--- a/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java Fri Jul 18 08:25:22 2014 -0700
@@ -90,6 +90,13 @@
*/
public static final String JDK_XML_NAME_LIMIT =
ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit";
+
+ /**
+ * JDK maxElementDepth limit
+ */
+ public static final String JDK_MAX_ELEMENT_DEPTH =
+ ORACLE_JAXP_PROPERTY_PREFIX + "maxElementDepth";
+
/**
* JDK property indicating whether the parser shall print out entity
* count information
@@ -138,6 +145,11 @@
*/
public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit";
+ /**
+ * JDK maxElementDepth limit
+ */
+ public static final String SP_MAX_ELEMENT_DEPTH = "jdk.xml.maxElementDepth";
+
//legacy System Properties
public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit";
public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
--- a/jaxp/src/com/sun/org/apache/xalan/internal/utils/ObjectFactory.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/utils/ObjectFactory.java Fri Jul 18 08:25:22 2014 -0700
@@ -38,8 +38,8 @@
//
// Constants
//
- private static final String XALAN_INTERNAL = "com.sun.org.apache.xalan.internal";
- private static final String XERCES_INTERNAL = "com.sun.org.apache.xerces.internal";
+ private static final String JAXP_INTERNAL = "com.sun.org.apache";
+ private static final String STAX_INTERNAL = "com.sun.xml.internal";
/** Set to true for debugging */
private static final boolean DEBUG = false;
@@ -160,12 +160,8 @@
public static Class<?> findProviderClass(String className, boolean doFallback)
throws ClassNotFoundException, ConfigurationError
{
- if (System.getSecurityManager()!=null) {
- return Class.forName(className);
- } else {
- return findProviderClass (className,
+ return findProviderClass (className,
findClassLoader (), doFallback);
- }
}
/**
@@ -180,8 +176,8 @@
SecurityManager security = System.getSecurityManager();
try{
if (security != null){
- if (className.startsWith(XALAN_INTERNAL) ||
- className.startsWith(XERCES_INTERNAL)) {
+ if (className.startsWith(JAXP_INTERNAL) ||
+ className.startsWith(STAX_INTERNAL)) {
cl = null;
} else {
final int lastDot = className.lastIndexOf(".");
@@ -196,16 +192,7 @@
Class<?> providerClass;
if (cl == null) {
- // XXX Use the bootstrap ClassLoader. There is no way to
- // load a class using the bootstrap ClassLoader that works
- // in both JDK 1.1 and Java 2. However, this should still
- // work b/c the following should be true:
- //
- // (cl == null) iff current ClassLoader == null
- //
- // Thus Class.forName(String) will use the current
- // ClassLoader which will be the bootstrap ClassLoader.
- providerClass = Class.forName(className);
+ providerClass = Class.forName(className, false, ObjectFactory.class.getClassLoader());
} else {
try {
providerClass = cl.loadClass(className);
--- a/jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java Fri Jul 18 08:25:22 2014 -0700
@@ -76,7 +76,9 @@
GENERAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_GENERAL_ENTITY_SIZE_LIMIT,
XalanConstants.SP_GENERAL_ENTITY_SIZE_LIMIT, 0, 0),
PARAMETER_ENTITY_SIZE_LIMIT(XalanConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT,
- XalanConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
+ XalanConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000),
+ MAX_ELEMENT_DEPTH_LIMIT(XalanConstants.JDK_MAX_ELEMENT_DEPTH,
+ XalanConstants.SP_MAX_ELEMENT_DEPTH, 0, 0);
final String apiProperty;
final String systemProperty;
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java Fri Jul 18 08:25:22 2014 -0700
@@ -251,6 +251,13 @@
*/
public static final String JDK_XML_NAME_LIMIT =
ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit";
+
+ /**
+ * JDK maxElementDepth limit
+ */
+ public static final String JDK_MAX_ELEMENT_DEPTH =
+ ORACLE_JAXP_PROPERTY_PREFIX + "maxElementDepth";
+
/**
* JDK property to allow printing out information from the limit analyzer
*/
@@ -296,6 +303,11 @@
*/
public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit";
+ /**
+ * JDK maxElementDepth limit
+ */
+ public static final String SP_MAX_ELEMENT_DEPTH = "jdk.xml.maxElementDepth";
+
//legacy System Properties
public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit";
public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Fri Jul 18 08:25:22 2014 -0700
@@ -1308,6 +1308,7 @@
fAttributes.removeAllAttributes();
+ checkDepth(rawname);
if(!seekCloseOfStartTag()){
fReadingAttributes = true;
fAttributeCacheUsedCount =0;
@@ -1912,6 +1913,21 @@
// utility methods
/**
+ * Check if the depth exceeds the maxElementDepth limit
+ * @param elementName name of the current element
+ */
+ void checkDepth(String elementName) {
+ fLimitAnalyzer.addValue(Limit.MAX_ELEMENT_DEPTH_LIMIT, elementName, fElementStack.fDepth);
+ if (fSecurityManager.isOverLimit(Limit.MAX_ELEMENT_DEPTH_LIMIT,fLimitAnalyzer)) {
+ fSecurityManager.debugPrint(fLimitAnalyzer);
+ reportFatalError("MaxElementDepthLimit", new Object[]{elementName,
+ fLimitAnalyzer.getTotalValue(Limit.MAX_ELEMENT_DEPTH_LIMIT),
+ fSecurityManager.getLimit(Limit.MAX_ELEMENT_DEPTH_LIMIT),
+ "maxElementDepth"});
+ }
+ }
+
+ /**
* Calls document handler with a single character resulting from
* built-in entity resolution.
*
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java Fri Jul 18 08:25:22 2014 -0700
@@ -219,6 +219,7 @@
fCurrentElement = fElementQName;
String rawname = fElementQName.rawname;
+ checkDepth(rawname);
if (fBindNamespaces) {
fNamespaceContext.pushContext();
if (fScannerState == SCANNER_STATE_ROOT_ELEMENT) {
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties Fri Jul 18 08:25:22 2014 -0700
@@ -299,4 +299,5 @@
MaxEntitySizeLimit=JAXP00010003: The length of entity \"{0}\" is \"{1}\" that exceeds the \"{2}\" limit set by \"{3}\".
TotalEntitySizeLimit=JAXP00010004: The accumulated size \"{0}\" of entities exceeded the \"{1}\" limit set by \"{2}\".
MaxXMLNameLimit=JAXP00010005: The name \"{0}\" exceeded the \"{1}\" limit set by \"{2}\".
+ MaxElementDepthLimit=JAXP00010006: The element \"{0}\" has a depth of \"{1}\" that exceeds the limit \"{2}\" set by \"{3}\".
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Fri Jul 18 08:25:22 2014 -0700
@@ -452,7 +452,8 @@
}
private void propagateFeatures(AbstractXMLSchema schema) {
- schema.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, fSecurityManager != null);
+ schema.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+ (fSecurityManager != null && fSecurityManager.isSecureProcessing()));
schema.setFeature(Constants.ORACLE_FEATURE_SERVICE_MECHANISM, fUseServicesMechanism);
String[] features = fXMLSchemaLoader.getRecognizedFeatures();
for (int i = 0; i < features.length; ++i) {
--- a/jaxp/src/com/sun/org/apache/xerces/internal/utils/ObjectFactory.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/ObjectFactory.java Fri Jul 18 08:25:22 2014 -0700
@@ -38,7 +38,8 @@
//
// Constants
//
- private static final String DEFAULT_INTERNAL_CLASSES = "com.sun.org.apache.";
+ private static final String JAXP_INTERNAL = "com.sun.org.apache";
+ private static final String STAX_INTERNAL = "com.sun.xml.internal";
/** Set to true for debugging */
private static final boolean DEBUG = isDebugEnabled();
@@ -174,12 +175,8 @@
public static Class findProviderClass(String className, boolean doFallback)
throws ClassNotFoundException, ConfigurationError
{
- if (System.getSecurityManager()!=null) {
- return Class.forName(className);
- } else {
- return findProviderClass (className,
+ return findProviderClass (className,
findClassLoader (), doFallback);
- }
}
/**
* Find a Class using the specified ClassLoader
@@ -192,7 +189,8 @@
//restrict the access to package as speicified in java.security policy
SecurityManager security = System.getSecurityManager();
if (security != null) {
- if (className.startsWith(DEFAULT_INTERNAL_CLASSES)) {
+ if (className.startsWith(JAXP_INTERNAL) ||
+ className.startsWith(STAX_INTERNAL)) {
cl = null;
} else {
final int lastDot = className.lastIndexOf(".");
@@ -204,7 +202,7 @@
Class providerClass;
if (cl == null) {
//use the bootstrap ClassLoader.
- providerClass = Class.forName(className);
+ providerClass = Class.forName(className, false, ObjectFactory.class.getClassLoader());
} else {
try {
providerClass = cl.loadClass(className);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java Fri Jul 18 08:25:22 2014 -0700
@@ -132,6 +132,10 @@
totalValue[index] += value;
return;
}
+ if (index == Limit.MAX_ELEMENT_DEPTH_LIMIT.ordinal()) {
+ totalValue[index] = value;
+ return;
+ }
Map<String, Integer> cache;
if (caches[index] == null) {
--- a/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java Thu Jul 17 09:50:28 2014 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java Fri Jul 18 08:25:22 2014 -0700
@@ -66,7 +66,8 @@
ELEMENT_ATTRIBUTE_LIMIT(Constants.JDK_ELEMENT_ATTRIBUTE_LIMIT, Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
TOTAL_ENTITY_SIZE_LIMIT(Constants.JDK_TOTAL_ENTITY_SIZE_LIMIT, Constants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
GENERAL_ENTITY_SIZE_LIMIT(Constants.JDK_GENERAL_ENTITY_SIZE_LIMIT, Constants.SP_GENERAL_ENTITY_SIZE_LIMIT, 0, 0),
- PARAMETER_ENTITY_SIZE_LIMIT(Constants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, Constants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
+ PARAMETER_ENTITY_SIZE_LIMIT(Constants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, Constants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000),
+ MAX_ELEMENT_DEPTH_LIMIT(Constants.JDK_MAX_ELEMENT_DEPTH, Constants.SP_MAX_ELEMENT_DEPTH, 0, 0);
final String apiProperty;
final String systemProperty;
@@ -429,9 +430,10 @@
return false;
}
- if (index==Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() ||
- index==Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
- index==Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()) {
+ if (index == Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() ||
+ index == Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
+ index == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal() ||
+ index == Limit.MAX_ELEMENT_DEPTH_LIMIT.ordinal()) {
return (limitAnalyzer.getTotalValue(index) > values[index]);
} else {
return (limitAnalyzer.getValue(index) > values[index]);