
+     */
+    public void setProperty(String name, Object value)
+        throws SAXNotRecognizedException, SAXNotSupportedException {
+        XMLSecurityPropertyManager spm = new XMLSecurityPropertyManager();
+        int index = spm.getIndex(name);
+        if (index > -1) {
+            /**
+             * this is a direct call to this parser, not a subclass since
+             * internally the support of this property is done through
+             * XMLSecurityPropertyManager
+             */
+            spm.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
+            super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, spm);
+        } else {
+            super.setProperty(name, value);
+        }
+    }
 } // class SAXParser
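Review bot: Each call builds a fresh `XMLSecurityPropertyManager` and installs it, so setting `ACCESS_EXTERNAL_DTD` and then `ACCESS_EXTERNAL_SCHEMA` puts the first property back to its default or system value, and any FSP state recorded in the manager already held by the configuration is discarded. Reuse the installed manager instead: `XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) fConfiguration.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER);` followed by `if (spm == null) { spm = new XMLSecurityPropertyManager(); }`, assuming the inherited `fConfiguration` is reachable here as it is in DOMParser. The `(String)value` cast also turns a non-String argument into a ClassCastException rather than the declared SAXNotSupportedException.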
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java	Tue Jul 09 16:34:52 2013 -0700
@@ -20,12 +20,10 @@
 
 package com.sun.org.apache.xerces.internal.parsers;
 
-import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Locale;
-import java.util.Properties;
 import javax.xml.XMLConstants;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
@@ -53,9 +51,8 @@
 import com.sun.org.apache.xerces.internal.util.FeatureState;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
 import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@@ -278,11 +275,10 @@
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
-    /** Property identifier: access to external dtd */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
-    /** Property identifier: access to external schema */
-    protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     // debugging
 
@@ -535,8 +531,7 @@
                 SCHEMA_NONS_LOCATION,
                 LOCALE,
                 SCHEMA_DV_FACTORY,
-                ACCESS_EXTERNAL_DTD,
-                ACCESS_EXTERNAL_SCHEMA
+                XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
 
@@ -584,14 +579,7 @@
 
         fVersionDetector = new XMLVersionDetector();
 
-        //FEATURE_SECURE_PROCESSING is true, see the feature above
-        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
-        fProperties.put(ACCESS_EXTERNAL_DTD, accessExternal);
-
-        accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
-        fProperties.put(ACCESS_EXTERNAL_SCHEMA, accessExternal);
+        fProperties.put(XML_SECURITY_PROPERTY_MANAGER, new XMLSecurityPropertyManager());
 
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {
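Review bot: After this hunk and the recognizedProperties hunk above it, the configuration stores only the manager object; `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` are no longer recognised or stored under their JAXP names, so a setProperty or getProperty with those names that reaches the configuration directly will be rejected. SAXParser.setProperty and DOMParser.getProperty intercept the names in this changeset, but no DOMParser.setProperty change is visible in this part of the diff, so it is worth confirming that the setter is routed through the manager too. A short comment above the put would help the next reader: `// accessExternalDTD/accessExternalSchema live in this manager; parsers translate the JAXP property names`. The constructor continues outside the hunk.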
--- a/jaxp/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java	Tue Jul 09 16:34:52 2013 -0700
@@ -223,7 +223,8 @@
      * @return the name of the protocol if rejected, null otherwise
      */
     public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException {
-        if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) {
+        if (systemId == null || (allowedProtocols != null &&
+                allowedProtocols.equalsIgnoreCase(accessAny))) {
             return null;
         }
 
@@ -256,6 +257,9 @@
      * @return true if the protocol is in the list
      */
     private static boolean isProtocolAllowed(String protocol, String allowedProtocols) {
+         if (allowedProtocols == null) {
+             return false;
+         }
          String temp[] = allowedProtocols.split(",");
          for (String t : temp) {
              t = t.trim();
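Review bot: A null `allowedProtocols` now means "no protocol is allowed" here, and in `checkAccess` (previous hunk) it bypasses the access-any shortcut. That is the safe direction, but the contract is implicit. Suggest stating it in both Javadocs if it is not already there, e.g. `@param allowedProtocols comma-separated protocol list; null permits no protocol`. Both method bodies continue outside their hunks.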
@@ -267,18 +271,16 @@
      }
 
     /**
-     * Read from $java.home/lib/jaxp.properties for the specified property
+     * Read JAXP system property in this order: system property,
+     * $java.home/lib/jaxp.properties if the system property is not specified
      *
      * @param propertyId the Id of the property
      * @return the value of the property
      */
-    public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) {
-        String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId);
+    public static String getJAXPSystemProperty(String sysPropertyId) {
+        String accessExternal = getSystemProperty(sysPropertyId);
         if (accessExternal == null) {
             accessExternal = readJAXPProperty(sysPropertyId);
-            if (accessExternal == null) {
-                accessExternal = defaultVal;
-            }
         }
         return accessExternal;
     }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java	Tue Jul 09 16:34:52 2013 -0700
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import javax.xml.XMLConstants;
+
+/**
+ * This class manages security related properties
+ *
+ */
+public final class XMLSecurityPropertyManager {
+
+    /**
+     * States of the settings of a property, in the order: default value, value
+     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+     * properties, and jaxp api properties
+     */
+    public static enum State {
+        //this order reflects the overriding order
+        DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+    }
+
+    /**
+     * Limits managed by the security manager
+     */
+    public static enum Property {
+        ACCESS_EXTERNAL_DTD(XMLConstants.ACCESS_EXTERNAL_DTD,
+                Constants.EXTERNAL_ACCESS_DEFAULT),
+        ACCESS_EXTERNAL_SCHEMA(XMLConstants.ACCESS_EXTERNAL_SCHEMA,
+                Constants.EXTERNAL_ACCESS_DEFAULT);
+
+        final String name;
+        final String defaultValue;
+
+        Property(String name, String value) {
+            this.name = name;
+            this.defaultValue = value;
+        }
+
+        public boolean equalsName(String propertyName) {
+            return (propertyName == null) ? false : name.equals(propertyName);
+        }
+
+        String defaultValue() {
+            return defaultValue;
+        }
+    }
+
+    /**
+     * Values of the properties as defined in enum Properties
+     */
+    private final String[] values;
+    /**
+     * States of the settings for each property in Properties above
+     */
+    private State[] states = {State.DEFAULT, State.DEFAULT};
+
+    /**
+     * Default constructor. Establishes default values
+     */
+    public XMLSecurityPropertyManager() {
+        values = new String[Property.values().length];
+        for (Property property : Property.values()) {
+            values[property.ordinal()] = property.defaultValue();
+        }
+        //read system properties or jaxp.properties
+        readSystemProperties();
+    }
+
+    /**
+     * Set the value for a specific property.
+     *
+     * @param property the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setValue(Property property, State state, String value) {
+        //only update if it shall override
+        if (state.compareTo(states[property.ordinal()]) >= 0) {
+            values[property.ordinal()] = value;
+            states[property.ordinal()] = state;
+        }
+    }
+
+    /**
+     * Set the value of a property by its index
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setValue(int index, State state, String value) {
+        //only update if it shall override
+        if (state.compareTo(states[index]) >= 0) {
+            values[index] = value;
+            states[index] = state;
+        }
+    }
+    /**
+     * Return the value of the specified property
+     *
+     * @param property the property
+     * @return the value of the property
+     */
+    public String getValue(Property property) {
+        return values[property.ordinal()];
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     * @param index the index of a property
+     * @return value of a property
+     */
+    public String getValueByIndex(int index) {
+        return values[index];
+    }
+
+    /**
+     * Get the index by property name
+     * @param propertyName property name
+     * @return the index of the property if found; return -1 if not
+     */
+    public int getIndex(String propertyName){
+        for (Property property : Property.values()) {
+            if (property.equalsName(propertyName)) {
+                //internally, ordinal is used as index
+                return property.ordinal();
+            }
+        }
+        return -1;
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     */
+    private void readSystemProperties() {
+        getSystemProperty(Property.ACCESS_EXTERNAL_DTD,
+                Constants.SP_ACCESS_EXTERNAL_DTD);
+        getSystemProperty(Property.ACCESS_EXTERNAL_SCHEMA,
+                Constants.SP_ACCESS_EXTERNAL_SCHEMA);
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     *
+     * @param property the property
+     * @param systemProperty the name of the system property
+     */
+    private void getSystemProperty(Property property, String systemProperty) {
+        try {
+            String value = SecuritySupport.getSystemProperty(systemProperty);
+            if (value != null) {
+                values[property.ordinal()] = value;
+                states[property.ordinal()] = State.SYSTEMPROPERTY;
+                return;
+            }
+
+            value = SecuritySupport.readJAXPProperty(systemProperty);
+            if (value != null) {
+                values[property.ordinal()] = value;
+                states[property.ordinal()] = State.JAXPDOTPROPERTIES;
+            }
+        } catch (NumberFormatException e) {
+            //invalid setting ignored
+        }
+    }
+}
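Review bot: `states` is initialised with a literal two-element array while `values` is sized from `Property.values().length`, so adding a third `Property` would make `setValue` and `getSystemProperty` index past the end of `states`. Size both the same way: declare `private final State[] states;`, allocate `states = new State[Property.values().length];` in the constructor and set `states[property.ordinal()] = State.DEFAULT;` inside the existing loop. The `catch (NumberFormatException e)` in `getSystemProperty` wraps code that only reads and stores strings as far as this file shows, so it looks like a leftover and can probably go. The Javadoc on `Property` ("Limits managed by the security manager") and the two mentions of "enum Properties" do not describe this class and should name the external-access properties and `Property` instead.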
--- a/jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Tue Jul 09 16:34:52 2013 -0700
@@ -68,6 +68,7 @@
 import com.sun.org.apache.xerces.internal.xpointer.XPointerHandler;
 import com.sun.org.apache.xerces.internal.xpointer.XPointerProcessor;
 import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import java.util.Objects;
 
 /**
@@ -231,13 +232,9 @@
     protected static final String PARSER_SETTINGS =
         Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
 
-    /** property identifier: access external dtd. */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
-
-    /** access external dtd: file protocol
-     *  For DOM/SAX, the secure feature is set to true by default
-     */
-    final static String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
+    /** property identifier: XML security property manager. */
+    protected static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     /** Recognized features. */
     private static final String[] RECOGNIZED_FEATURES =
@@ -293,12 +290,7 @@
     protected XMLErrorReporter fErrorReporter;
     protected XMLEntityResolver fEntityResolver;
     protected SecurityManager fSecurityManager;
-    /**
-     * comma-delimited list of protocols that are allowed for the purpose
-     * of accessing external dtd or entity references
-     */
-    protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
-
+    protected XMLSecurityPropertyManager fSecurityPropertyMgr;
 
     // these are needed for text include processing
     protected XIncludeTextReader fXInclude10TextReader;
@@ -540,7 +532,8 @@
             fSecurityManager = null;
         }
 
-        fAccessExternalDTD = (String)componentManager.getProperty(ACCESS_EXTERNAL_DTD);
+        fSecurityPropertyMgr = (XMLSecurityPropertyManager)
+                componentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER);
 
         // Get buffer size.
         try {
@@ -687,11 +680,13 @@
             }
             return;
         }
-        if (propertyId.equals(ACCESS_EXTERNAL_DTD)) {
-            fAccessExternalDTD = (String)value;
+        if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) {
+            fSecurityPropertyMgr = (XMLSecurityPropertyManager)value;
+
             if (fChildConfig != null) {
-                fChildConfig.setProperty(propertyId, value);
+                fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, value);
             }
+
             return;
         }
 
@@ -1652,7 +1647,7 @@
                 if (fErrorReporter != null) fChildConfig.setProperty(ERROR_REPORTER, fErrorReporter);
                 if (fEntityResolver != null) fChildConfig.setProperty(ENTITY_RESOLVER, fEntityResolver);
                 fChildConfig.setProperty(SECURITY_MANAGER, fSecurityManager);
-                fChildConfig.setProperty(ACCESS_EXTERNAL_DTD, fAccessExternalDTD);
+                fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
                 fChildConfig.setProperty(BUFFER_SIZE, new Integer(fBufferSize));
 
                 // features must be copied to child configuration
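Review bot: `fSecurityPropertyMgr` is copied into the child configuration unconditionally, unlike `fErrorReporter` and `fEntityResolver` a few lines above. The field also no longer has a default: an earlier hunk replaces `fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT` with an uninitialised reference. If reset() got null from the component manager, this call would replace any manager the child configuration already holds (XML11Configuration's constructor installs one in this changeset) with null, leaving the included document without an external-access settings object. Guard it like its neighbours: `if (fSecurityPropertyMgr != null) fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);`. The enclosing method starts and ends outside the hunk.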
--- a/jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java	Wed Jul 05 19:03:14 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java	Tue Jul 09 16:34:52 2013 -0700
@@ -140,12 +140,6 @@
                     // Try to carry on if we've got a parser that
                     // doesn't know about namespace prefixes.
                 }
-                try {
-                    reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
-                } catch (SAXException se) {
-                    System.err.println("Warning:  " + reader.getClass().getName() + ": "
-                                + se.getMessage());
-                }
             } catch (ParserConfigurationException ex) {
                 throw new SAXException(ex);
             } catch (FactoryConfigurationError ex1) {
@@ -162,6 +156,14 @@
             }
         }
 
+        try {
+            //reader is cached, but this property might have been reset
+            reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
+        } catch (SAXException se) {
+            System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                        + se.getMessage());
+        }
+
         return reader;
     }