--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Wed Jul 17 09:31:39 2013 -0700
@@ -50,9 +50,9 @@
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.xml.internal.stream.Entity;
import javax.xml.XMLConstants;
@@ -382,7 +382,7 @@
protected boolean foundBuiltInRefs = false;
- protected SecurityManager fSecurityManager = null;
+ protected XMLSecurityManager fSecurityManager = null;
//skip element algorithm
static final short MAX_DEPTH_LIMIT = 5 ;
@@ -569,8 +569,10 @@
// xerces features
fReportCdataEvent = componentManager.getFeature(Constants.STAX_REPORT_CDATA_EVENT, true);
- fSecurityManager = (SecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null);
- fElementAttributeLimit = (fSecurityManager != null)?fSecurityManager.getElementAttrLimit():0;
+ fSecurityManager = (XMLSecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null);
+ fElementAttributeLimit = (fSecurityManager != null)?
+ fSecurityManager.getLimit(XMLSecurityManager.Limit.ELEMENT_ATTRIBUTE_LIMIT):0;
+
fNotifyBuiltInRefs = componentManager.getFeature(NOTIFY_BUILTIN_REFS, false);
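Review bot: The cast `(XMLSecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null)` is unchecked, so a property value of any other class surfaces as a ClassCastException in the middle of reset() instead of a configuration error. The value can be caller-supplied: the XMLSchemaFactory setProperty hunk casts its `object` argument the same way, and the same pattern appears in the XMLEntityManager and CMNodeFactory reset/setProperty hunks and in ValidatorHandlerImpl. I would test the type first and fail closed, e.g. `if (sm != null && !(sm instanceof XMLSecurityManager)) throw new XMLConfigurationException(Status.NOT_SUPPORTED, Constants.SECURITY_MANAGER);` with `sm` holding the getProperty result. Silently treating it as null is the wrong fallback, because the `: 0` branch looks like it means "no limit". The enclosing method starts and ends outside this hunk.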
@@ -951,6 +953,7 @@
// scan decl
super.scanXMLDeclOrTextDecl(scanningTextDecl, fStrings);
+
fMarkupDepth--;
// pseudo-attribute values
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Wed Jul 17 09:31:39 2013 -0700
@@ -28,9 +28,9 @@
import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
import com.sun.org.apache.xerces.internal.util.*;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
import com.sun.org.apache.xerces.internal.xni.XNIException;
@@ -324,7 +324,7 @@
// stores defaults for entity expansion limit if it has
// been set on the configuration.
- protected SecurityManager fSecurityManager = null;
+ protected XMLSecurityManager fSecurityManager = null;
/**
* True if the document entity is standalone. This should really
@@ -1482,7 +1482,7 @@
fEntityResolver = (XMLEntityResolver)componentManager.getProperty(ENTITY_RESOLVER, null);
fStaxEntityResolver = (StaxEntityResolverWrapper)componentManager.getProperty(STAX_ENTITY_RESOLVER, null);
fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null);
- fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
+ fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
// JAXP 1.5 feature
fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
@@ -1499,7 +1499,9 @@
// a class acting as a component manager but not
// implementing that interface for whatever reason.
public void reset() {
- fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0;
+ fEntityExpansionLimit = (fSecurityManager != null)?
+ fSecurityManager.getLimit(XMLSecurityManager.Limit.ENTITY_EXPANSION_LIMIT):0;
+
// initialize state
fStandalone = false;
@@ -1635,8 +1637,10 @@
}
if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
- fSecurityManager = (SecurityManager)value;
- fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0;
+ fSecurityManager = (XMLSecurityManager)value;
+ fEntityExpansionLimit = (fSecurityManager != null)?
+ fSecurityManager.getLimit(XMLSecurityManager.Limit.ENTITY_EXPANSION_LIMIT):0;
+
}
}
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java Wed Jul 17 09:31:39 2013 -0700
@@ -499,7 +499,7 @@
reportFatalError("SDDeclInvalid", new Object[] {standalone});
}
} else {
- reportFatalError("EncodingDeclRequired", null);
+ reportFatalError("SDDeclNameInvalid", null);
}
break;
}
@@ -564,7 +564,7 @@
XMLString value)
throws IOException, XNIException {
- String name = fEntityScanner.scanName();
+ String name = scanPseudoAttributeName();
// XMLEntityManager.print(fEntityManager.getCurrentEntity());
if (name == null) {
@@ -617,6 +617,35 @@
} // scanPseudoAttribute(XMLString):String
/**
+ * Scans the name of a pseudo attribute. The only legal names
+ * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'.
+ *
+ * @return the name of the pseudo attribute or <code>null</code>
+ * if a legal pseudo attribute name could not be scanned.
+ */
+ private String scanPseudoAttributeName() throws IOException, XNIException {
+ final int ch = fEntityScanner.peekChar();
+ switch (ch) {
+ case 'v':
+ if (fEntityScanner.skipString(fVersionSymbol)) {
+ return fVersionSymbol;
+ }
+ break;
+ case 'e':
+ if (fEntityScanner.skipString(fEncodingSymbol)) {
+ return fEncodingSymbol;
+ }
+ break;
+ case 's':
+ if (fEntityScanner.skipString(fStandaloneSymbol)) {
+ return fStandaloneSymbol;
+ }
+ break;
+ }
+ return null;
+ } // scanPseudoAttributeName()
+
+ /**
* Scans a processing instruction.
* <p>
* <pre>
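Review bot: scanPseudoAttributeName() relies entirely on skipString() for the match, and if skipString() compares only the leading characters (its body is not in this diff), an input such as `versionX` is returned as `version` with `X` left in the stream. The caller presumably rejects that at its `=` check, but the Javadoc promises "a legal pseudo attribute name", so the contract should state the limit. I would add to the Javadoc: `The character following the name is not examined; the caller must verify that '=' follows.` A sentence on why fEntityScanner.scanName() is no longer used here would also help, since the replacement restricts the scan to three fixed symbols rather than an arbitrary-length name.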
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties Wed Jul 17 09:31:39 2013 -0700
@@ -44,6 +44,7 @@
# 2.9 Standalone Document Declaration
SDDeclInvalid = The standalone document declaration value must be \"yes\" or \"no\", not \"{0}\".
+ SDDeclNameInvalid = The standalone name in XML declaration may be misspelled.
# 2.12 Language Identification
XMLLangInvalid = The xml:lang attribute value \"{0}\" is an invalid language identifier.
# 3. Logical Structures
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java Wed Jul 17 09:31:39 2013 -0700
@@ -21,13 +21,13 @@
package com.sun.org.apache.xerces.internal.impl.xs.models;
+import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager ;
import com.sun.org.apache.xerces.internal.impl.dtd.models.CMNode;
+import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
+import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
-import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
-import com.sun.org.apache.xerces.internal.impl.Constants;
/**
*
@@ -68,7 +68,7 @@
// stores defaults for different security holes (maxOccurLimit in current context) if it has
// been set on the configuration.
- private SecurityManager fSecurityManager = null;
+ private XMLSecurityManager fSecurityManager = null;
/** default constructor */
public CMNodeFactory() {
@@ -77,10 +77,10 @@
public void reset(XMLComponentManager componentManager){
fErrorReporter = (XMLErrorReporter)componentManager.getProperty(ERROR_REPORTER);
try {
- fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER);
+ fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER);
//we are setting the limit of number of nodes to 3times the maxOccur value..
if(fSecurityManager != null){
- maxNodeLimit = fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY ;
+ maxNodeLimit = fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY ;
}
}
catch (XMLConfigurationException e) {
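Review bot: `fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY` is a plain int multiplication, so a configured limit above Integer.MAX_VALUE / MULTIPLICITY wraps and maxNodeLimit can end up negative or far smaller than intended. How maxNodeLimit is compared lies outside this hunk, so the effect would be either spurious rejections or a limit check that never fires; that is worth confirming. A saturating form avoids both: `maxNodeLimit = (int) Math.min((long) limit * MULTIPLICITY, Integer.MAX_VALUE);` with `limit` holding the getLimit result. The same expression appears in the setProperty hunk that follows, and reset() continues past the end of this hunk.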
@@ -150,8 +150,9 @@
if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
- fSecurityManager = (SecurityManager)value;
- maxNodeLimit = (fSecurityManager != null) ? fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY : 0 ;
+ fSecurityManager = (XMLSecurityManager)value;
+ maxNodeLimit = (fSecurityManager != null) ?
+ fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY : 0 ;
return;
}
if (suffixLength == Constants.ERROR_REPORTER_PROPERTY.length() &&
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java Wed Jul 17 09:31:39 2013 -0700
@@ -40,6 +40,7 @@
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xs.XSConstants;
import java.util.HashMap;
@@ -1194,7 +1195,7 @@
if (!optimize) {
//Revisit :: IMO this is not right place to check
// maxOccurNodeLimit.
- int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getMaxOccurNodeLimit();
+ int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT);
if (max > maxOccurNodeLimit) {
reportSchemaFatalError("maxOccurLimit", new Object[] {new Integer(maxOccurNodeLimit)}, element);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java Wed Jul 17 09:31:39 2013 -0700
@@ -70,7 +70,6 @@
import com.sun.org.apache.xerces.internal.util.DefaultErrorHandler;
import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXInputSource;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.StAXInputSource;
import com.sun.org.apache.xerces.internal.util.StAXLocationWrapper;
import com.sun.org.apache.xerces.internal.util.SymbolHash;
@@ -78,6 +77,7 @@
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -257,7 +257,7 @@
*
* <p>Protected to allow access by any traverser.</p>
*/
- protected SecurityManager fSecureProcessing = null;
+ protected XMLSecurityManager fSecureProcessing = null;
private String fAccessExternalSchema;
@@ -3501,7 +3501,7 @@
fSecureProcessing = null;
if( componentManager!=null ) {
- fSecureProcessing = (SecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
+ fSecureProcessing = (XMLSecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
}
//set entity resolver
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java Wed Jul 17 09:31:39 2013 -0700
@@ -36,7 +36,7 @@
import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
import com.sun.org.apache.xerces.internal.parsers.DOMParser;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -162,7 +162,7 @@
// If the secure processing feature is on set a security manager.
if (secureProcessing) {
- domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
+ domParser.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
/**
* By default, secure processing is set, no external access is allowed.
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java Wed Jul 17 09:31:39 2013 -0700
@@ -34,8 +34,8 @@
import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.Status;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -151,7 +151,7 @@
// If the secure processing feature is on set a security manager.
if (secureProcessing) {
- xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
+ xmlReader.setProperty0(SECURITY_MANAGER, new XMLSecurityManager());
/**
* By default, secure processing is set, no external access is allowed.
* However, we need to check if it is actively set on the factory since we
@@ -413,7 +413,7 @@
}
if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
try {
- setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+ setProperty(SECURITY_MANAGER, value ? new XMLSecurityManager() : null);
}
catch (SAXNotRecognizedException exc) {
// If the property is not supported
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Wed Jul 17 09:31:39 2013 -0700
@@ -24,7 +24,7 @@
import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
import com.sun.org.apache.xerces.internal.parsers.XML11Configuration;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException;
@@ -170,7 +170,7 @@
private XMLParserConfiguration initialize() {
XML11Configuration config = new XML11Configuration();
if (fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
- config.setProperty(SECURITY_MANAGER, new SecurityManager());
+ config.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
}
config.setProperty(ENTITY_RESOLVER, fComponentManager.getProperty(ENTITY_RESOLVER));
config.setProperty(ERROR_HANDLER, fComponentManager.getProperty(ERROR_HANDLER));
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Wed Jul 17 09:31:39 2013 -0700
@@ -49,10 +49,10 @@
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName;
@@ -679,7 +679,7 @@
reader = spf.newSAXParser().getXMLReader();
// If this is a Xerces SAX parser, set the security manager if there is one
if (reader instanceof com.sun.org.apache.xerces.internal.parsers.SAXParser) {
- SecurityManager securityManager = (SecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
+ XMLSecurityManager securityManager = (XMLSecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
if (securityManager != null) {
try {
reader.setProperty(SECURITY_MANAGER, securityManager);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Wed Jul 17 09:31:39 2013 -0700
@@ -41,11 +41,11 @@
import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXInputSource;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.StAXInputSource;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -79,7 +79,7 @@
private static final String XMLGRAMMAR_POOL =
Constants.XERCES_PROPERTY_PREFIX + Constants.XMLGRAMMAR_POOL_PROPERTY;
- /** Property identifier: SecurityManager. */
+ /** Property identifier: XMLSecurityManager. */
private static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
@@ -108,8 +108,8 @@
/** The ErrorHandlerWrapper */
private ErrorHandlerWrapper fErrorHandlerWrapper;
- /** The SecurityManager. */
- private SecurityManager fSecurityManager;
+ /** The XMLSecurityManager. */
+ private XMLSecurityManager fSecurityManager;
/** The container for the real grammar pool. */
private XMLGrammarPoolWrapper fXMLGrammarPoolWrapper;
@@ -137,7 +137,7 @@
fXMLSchemaLoader.setErrorHandler(fErrorHandlerWrapper);
// Enable secure processing feature by default
- fSecurityManager = new SecurityManager();
+ fSecurityManager = new XMLSecurityManager();
fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
//by default, the secure feature is set to true, otherwise the default would have been 'file'
@@ -365,7 +365,7 @@
"jaxp-secureprocessing-feature", null));
}
if (value) {
- fSecurityManager = new SecurityManager();
+ fSecurityManager = new XMLSecurityManager();
fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
} else {
@@ -404,7 +404,7 @@
"ProperyNameNull", null));
}
if (name.equals(SECURITY_MANAGER)) {
- fSecurityManager = (SecurityManager) object;
+ fSecurityManager = (XMLSecurityManager) object;
fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
return;
}
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java Wed Jul 17 09:31:39 2013 -0700
@@ -39,9 +39,9 @@
import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@@ -182,7 +182,7 @@
private final HashMap fInitProperties = new HashMap();
/** Stores the initial security manager. */
- private final SecurityManager fInitSecurityManager;
+ private final XMLSecurityManager fInitSecurityManager;
//
// User Objects
@@ -221,7 +221,7 @@
if (System.getSecurityManager() != null) {
_isSecureMode = true;
- setProperty(SECURITY_MANAGER, new SecurityManager());
+ setProperty(SECURITY_MANAGER, new XMLSecurityManager());
} else {
fComponents.put(SECURITY_MANAGER, null);
}
@@ -242,7 +242,7 @@
// if the secure processing feature is set to true, add a security manager to the configuration
Boolean secureProcessing = grammarContainer.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
if (Boolean.TRUE.equals(secureProcessing)) {
- fInitSecurityManager = new SecurityManager();
+ fInitSecurityManager = new XMLSecurityManager();
}
else {
fInitSecurityManager = null;
@@ -308,7 +308,7 @@
if (_isSecureMode && !value) {
throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING);
}
- setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+ setProperty(SECURITY_MANAGER, value ? new XMLSecurityManager() : null);
return;
}
fConfigUpdated = true;
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java Wed Jul 17 09:31:39 2013 -0700
@@ -25,10 +25,10 @@
import com.sun.org.apache.xerces.internal.util.EntityResolverWrapper;
import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolHash;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName;
@@ -1651,7 +1651,7 @@
else if (featureId.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
if (state) {
if (fConfiguration.getProperty(SECURITY_MANAGER )==null) {
- fConfiguration.setProperty(SECURITY_MANAGER, new SecurityManager());
+ fConfiguration.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
}
}
}
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java Wed Jul 17 09:31:39 2013 -0700
@@ -23,8 +23,8 @@
import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
/**
* This configuration allows Xerces to behave in a security-conscious manner; that is,
@@ -106,8 +106,8 @@
XMLComponentManager parentSettings) {
super(symbolTable, grammarPool, parentSettings);
- // create the SecurityManager property:
- setProperty(SECURITY_MANAGER_PROPERTY, new SecurityManager());
+ // create the XMLSecurityManager property:
+ setProperty(SECURITY_MANAGER_PROPERTY, new XMLSecurityManager());
} // <init>(SymbolTable,XMLGrammarPool)
} // class SecurityConfiguration
--- a/jaxp/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java Tue Jul 16 14:06:04 2013 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,226 +0,0 @@
-/*
- * reserved comment block
- * DO NOT REMOVE OR ALTER!
- */
-/*
- * The Apache Software License, Version 1.1
- *
- *
- * Copyright (c) 2003 The Apache Software Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Xerces" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation and was
- * originally based on software copyright (c) 1999, International
- * Business Machines, Inc., http://www.apache.org. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- */
-
-package com.sun.org.apache.xerces.internal.util;
-import com.sun.org.apache.xerces.internal.impl.Constants;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-/**
- * This class is a container for parser settings that relate to
- * security, or more specifically, it is intended to be used to prevent denial-of-service
- * attacks from being launched against a system running Xerces.
- * Any component that is aware of a denial-of-service attack that can arise
- * from its processing of a certain kind of document may query its Component Manager
- * for the property (http://apache.org/xml/properties/security-manager)
- * whose value will be an instance of this class.
- * If no value has been set for the property, the component should proceed in the "usual" (spec-compliant)
- * manner. If a value has been set, then it must be the case that the component in
- * question needs to know what method of this class to query. This class
- * will provide defaults for all known security issues, but will also provide
- * setters so that those values can be tailored by applications that care.
- *
- * @author Neil Graham, IBM
- *
- * @version $Id: SecurityManager.java,v 1.5 2010-11-01 04:40:14 joehw Exp $
- */
-public final class SecurityManager {
-
- //
- // Constants
- //
-
- // default value for entity expansion limit
- private final static int DEFAULT_ENTITY_EXPANSION_LIMIT = 64000;
-
- /** Default value of number of nodes created. **/
- private final static int DEFAULT_MAX_OCCUR_NODE_LIMIT = 5000;
-
- //
- // Data
- //
-
- private final static int DEFAULT_ELEMENT_ATTRIBUTE_LIMIT = 10000;
-
- /** Entity expansion limit. **/
- private int entityExpansionLimit;
-
- /** W3C XML Schema maxOccurs limit. **/
- private int maxOccurLimit;
-
- private int fElementAttributeLimit;
- // default constructor. Establishes default values for
- // all known security holes.
- /**
- * Default constructor. Establishes default values
- * for known security vulnerabilities.
- */
- public SecurityManager() {
- entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
- maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT ;
- fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
- //We are reading system properties only once ,
- //at the time of creation of this object ,
- readSystemProperties();
- }
-
- /**
- * <p>Sets the number of entity expansions that the
- * parser should permit in a document.</p>
- *
- * @param limit the number of entity expansions
- * permitted in a document
- */
- public void setEntityExpansionLimit(int limit) {
- entityExpansionLimit = limit;
- }
-
- /**
- * <p>Returns the number of entity expansions
- * that the parser permits in a document.</p>
- *
- * @return the number of entity expansions
- * permitted in a document
- */
- public int getEntityExpansionLimit() {
- return entityExpansionLimit;
- }
-
- /**
- * <p>Sets the limit of the number of content model nodes
- * that may be created when building a grammar for a W3C
- * XML Schema that contains maxOccurs attributes with values
- * other than "unbounded".</p>
- *
- * @param limit the maximum value for maxOccurs other
- * than "unbounded"
- */
- public void setMaxOccurNodeLimit(int limit){
- maxOccurLimit = limit;
- }
-
- /**
- * <p>Returns the limit of the number of content model nodes
- * that may be created when building a grammar for a W3C
- * XML Schema that contains maxOccurs attributes with values
- * other than "unbounded".</p>
- *
- * @return the maximum value for maxOccurs other
- * than "unbounded"
- */
- public int getMaxOccurNodeLimit(){
- return maxOccurLimit;
- }
-
- public int getElementAttrLimit(){
- return fElementAttributeLimit;
- }
-
- public void setElementAttrLimit(int limit){
- fElementAttributeLimit = limit;
- }
-
- private void readSystemProperties(){
-
- //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
- try {
- String value = getSystemProperty(Constants.ENTITY_EXPANSION_LIMIT);
- if(value != null && !value.equals("")){
- entityExpansionLimit = Integer.parseInt(value);
- if (entityExpansionLimit < 0)
- entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
- }
- else
- entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
- }catch(Exception ex){}
-
- try {
- String value = getSystemProperty(Constants.MAX_OCCUR_LIMIT);
- if(value != null && !value.equals("")){
- maxOccurLimit = Integer.parseInt(value);
- if (maxOccurLimit < 0)
- maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
- }
- else
- maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
- }catch(Exception ex){}
-
- try {
- String value = getSystemProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
- if(value != null && !value.equals("")){
- fElementAttributeLimit = Integer.parseInt(value);
- if ( fElementAttributeLimit < 0)
- fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
- }
- else
- fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
-
- }catch(Exception ex){}
-
- }
-
- private String getSystemProperty(final String propName) {
- return AccessController.doPrivileged(new PrivilegedAction<String>() {
- public String run() {
- return System.getProperty(propName);
- }
- });
- }
-} // class SecurityManager
--- a/jaxp/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java Wed Jul 17 09:31:39 2013 -0700
@@ -173,7 +173,7 @@
for (int i = 0; i < length; i++) {
code = code * 37 + symbol.charAt(i);
}
- return code & 0x7FFFFFF;
+ return code & 0x7FFFFFFF;
} // hash(String):int
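Review bot: The mask literal `0x7FFFFFFF` is written out by hand in both `hash` overloads (here and in the `hash(char[],int,int)` hunk that follows). The value it replaces, `0x7FFFFFF`, was a one-digit slip that kept only 27 bits of the hash. Writing the return as `return code & Integer.MAX_VALUE;`, or through one shared named constant, would state the intent of clearing only the sign bit and make the same typo harder to repeat. A comment such as `// clear the sign bit so the result is never negative` would also help the next reader. Both method bodies start outside their hunks, so how callers use the result is not visible here.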
@@ -194,7 +194,7 @@
for (int i = 0; i < length; i++) {
code = code * 37 + buffer[offset + i];
}
- return code & 0x7FFFFFF;
+ return code & 0x7FFFFFFF;
} // hash(char[],int,int):int
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java Wed Jul 17 09:31:39 2013 -0700
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+
+/**
+ * This class manages standard and implementation-specific limitations.
+ *
+ */
+public final class XMLSecurityManager {
+
+ /**
+ * States of the settings of a property, in the order: default value, value
+ * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+ * properties, and jaxp api properties
+ */
+ public static enum State {
+ //this order reflects the overriding order
+ DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+ }
+
+ /**
+ * Limits managed by the security manager
+ */
+ public static enum Limit {
+ ENTITY_EXPANSION_LIMIT(64000),
+ MAX_OCCUR_NODE_LIMIT(5000),
+ ELEMENT_ATTRIBUTE_LIMIT(10000);
+
+ final int defaultValue;
+
+ Limit(int value) {
+ this.defaultValue = value;
+ }
+
+ int defaultValue() {
+ return defaultValue;
+ }
+ }
+
+ /**
+ * Values of the limits as defined in enum Limit
+ */
+ private final int[] limits;
+ /**
+ * States of the settings for each limit in limits above
+ */
+ private State[] states = {State.DEFAULT, State.DEFAULT, State.DEFAULT, State.DEFAULT};
+
+ /**
+ * Default constructor. Establishes default values for known security
+ * vulnerabilities.
+ */
+ public XMLSecurityManager() {
+ limits = new int[Limit.values().length];
+ for (Limit limit : Limit.values()) {
+ limits[limit.ordinal()] = limit.defaultValue();
+ }
+ //read system properties or jaxp.properties
+ readSystemProperties();
+ }
+
+ /**
+ * Sets the limit for a specific type of XML constructs. This can be either
+ * the size or the number of the constructs.
+ *
+ * @param type the type of limitation
+ * @param state the state of limitation
+ * @param limit the limit to the type
+ */
+ public void setLimit(Limit limit, State state, int value) {
+ //only update if it shall override
+ if (state.compareTo(states[limit.ordinal()]) >= 0) {
+ limits[limit.ordinal()] = value;
+ states[limit.ordinal()] = state;
+ }
+ }
+
+ /**
+ * Returns the limit set for the type specified
+ *
+ * @param limit the type of limitation
+ * @return the limit to the type
+ */
+ public int getLimit(Limit limit) {
+ return limits[limit.ordinal()];
+ }
+
+ /**
+ * Read from system properties, or those in jaxp.properties
+ */
+ private void readSystemProperties() {
+ getSystemProperty(Limit.ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT);
+ getSystemProperty(Limit.MAX_OCCUR_NODE_LIMIT, Constants.MAX_OCCUR_LIMIT);
+ getSystemProperty(Limit.ELEMENT_ATTRIBUTE_LIMIT,
+ Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
+ }
+
+ /**
+ * Read from system properties, or those in jaxp.properties
+ *
+ * @param limit the type of the property
+ * @param property the property name
+ */
+ private void getSystemProperty(Limit limit, String property) {
+ try {
+ String value = SecuritySupport.getSystemProperty(property);
+ if (value != null && !value.equals("")) {
+ limits[limit.ordinal()] = Integer.parseInt(value);
+ states[limit.ordinal()] = State.SYSTEMPROPERTY;
+ return;
+ }
+
+ value = SecuritySupport.readJAXPProperty(property);
+ if (value != null && !value.equals("")) {
+ limits[limit.ordinal()] = Integer.parseInt(value);
+ states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
+ }
+ } catch (NumberFormatException e) {
+ //invalid setting ignored
+ }
+ }
+}
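Review bot: `getSystemProperty` stores whatever `Integer.parseInt` returns, so a negative value from a system property or jaxp.properties becomes the active limit. The removed `SecurityManager.readSystemProperties`, visible earlier in this diff, reset negative values to the default. How the scanners that call `getLimit` treat a negative limit is not visible here, so the effect may be a limit that no longer constrains anything or one that rejects every document; either way I would validate the parsed value before storing it, as in the excerpt below. `setLimit` would need the same guard if API callers can pass negatives. Separately, `states` is initialised with four entries while `Limit` has three values, so sizing it from `Limit.values().length`, as `limits` is, would keep the two arrays in step; the `setLimit` Javadoc `@param` names (`type`, `limit`) also do not match the actual parameters (`limit`, `value`).

```java
private void getSystemProperty(Limit limit, String property) {
    // … unchanged: try, SecuritySupport.getSystemProperty lookup and non-empty check …
            int parsed = Integer.parseInt(value);
            // a negative setting keeps the built-in default, as the removed class did
            if (parsed >= 0) {
                limits[limit.ordinal()] = parsed;
                states[limit.ordinal()] = State.SYSTEMPROPERTY;
            }
            return;
    // … unchanged: SecuritySupport.readJAXPProperty lookup and non-empty check …
            int parsedFromFile = Integer.parseInt(value);
            if (parsedFromFile >= 0) {
                limits[limit.ordinal()] = parsedFromFile;
                states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
            }
    // … unchanged: NumberFormatException handler …
```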
--- a/jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java Wed Jul 17 09:31:39 2013 -0700
@@ -37,7 +37,6 @@
import com.sun.org.apache.xerces.internal.util.HTTPInputSource;
import com.sun.org.apache.xerces.internal.util.IntStack;
import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
@@ -45,6 +44,7 @@
import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName;
@@ -292,7 +292,7 @@
protected SymbolTable fSymbolTable;
protected XMLErrorReporter fErrorReporter;
protected XMLEntityResolver fEntityResolver;
- protected SecurityManager fSecurityManager;
+ protected XMLSecurityManager fSecurityManager;
/**
* comma-delimited list of protocols that are allowed for the purpose
* of accessing external dtd or entity references
@@ -525,8 +525,8 @@
// Get security manager.
try {
- SecurityManager value =
- (SecurityManager)componentManager.getProperty(
+ XMLSecurityManager value =
+ (XMLSecurityManager)componentManager.getProperty(
SECURITY_MANAGER);
if (value != null) {
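Review bot: The cast `(XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER)` is unchecked, and so is `fSecurityManager = (XMLSecurityManager)value;` in the `setProperty` hunk that follows, where `value` is supplied by the caller. Any code that still places an instance of the previous `SecurityManager` type under this property would now fail with a `ClassCastException`. Whether the surrounding `try` catches that is not visible, because its catch clause lies outside the hunk. An `instanceof XMLSecurityManager` check that rejects other types with an explicit, reported error would be safer than an uncaught cast failure. It would also be safer than silently discarding the object, which would drop the limits it carries.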
@@ -681,7 +681,7 @@
return;
}
if (propertyId.equals(SECURITY_MANAGER)) {
- fSecurityManager = (SecurityManager)value;
+ fSecurityManager = (XMLSecurityManager)value;
if (fChildConfig != null) {
fChildConfig.setProperty(propertyId, value);
}
--- a/jaxp/src/com/sun/xml/internal/stream/Entity.java Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/xml/internal/stream/Entity.java Wed Jul 17 09:31:39 2013 -0700
@@ -248,7 +248,7 @@
public int fBufferSize = DEFAULT_BUFFER_SIZE;
/** Default buffer size before we've finished with the XMLDecl: */
- public static final int DEFAULT_XMLDECL_BUFFER_SIZE = 28;
+ public static final int DEFAULT_XMLDECL_BUFFER_SIZE = 64;
/** Default internal entity buffer size (1024). */
public static final int DEFAULT_INTERNAL_BUFFER_SIZE = 1024;