Merge
authorlana
Fri, 18 Jul 2014 08:25:22 -0700
changeset 25593 ba581cb2983f
parent 25589 8f7fca66dc12 (current diff)
parent 25592 208039591441 (diff)
child 25594 0cab903be9c5
Merge
--- a/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java	Fri Jul 18 08:25:22 2014 -0700
@@ -90,6 +90,13 @@
      */
     public static final String JDK_XML_NAME_LIMIT =
             ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit";
+
+    /**
+     * JDK maxElementDepth limit
+     */
+    public static final String JDK_MAX_ELEMENT_DEPTH =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxElementDepth";
+
     /**
      * JDK property indicating whether the parser shall print out entity
      * count information
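Review bot: The Javadoc added for `JDK_MAX_ELEMENT_DEPTH` reads only "JDK maxElementDepth limit", and the same text is reused for `SP_MAX_ELEMENT_DEPTH` in the next hunk and for both constants in xerces `Constants.java`, so a reader cannot tell the two names apart or what the limit bounds. Going by the `apiProperty`/`systemProperty` fields of the `Limit` enum, which receives them in that order, I would write `/** JAXP API property name for the maximum element nesting depth. */` here and `/** System property name for the maximum element nesting depth. */` on the `SP_` constant. It would also help to state what a value of 0 means, since 0 is what this commit passes for the new limit.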
@@ -138,6 +145,11 @@
      */
     public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit";
 
+    /**
+     * JDK maxElementDepth limit
+     */
+    public static final String SP_MAX_ELEMENT_DEPTH = "jdk.xml.maxElementDepth";
+
     //legacy System Properties
     public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit";
     public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
--- a/jaxp/src/com/sun/org/apache/xalan/internal/utils/ObjectFactory.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/utils/ObjectFactory.java	Fri Jul 18 08:25:22 2014 -0700
@@ -38,8 +38,8 @@
     //
     // Constants
     //
-     private static final String XALAN_INTERNAL = "com.sun.org.apache.xalan.internal";
-     private static final String XERCES_INTERNAL = "com.sun.org.apache.xerces.internal";
+     private static final String JAXP_INTERNAL = "com.sun.org.apache";
+     private static final String STAX_INTERNAL = "com.sun.xml.internal";
 
     /** Set to true for debugging */
     private static final boolean DEBUG = false;
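Review bot: `JAXP_INTERNAL = "com.sun.org.apache"` and `STAX_INTERNAL = "com.sun.xml.internal"` have no trailing dot, so the `className.startsWith(...)` tests in `findProviderClass` also match any package whose name merely begins with those characters (constructed example: `com.sun.org.apachex.Foo`). Such a name then takes the `cl = null` path instead of the `else` branch that handles package access, whose body is outside the hunks shown. The xerces `ObjectFactory` previously used `"com.sun.org.apache."` with the dot and loses it in this commit. Ending both constants with a dot, `"com.sun.org.apache."` and `"com.sun.xml.internal."`, in both `ObjectFactory` classes keeps the match on package boundaries.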
@@ -160,12 +160,8 @@
     public static Class<?> findProviderClass(String className, boolean doFallback)
         throws ClassNotFoundException, ConfigurationError
     {
-        if (System.getSecurityManager()!=null) {
-            return Class.forName(className);
-        } else {
-            return findProviderClass (className,
+        return findProviderClass (className,
                 findClassLoader (), doFallback);
-        }
     }
 
     /**
@@ -180,8 +176,8 @@
         SecurityManager security = System.getSecurityManager();
         try{
             if (security != null){
-                if (className.startsWith(XALAN_INTERNAL) ||
-                    className.startsWith(XERCES_INTERNAL)) {
+                if (className.startsWith(JAXP_INTERNAL) ||
+                    className.startsWith(STAX_INTERNAL)) {
                     cl = null;
                 } else {
                     final int lastDot = className.lastIndexOf(".");
@@ -196,16 +192,7 @@
 
         Class<?> providerClass;
         if (cl == null) {
-            // XXX Use the bootstrap ClassLoader.  There is no way to
-            // load a class using the bootstrap ClassLoader that works
-            // in both JDK 1.1 and Java 2.  However, this should still
-            // work b/c the following should be true:
-            //
-            // (cl == null) iff current ClassLoader == null
-            //
-            // Thus Class.forName(String) will use the current
-            // ClassLoader which will be the bootstrap ClassLoader.
-            providerClass = Class.forName(className);
+            providerClass = Class.forName(className, false, ObjectFactory.class.getClassLoader());
         } else {
             try {
                 providerClass = cl.loadClass(className);
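Review bot: The explanatory comment for the `cl == null` branch is deleted and nothing replaces it, although the call now behaves differently: it names a loader explicitly and passes `false` for initialization. A one-line comment such as `// internal implementation class: load with the loader that defined ObjectFactory, without initializing it` would record the intent. In the matching hunk of the xerces `ObjectFactory` the retained comment `//use the bootstrap ClassLoader.` is accurate only when `ObjectFactory` itself is loaded by the bootstrap loader, so I would reword it the same way. The enclosing method starts and ends outside this hunk.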
--- a/jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java	Fri Jul 18 08:25:22 2014 -0700
@@ -76,7 +76,9 @@
         GENERAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_GENERAL_ENTITY_SIZE_LIMIT,
                 XalanConstants.SP_GENERAL_ENTITY_SIZE_LIMIT, 0, 0),
         PARAMETER_ENTITY_SIZE_LIMIT(XalanConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT,
-                XalanConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
+                XalanConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000),
+        MAX_ELEMENT_DEPTH_LIMIT(XalanConstants.JDK_MAX_ELEMENT_DEPTH,
+                XalanConstants.SP_MAX_ELEMENT_DEPTH, 0, 0);
 
         final String apiProperty;
         final String systemProperty;
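Review bot: `MAX_ELEMENT_DEPTH_LIMIT` is declared with `0, 0`, whereas `PARAMETER_ENTITY_SIZE_LIMIT` just above carries `0, 1000000`. The constructor is outside the hunk, but if the last argument is the value applied under secure processing and 0 means "no limit", the new depth check never fires unless an application sets `maxElementDepth` itself, so deeply nested input stays unbounded by default. If that is intended, say so next to the entry, e.g. `// opt-in: no depth limit unless the property is set`; otherwise give the secure default a non-zero value. The same applies to the entry added to the xerces `XMLSecurityManager`.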
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java	Fri Jul 18 08:25:22 2014 -0700
@@ -251,6 +251,13 @@
      */
     public static final String JDK_XML_NAME_LIMIT =
             ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit";
+
+    /**
+     * JDK maxElementDepth limit
+     */
+    public static final String JDK_MAX_ELEMENT_DEPTH =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxElementDepth";
+
     /**
      * JDK property to allow printing out information from the limit analyzer
      */
@@ -296,6 +303,11 @@
      */
     public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit";
 
+    /**
+     * JDK maxElementDepth limit
+     */
+    public static final String SP_MAX_ELEMENT_DEPTH = "jdk.xml.maxElementDepth";
+
     //legacy System Properties
     public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit";
     public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Fri Jul 18 08:25:22 2014 -0700
@@ -1308,6 +1308,7 @@
 
         fAttributes.removeAllAttributes();
 
+        checkDepth(rawname);
         if(!seekCloseOfStartTag()){
             fReadingAttributes = true;
             fAttributeCacheUsedCount =0;
@@ -1912,6 +1913,21 @@
     // utility methods
 
     /**
+     * Check if the depth exceeds the maxElementDepth limit
+     * @param elementName name of the current element
+     */
+    void checkDepth(String elementName) {
+        fLimitAnalyzer.addValue(Limit.MAX_ELEMENT_DEPTH_LIMIT, elementName, fElementStack.fDepth);
+        if (fSecurityManager.isOverLimit(Limit.MAX_ELEMENT_DEPTH_LIMIT,fLimitAnalyzer)) {
+            fSecurityManager.debugPrint(fLimitAnalyzer);
+            reportFatalError("MaxElementDepthLimit", new Object[]{elementName,
+                fLimitAnalyzer.getTotalValue(Limit.MAX_ELEMENT_DEPTH_LIMIT),
+                fSecurityManager.getLimit(Limit.MAX_ELEMENT_DEPTH_LIMIT),
+                "maxElementDepth"});
+        }
+    }
+
+    /**
      * Calls document handler with a single character resulting from
      * built-in entity resolution.
      *
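Review bot: `checkDepth` dereferences `fLimitAnalyzer` and `fSecurityManager` unconditionally, and it is now called on the start-tag path here and in `XMLNSDocumentScannerImpl`. Whether either field can be null at that point is not visible in this diff; `XMLSchemaFactory.propagateFeatures` in the same commit does guard `fSecurityManager != null`. If a scanner can run before those fields are set, an early `if (fSecurityManager == null || fLimitAnalyzer == null) return;` would avoid a NullPointerException on the first element. The Javadoc could also say that exceeding the limit is reported through `reportFatalError` with the `MaxElementDepthLimit` message key.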
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java	Fri Jul 18 08:25:22 2014 -0700
@@ -219,6 +219,7 @@
         fCurrentElement = fElementQName;
 
         String rawname = fElementQName.rawname;
+        checkDepth(rawname);
         if (fBindNamespaces) {
             fNamespaceContext.pushContext();
             if (fScannerState == SCANNER_STATE_ROOT_ELEMENT) {
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Fri Jul 18 08:25:22 2014 -0700
@@ -299,4 +299,5 @@
         MaxEntitySizeLimit=JAXP00010003: The length of entity \"{0}\" is \"{1}\" that exceeds the \"{2}\" limit set by \"{3}\".
         TotalEntitySizeLimit=JAXP00010004: The accumulated size \"{0}\" of entities exceeded the \"{1}\" limit set by \"{2}\".
         MaxXMLNameLimit=JAXP00010005: The name \"{0}\" exceeded the \"{1}\" limit set by \"{2}\".
+        MaxElementDepthLimit=JAXP00010006: The element \"{0}\" has a depth of \"{1}\" that exceeds the limit \"{2}\" set by \"{3}\".
 
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Fri Jul 18 08:25:22 2014 -0700
@@ -452,7 +452,8 @@
     }
 
     private void propagateFeatures(AbstractXMLSchema schema) {
-        schema.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, fSecurityManager != null);
+        schema.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+                (fSecurityManager != null && fSecurityManager.isSecureProcessing()));
         schema.setFeature(Constants.ORACLE_FEATURE_SERVICE_MECHANISM, fUseServicesMechanism);
         String[] features = fXMLSchemaLoader.getRecognizedFeatures();
         for (int i = 0; i < features.length; ++i) {
--- a/jaxp/src/com/sun/org/apache/xerces/internal/utils/ObjectFactory.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/ObjectFactory.java	Fri Jul 18 08:25:22 2014 -0700
@@ -38,7 +38,8 @@
     //
     // Constants
     //
-    private static final String DEFAULT_INTERNAL_CLASSES = "com.sun.org.apache.";
+    private static final String JAXP_INTERNAL = "com.sun.org.apache";
+    private static final String STAX_INTERNAL = "com.sun.xml.internal";
 
     /** Set to true for debugging */
     private static final boolean DEBUG = isDebugEnabled();
@@ -174,12 +175,8 @@
     public static Class findProviderClass(String className, boolean doFallback)
         throws ClassNotFoundException, ConfigurationError
     {
-        if (System.getSecurityManager()!=null) {
-            return Class.forName(className);
-        } else {
-            return findProviderClass (className,
+        return findProviderClass (className,
                 findClassLoader (), doFallback);
-        }
     }
     /**
      * Find a Class using the specified ClassLoader
@@ -192,7 +189,8 @@
         //restrict the access to package as speicified in java.security policy
         SecurityManager security = System.getSecurityManager();
         if (security != null) {
-            if (className.startsWith(DEFAULT_INTERNAL_CLASSES)) {
+            if (className.startsWith(JAXP_INTERNAL) ||
+                    className.startsWith(STAX_INTERNAL)) {
                 cl = null;
             } else {
                 final int lastDot = className.lastIndexOf(".");
@@ -204,7 +202,7 @@
         Class providerClass;
         if (cl == null) {
             //use the bootstrap ClassLoader.
-            providerClass = Class.forName(className);
+            providerClass = Class.forName(className, false, ObjectFactory.class.getClassLoader());
         } else {
             try {
                 providerClass = cl.loadClass(className);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java	Fri Jul 18 08:25:22 2014 -0700
@@ -132,6 +132,10 @@
             totalValue[index] += value;
             return;
         }
+        if (index == Limit.MAX_ELEMENT_DEPTH_LIMIT.ordinal()) {
+            totalValue[index] = value;
+            return;
+        }
 
         Map<String, Integer> cache;
         if (caches[index] == null) {
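Review bot: The new branch stores `value` with `=` while the branch directly above accumulates with `+=`, and no comment says why. Presumably the depth is a current reading rather than a running sum, kept in `totalValue` because the xerces `XMLSecurityManager` hunk makes `isOverLimit` read this limit through `getTotalValue`. A comment such as `// depth is a current value, not a sum: overwrite so getTotalValue() returns the present depth` would make that explicit. The enclosing method starts and ends outside the hunk.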
--- a/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java	Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java	Fri Jul 18 08:25:22 2014 -0700
@@ -66,7 +66,8 @@
         ELEMENT_ATTRIBUTE_LIMIT(Constants.JDK_ELEMENT_ATTRIBUTE_LIMIT, Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
         TOTAL_ENTITY_SIZE_LIMIT(Constants.JDK_TOTAL_ENTITY_SIZE_LIMIT, Constants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
         GENERAL_ENTITY_SIZE_LIMIT(Constants.JDK_GENERAL_ENTITY_SIZE_LIMIT, Constants.SP_GENERAL_ENTITY_SIZE_LIMIT, 0, 0),
-        PARAMETER_ENTITY_SIZE_LIMIT(Constants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, Constants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
+        PARAMETER_ENTITY_SIZE_LIMIT(Constants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, Constants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000),
+        MAX_ELEMENT_DEPTH_LIMIT(Constants.JDK_MAX_ELEMENT_DEPTH, Constants.SP_MAX_ELEMENT_DEPTH, 0, 0);
 
         final String apiProperty;
         final String systemProperty;
@@ -429,9 +430,10 @@
             return false;
         }
 
-        if (index==Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() ||
-                index==Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
-                index==Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()) {
+        if (index == Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() ||
+                index == Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
+                index == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal() ||
+                index == Limit.MAX_ELEMENT_DEPTH_LIMIT.ordinal()) {
             return (limitAnalyzer.getTotalValue(index) > values[index]);
         } else {
             return (limitAnalyzer.getValue(index) > values[index]);