--- a/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java Sat Dec 07 16:15:08 2013 -0800
+++ b/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java Wed Oct 23 21:24:34 2013 -0700
@@ -64,6 +64,8 @@
protected static final AttrCompare COMPARE = new AttrCompare();
+ // Make sure you clone the following mutable arrays before passing to
+ // potentially untrusted objects such as OutputStreams.
private static final byte[] END_PI = {'?','>'};
private static final byte[] BEGIN_PI = {'<','?'};
private static final byte[] END_COMM = {'-','-','>'};
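Review bot: The new comment on the shared byte[] constants states the rule but not the reason, so a future `writer.write(SOME_CONST)` has only a warning to go on, not a threat to reason about. I would spell out what the clone defends against: `// Shared by every canonicalizer instance. OutputStream.write(byte[]) hands the caller-supplied stream the array itself, so a hostile stream could rewrite it and corrupt every later canonicalization; clone before each write.` The comment as written also reads as if it applies to everything that follows; it would help to say it covers the `byte[]` constants below it specifically, since `COMPARE` on the line above is untouched by this change.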
@@ -76,7 +78,7 @@
private static final byte[] LT = {'&','l','t',';'};
private static final byte[] END_TAG = {'<','/'};
private static final byte[] AMP = {'&','a','m','p',';'};
- private static final byte[] equalsStr = {'=','\"'};
+ private static final byte[] EQUALS_STR = {'=','\"'};
protected static final int NODE_BEFORE_DOCUMENT_ELEMENT = -1;
protected static final int NODE_NOT_BEFORE_OR_AFTER_DOCUMENT_ELEMENT = 0;
@@ -303,7 +305,7 @@
writer.write('>');
sibling = currentNode.getFirstChild();
if (sibling == null) {
- writer.write(END_TAG);
+ writer.write(END_TAG.clone());
UtfHelpper.writeStringToUtf8(name, writer);
writer.write('>');
//We finished with this level, pop to the previous definitions.
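Review bot: The defensive copy `END_TAG.clone()` is now repeated at every write site (four times for END_TAG alone in this patch), so the protection depends on every future caller remembering the rule rather than on the code enforcing it. A single private helper keeps the policy in one place and makes the intent greppable: `private static void writeConst(OutputStream writer, byte[] constant) throws IOException { writer.write(constant.clone()); }` with `writeConst(writer, END_TAG);` here — assuming `writer` is an OutputStream, as the new class comment implies. The enclosing method starts and ends outside this hunk.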
@@ -321,7 +323,7 @@
break;
}
while (sibling == null && parentNode != null) {
- writer.write(END_TAG);
+ writer.write(END_TAG.clone());
UtfHelpper.writeByte(((Element)parentNode).getTagName(), writer, cache);
writer.write('>');
//We finished with this level, pop to the previous definitions.
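Review bot: The clone protects the static constant, but the next line, `UtfHelpper.writeByte(((Element)parentNode).getTagName(), writer, cache)`, presumably hands `writer` a byte[] pulled from `cache`; if that map stores encoded tag names and is reused for later writes, the same untrusted stream could mutate a cached array and corrupt subsequent end tags in the same document. UtfHelpper is not part of this diff, so I cannot tell whether it copies before writing; it is worth confirming, and either cloning there as well or documenting that the cache is per-invocation so the blast radius is understood. The enclosing loop and method continue outside this hunk.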
@@ -481,7 +483,7 @@
if (sibling == null) {
if (currentNodeIsVisible) {
- writer.write(END_TAG);
+ writer.write(END_TAG.clone());
UtfHelpper.writeByte(name, writer, cache);
writer.write('>');
//We finished with this level, pop to the previous definitions.
@@ -503,7 +505,7 @@
}
while (sibling == null && parentNode != null) {
if (isVisible(parentNode)) {
- writer.write(END_TAG);
+ writer.write(END_TAG.clone());
UtfHelpper.writeByte(((Element)parentNode).getTagName(), writer, cache);
writer.write('>');
//We finished with this level, pop to the previous definitions.
@@ -690,7 +692,7 @@
) throws IOException {
writer.write(' ');
UtfHelpper.writeByte(name, writer, cache);
- writer.write(equalsStr);
+ writer.write(EQUALS_STR.clone());
byte[] toWrite;
final int length = value.length();
int i = 0;
@@ -700,27 +702,27 @@
switch (c) {
case '&' :
- toWrite = AMP;
+ toWrite = AMP.clone();
break;
case '<' :
- toWrite = LT;
+ toWrite = LT.clone();
break;
case '"' :
- toWrite = QUOT;
+ toWrite = QUOT.clone();
break;
case 0x09 : // '\t'
- toWrite = X9;
+ toWrite = X9.clone();
break;
case 0x0A : // '\n'
- toWrite = XA;
+ toWrite = XA.clone();
break;
case 0x0D : // '\r'
- toWrite = XD;
+ toWrite = XD.clone();
break;
default :
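Review bot: Each case now clones its constant at the assignment rather than at the single point where `toWrite` is handed to `writer`, so the copy policy is spread across six branches and a new case added later would silently miss it. If, as the shape of the switch suggests, every branch ends by writing `toWrite`, moving the copy to that one write (`writer.write(toWrite.clone())`, which lies below this hunk) would cover all cases automatically. The `default` branch is cut off here and may assign a freshly built array, in which case the extra copy there is harmless but wasted, so check that before consolidating. The enclosing method starts and ends outside this hunk.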
@@ -750,7 +752,7 @@
if (position == NODE_AFTER_DOCUMENT_ELEMENT) {
writer.write('\n');
}
- writer.write(BEGIN_PI);
+ writer.write(BEGIN_PI.clone());
final String target = currentPI.getTarget();
int length = target.length();
@@ -758,7 +760,7 @@
for (int i = 0; i < length; i++) {
char c = target.charAt(i);
if (c == 0x0D) {
- writer.write(XD);
+ writer.write(XD.clone());
} else {
if (c < 0x80) {
writer.write(c);
@@ -778,14 +780,14 @@
for (int i = 0; i < length; i++) {
char c = data.charAt(i);
if (c == 0x0D) {
- writer.write(XD);
+ writer.write(XD.clone());
} else {
UtfHelpper.writeCharToUtf8(c, writer);
}
}
}
- writer.write(END_PI);
+ writer.write(END_PI.clone());
if (position == NODE_BEFORE_DOCUMENT_ELEMENT) {
writer.write('\n');
}
@@ -804,7 +806,7 @@
if (position == NODE_AFTER_DOCUMENT_ELEMENT) {
writer.write('\n');
}
- writer.write(BEGIN_COMM);
+ writer.write(BEGIN_COMM.clone());
final String data = currentComment.getData();
final int length = data.length();
@@ -812,7 +814,7 @@
for (int i = 0; i < length; i++) {
char c = data.charAt(i);
if (c == 0x0D) {
- writer.write(XD);
+ writer.write(XD.clone());
} else {
if (c < 0x80) {
writer.write(c);
@@ -822,7 +824,7 @@
}
}
- writer.write(END_COMM);
+ writer.write(END_COMM.clone());
if (position == NODE_BEFORE_DOCUMENT_ELEMENT) {
writer.write('\n');
}
@@ -846,19 +848,19 @@
switch (c) {
case '&' :
- toWrite = AMP;
+ toWrite = AMP.clone();
break;
case '<' :
- toWrite = LT;
+ toWrite = LT.clone();
break;
case '>' :
- toWrite = GT;
+ toWrite = GT.clone();
break;
case 0xD :
- toWrite = XD;
+ toWrite = XD.clone();
break;
default :