--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java Wed Jul 05 19:03:53 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java Tue Jul 16 14:06:04 2013 -0700
@@ -271,6 +271,7 @@
_accessExternalDTD = (String)_tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD);
_readerManager = XMLReaderManager.getInstance(_useServicesMechanism);
_readerManager.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
+ _readerManager.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _isSecureProcessing);
//_isIncremental = tfactory._incremental;
}
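Review bot: The secure-processing flag is stored on `_readerManager`, which is obtained from `XMLReaderManager.getInstance(_useServicesMechanism)`. If that call returns a shared instance, as the name suggests, each Transformer that runs this line or `setSecureProcessing` (next hunk) overwrites the setting for every other Transformer using the same manager. A transformer configured with secure processing off could then cause a reader for a secure transformer to be created without the feature. The `_secureProcessing` field added in XMLReaderManager is a plain boolean with no synchronization visible in this diff. Consider handing the flag to the manager per reader request rather than keeping it as manager state, or document why sharing is safe. The constructor body starts outside this hunk.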
@@ -286,6 +287,7 @@
*/
public void setSecureProcessing(boolean flag) {
_isSecureProcessing = flag;
+ _readerManager.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _isSecureProcessing);
}
/**
* Return the state of the services mechanism feature.
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java Wed Jul 05 19:03:53 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java Tue Jul 16 14:06:04 2013 -0700
@@ -105,6 +105,13 @@
if (reader == null) {
try {
reader= XMLReaderFactory.createXMLReader();
+ try {
+ reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+ xsltc.isSecureProcessing());
+ } catch (SAXNotRecognizedException e) {
+ System.err.println("Warning: " + reader.getClass().getName() + ": "
+ + e.getMessage());
+ }
} catch (Exception e ) {
try {
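Review bot: The new inner `catch (SAXNotRecognizedException e)` fails open: when `xsltc.isSecureProcessing()` is true and the reader does not recognize the feature, the code prints a warning to `System.err` and carries on with a reader that has no secure-processing limits. A `SAXNotSupportedException` from the same `setFeature` call is not caught here, so it falls through to the outer `catch (Exception e)` and into the fallback path, and the lines shown do not reveal whether that path applies the feature. Consider treating the failure as an error when the requested value is true, and warning only when it is false. The same pattern appears in the `XMLReaderManager` reader-creation hunk. The enclosing method and the outer try continue outside this hunk.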
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Wed Jul 05 19:03:53 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Tue Jul 16 14:06:04 2013 -0700
@@ -20,28 +20,27 @@
package com.sun.org.apache.xerces.internal.jaxp.validation;
-import java.lang.ref.SoftReference;
-import java.io.IOException;
-
-import javax.xml.transform.Result;
-import javax.xml.transform.Source;
-import javax.xml.transform.sax.SAXTransformerFactory;
-import javax.xml.transform.sax.TransformerHandler;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.transform.stream.StreamResult;
-import javax.xml.transform.TransformerConfigurationException;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.TransformerFactoryConfigurationError;
-import javax.xml.XMLConstants;
-
import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
import com.sun.org.apache.xerces.internal.parsers.XML11Configuration;
+import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
+import java.io.IOException;
+import java.lang.ref.SoftReference;
+import javax.xml.XMLConstants;
+import javax.xml.transform.Result;
+import javax.xml.transform.Source;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.sax.SAXTransformerFactory;
+import javax.xml.transform.sax.TransformerHandler;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
import org.xml.sax.SAXException;
/**
@@ -86,6 +85,11 @@
Constants.XERCES_PROPERTY_PREFIX + Constants.VALIDATION_MANAGER_PROPERTY;
private static final String DEFAULT_TRANSFORMER_IMPL = "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";
+
+ /** Property id: security manager. */
+ private static final String SECURITY_MANAGER =
+ Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
+
//
// Data
//
@@ -165,6 +169,9 @@
private XMLParserConfiguration initialize() {
XML11Configuration config = new XML11Configuration();
+ if (fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+ config.setProperty(SECURITY_MANAGER, new SecurityManager());
+ }
config.setProperty(ENTITY_RESOLVER, fComponentManager.getProperty(ENTITY_RESOLVER));
config.setProperty(ERROR_HANDLER, fComponentManager.getProperty(ERROR_HANDLER));
XMLErrorReporter errorReporter = (XMLErrorReporter) fComponentManager.getProperty(ERROR_REPORTER);
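Review bot: When the component manager reports secure processing as false, the new block in `initialize()` installs no `SecurityManager`, but `config` still carries its own default for the feature. The XML11Configuration constructor shown later in this diff sets `XMLConstants.FEATURE_SECURE_PROCESSING` to `Boolean.TRUE`, so the configuration's feature and its security-manager property can disagree. Any component that reads the feature instead of the property would then see the wrong state. Consider reading the value once and also passing it on with `config.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);`. `initialize()` continues past the end of this hunk.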
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Wed Jul 05 19:03:53 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Tue Jul 16 14:06:04 2013 -0700
@@ -674,6 +674,8 @@
SAXParserFactory.newInstance() : new SAXParserFactoryImpl();
spf.setNamespaceAware(true);
try {
+ spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+ fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
reader = spf.newSAXParser().getXMLReader();
// If this is a Xerces SAX parser, set the security manager if there is one
if (reader instanceof com.sun.org.apache.xerces.internal.parsers.SAXParser) {
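Review bot: Failure handling for the new `spf.setFeature(...)` call is not consistent with the Util and XMLReaderManager hunks, which catch `SAXNotRecognizedException` and continue with a warning. Here the call sits in front of `newSAXParser()` inside the existing `try`, so a factory that rejects the feature aborts reader creation, or is handled by whatever the catch outside this hunk does. Failing closed is the safer behaviour for a factory obtained through `SAXParserFactory.newInstance()`, but it should be stated, for example `// A factory that cannot honour secure processing must not be used; let the failure propagate.` The try body and its catch are outside the hunk, so confirm the catch does not swallow the exception.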
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java Wed Jul 05 19:03:53 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java Tue Jul 16 14:06:04 2013 -0700
@@ -20,16 +20,13 @@
package com.sun.org.apache.xerces.internal.parsers;
-import java.io.IOException;
-import java.util.Locale;
-
import com.sun.org.apache.xerces.internal.impl.Constants;
-import com.sun.org.apache.xerces.internal.util.Status;
-import com.sun.org.apache.xerces.internal.xs.PSVIProvider;
+import com.sun.org.apache.xerces.internal.util.EntityResolver2Wrapper;
import com.sun.org.apache.xerces.internal.util.EntityResolverWrapper;
-import com.sun.org.apache.xerces.internal.util.EntityResolver2Wrapper;
import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
+import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolHash;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
@@ -48,15 +45,17 @@
import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
import com.sun.org.apache.xerces.internal.xs.AttributePSVI;
import com.sun.org.apache.xerces.internal.xs.ElementPSVI;
+import com.sun.org.apache.xerces.internal.xs.PSVIProvider;
+import java.io.IOException;
+import java.util.Locale;
+import javax.xml.XMLConstants;
import org.xml.sax.AttributeList;
-import org.xml.sax.Attributes;
import org.xml.sax.ContentHandler;
import org.xml.sax.DTDHandler;
import org.xml.sax.DocumentHandler;
import org.xml.sax.EntityResolver;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
-import org.xml.sax.Locator;
import org.xml.sax.Parser;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
@@ -131,6 +130,10 @@
protected static final String DOM_NODE =
Constants.SAX_PROPERTY_PREFIX + Constants.DOM_NODE_PROPERTY;
+ /** Property id: security manager. */
+ private static final String SECURITY_MANAGER =
+ Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
+
/** Recognized properties. */
private static final String[] RECOGNIZED_PROPERTIES = {
LEXICAL_HANDLER,
@@ -1645,19 +1648,13 @@
// Drop through and perform default processing
//
}
-
- //
- // Xerces Features
- //
-
- /*
- else if (featureId.startsWith(XERCES_FEATURES_PREFIX)) {
- String feature = featureId.substring(XERCES_FEATURES_PREFIX.length());
- //
- // Drop through and perform default processing
- //
+ else if (featureId.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+ if (state) {
+ if (fConfiguration.getProperty(SECURITY_MANAGER )==null) {
+ fConfiguration.setProperty(SECURITY_MANAGER, new SecurityManager());
+ }
+ }
}
- */
//
// Default handling
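Review bot: The new `FEATURE_SECURE_PROCESSING` branch acts only when `state` is true, so turning the feature off leaves an already installed `SecurityManager` on `fConfiguration`. That is probably intended, since limits are never loosened through this path, but a reader of the code cannot tell. A caller who sets the feature to false will still get the manager's limits. Add a comment such as `// state == false deliberately leaves any existing SecurityManager in place`. The two nested `if`s can also be merged into `if (state && fConfiguration.getProperty(SECURITY_MANAGER) == null)`. The enclosing method starts and ends outside this hunk.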
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java Wed Jul 05 19:03:53 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java Tue Jul 16 14:06:04 2013 -0700
@@ -20,14 +20,6 @@
package com.sun.org.apache.xerces.internal.parsers;
-import java.io.File;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Locale;
-import java.util.Properties;
-import javax.xml.XMLConstants;
-
import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.impl.XML11DTDScannerImpl;
import com.sun.org.apache.xerces.internal.impl.XML11DocumentScannerImpl;
@@ -53,7 +45,6 @@
import com.sun.org.apache.xerces.internal.util.FeatureState;
import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
@@ -72,6 +63,11 @@
import com.sun.org.apache.xerces.internal.xni.parser.XMLErrorHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
import com.sun.org.apache.xerces.internal.xni.parser.XMLPullParserConfiguration;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Locale;
+import javax.xml.XMLConstants;
/**
* This class is the configuration used to parse XML 1.0 and XML 1.1 documents.
@@ -453,26 +449,26 @@
XMLGrammarPool grammarPool,
XMLComponentManager parentSettings) {
- super(parentSettings);
+ super(parentSettings);
- // create a vector to hold all the components in use
- // XML 1.0 specialized components
- fComponents = new ArrayList();
- // XML 1.1 specialized components
- fXML11Components = new ArrayList();
- // Common components for XML 1.1. and XML 1.0
- fCommonComponents = new ArrayList();
+ // create a vector to hold all the components in use
+ // XML 1.0 specialized components
+ fComponents = new ArrayList();
+ // XML 1.1 specialized components
+ fXML11Components = new ArrayList();
+ // Common components for XML 1.1. and XML 1.0
+ fCommonComponents = new ArrayList();
- // create table for features and properties
- fFeatures = new HashMap();
- fProperties = new HashMap();
+ // create table for features and properties
+ fFeatures = new HashMap();
+ fProperties = new HashMap();
// add default recognized features
final String[] recognizedFeatures =
{
CONTINUE_AFTER_FATAL_ERROR, LOAD_EXTERNAL_DTD, // from XMLDTDScannerImpl
- VALIDATION,
- NAMESPACES,
+ VALIDATION,
+ NAMESPACES,
NORMALIZE_DATA, SCHEMA_ELEMENT_DEFAULT, SCHEMA_AUGMENT_PSVI,
GENERATE_SYNTHETIC_ANNOTATIONS, VALIDATE_ANNOTATIONS,
HONOUR_ALL_SCHEMALOCATIONS, NAMESPACE_GROWTH,
@@ -483,47 +479,48 @@
// features might not have been set and it would cause a
// not-recognized exception to be thrown. -Ac
XMLSCHEMA_VALIDATION, XMLSCHEMA_FULL_CHECKING,
- EXTERNAL_GENERAL_ENTITIES,
- EXTERNAL_PARAMETER_ENTITIES,
- PARSER_SETTINGS,
- XMLConstants.FEATURE_SECURE_PROCESSING
+ EXTERNAL_GENERAL_ENTITIES,
+ EXTERNAL_PARAMETER_ENTITIES,
+ PARSER_SETTINGS,
+ XMLConstants.FEATURE_SECURE_PROCESSING
};
+
addRecognizedFeatures(recognizedFeatures);
- // set state for default features
- fFeatures.put(VALIDATION, Boolean.FALSE);
- fFeatures.put(NAMESPACES, Boolean.TRUE);
- fFeatures.put(EXTERNAL_GENERAL_ENTITIES, Boolean.TRUE);
- fFeatures.put(EXTERNAL_PARAMETER_ENTITIES, Boolean.TRUE);
- fFeatures.put(CONTINUE_AFTER_FATAL_ERROR, Boolean.FALSE);
- fFeatures.put(LOAD_EXTERNAL_DTD, Boolean.TRUE);
- fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE);
- fFeatures.put(NORMALIZE_DATA, Boolean.TRUE);
- fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE);
- fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE);
- fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE);
- fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE);
- fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE);
- fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE);
- fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE);
- fFeatures.put(PARSER_SETTINGS, Boolean.TRUE);
- fFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ // set state for default features
+ fFeatures.put(VALIDATION, Boolean.FALSE);
+ fFeatures.put(NAMESPACES, Boolean.TRUE);
+ fFeatures.put(EXTERNAL_GENERAL_ENTITIES, Boolean.TRUE);
+ fFeatures.put(EXTERNAL_PARAMETER_ENTITIES, Boolean.TRUE);
+ fFeatures.put(CONTINUE_AFTER_FATAL_ERROR, Boolean.FALSE);
+ fFeatures.put(LOAD_EXTERNAL_DTD, Boolean.TRUE);
+ fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE);
+ fFeatures.put(NORMALIZE_DATA, Boolean.TRUE);
+ fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE);
+ fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE);
+ fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE);
+ fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE);
+ fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE);
+ fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE);
+ fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE);
+ fFeatures.put(PARSER_SETTINGS, Boolean.TRUE);
+ fFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
// add default recognized properties
final String[] recognizedProperties =
{
- SYMBOL_TABLE,
- ERROR_HANDLER,
- ENTITY_RESOLVER,
+ SYMBOL_TABLE,
+ ERROR_HANDLER,
+ ENTITY_RESOLVER,
ERROR_REPORTER,
ENTITY_MANAGER,
DOCUMENT_SCANNER,
DTD_SCANNER,
DTD_PROCESSOR,
DTD_VALIDATOR,
- DATATYPE_VALIDATOR_FACTORY,
- VALIDATION_MANAGER,
- SCHEMA_VALIDATOR,
- XML_STRING,
+ DATATYPE_VALIDATOR_FACTORY,
+ VALIDATION_MANAGER,
+ SCHEMA_VALIDATOR,
+ XML_STRING,
XMLGRAMMAR_POOL,
JAXP_SCHEMA_SOURCE,
JAXP_SCHEMA_LANGUAGE,
@@ -540,15 +537,15 @@
};
addRecognizedProperties(recognizedProperties);
- if (symbolTable == null) {
- symbolTable = new SymbolTable();
- }
- fSymbolTable = symbolTable;
- fProperties.put(SYMBOL_TABLE, fSymbolTable);
+ if (symbolTable == null) {
+ symbolTable = new SymbolTable();
+ }
+ fSymbolTable = symbolTable;
+ fProperties.put(SYMBOL_TABLE, fSymbolTable);
fGrammarPool = grammarPool;
if (fGrammarPool != null) {
- fProperties.put(XMLGRAMMAR_POOL, fGrammarPool);
+ fProperties.put(XMLGRAMMAR_POOL, fGrammarPool);
}
fEntityManager = new XMLEntityManager();
--- a/jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java Wed Jul 05 19:03:53 2017 +0200
+++ b/jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java Tue Jul 16 14:06:04 2013 -0700
@@ -26,11 +26,13 @@
import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
import java.util.HashMap;
+
import javax.xml.XMLConstants;
import javax.xml.parsers.FactoryConfigurationError;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;
@@ -63,6 +65,8 @@
private HashMap m_inUse;
private boolean m_useServicesMechanism = true;
+
+ private boolean _secureProcessing;
/**
* protocols allowed for external DTD references in source file and/or stylesheet.
*/
@@ -118,7 +122,12 @@
// TransformerFactory creates a reader via the
// XMLReaderFactory if setXMLReader is not used
reader = XMLReaderFactory.createXMLReader();
-
+ try {
+ reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _secureProcessing);
+ } catch (SAXNotRecognizedException e) {
+ System.err.println("Warning: " + reader.getClass().getName() + ": "
+ + e.getMessage());
+ }
} catch (Exception e) {
try {
// If unable to create an instance, let's try to use
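Review bot: `_secureProcessing` is applied only at the point where a new reader is created with `XMLReaderFactory.createXMLReader()`. The `m_inUse` map suggests this manager hands out readers for reuse; if so, a reader created while the flag was false would be returned later without the feature after `setFeature(..., true)` has been called. Consider applying the feature to the reader on every hand-out, not only on creation, so that a cached reader reflects the current setting. The caching logic is outside this hunk, so this needs confirming against the full method.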
@@ -193,6 +202,15 @@
}
/**
+ * Set feature
+ */
+ public void setFeature(String name, boolean value) {
+ if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+ _secureProcessing = value;
+ }
+ }
+
+ /**
* Get property value
*/
public String getProperty(String name) {
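Review bot: `setFeature` silently ignores every feature name except `XMLConstants.FEATURE_SECURE_PROCESSING`, and the Javadoc `Set feature` does not say so. A caller passing any other feature gets no error and no effect, which can hide a misconfiguration. Expand the Javadoc to state that only secure processing is honoured, that other names are ignored, and that the value is applied to readers created afterwards. Writing the test as `XMLConstants.FEATURE_SECURE_PROCESSING.equals(name)` also avoids a `NullPointerException` on a null name.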