jaxp Udiff src/com/sun/org/apache/xerces/internal/impl/Constants.java

src/com/sun/org/apache/xerces/internal/impl/Constants.java

@@ -18,10 +18,11 @@
  * limitations under the License.
  */
 
 package com.sun.org.apache.xerces.internal.impl;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Enumeration;
 import java.util.NoSuchElementException;
 
 /**
  * Commonly used constants.

@@ -136,10 +137,25 @@
     /** XML string property ("xml-string"). */
     public static final String XML_STRING_PROPERTY = "xml-string";
 
     public static final String FEATURE_SECURE_PROCESSING = "http://javax.xml.XMLConstants/feature/secure-processing";
 
+    // Oracle Feature:
+    /**
+     * <p>Use Service Mechanism</p>
+     *
+     * <ul>
+     *   <li>
+     * {@code true} instruct an object to use service mechanism to
+     * find a service implementation. This is the default behavior. 
+     *   </li>
+     *   <li>
+     * {@code false} instruct an object to skip service mechanism and
+     * use the default implementation for that service. 
+     *   </li>
+     * </ul>
+     */
     public static final String ORACLE_FEATURE_SERVICE_MECHANISM = "http://www.oracle.com/feature/use-service-mechanism";
 
     /** Document XML version property ("document-xml-version"). */
     public static final String DOCUMENT_XML_VERSION_PROPERTY = "document-xml-version";

@@ -158,10 +174,38 @@
     /** JAXP schemaSource language: when used internally may include DTD namespace (DOM) */
     public static final String SCHEMA_LANGUAGE = "schemaLanguage";
 
     public static final String SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
 
+    /** JAXP Standard property prefix ("http://javax.xml.XMLConstants/property/"). */
+    public static final String JAXPAPI_PROPERTY_PREFIX =
+        "http://javax.xml.XMLConstants/property/";
+
+    /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */
+    public static final String ORACLE_JAXP_PROPERTY_PREFIX =
+        "http://www.oracle.com/xml/jaxp/properties/";
+
+    //System Properties corresponding to ACCESS_EXTERNAL_* properties
+    public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
+    public static final String SP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema";
+    //all access keyword
+    public static final String ACCESS_EXTERNAL_ALL = "all";  
+
+    /**
+     * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true 
+     */
+    public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";    
+    /**
+     * JDK version by which the default is to restrict external connection
+     */
+    public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8; 
+        
+    /**
+     * FEATURE_SECURE_PROCESSING (FSP) is true by default
+     */
+    public static final String EXTERNAL_ACCESS_DEFAULT = getExternalAccessDefault(true);
+
     //
     // DOM features
     //
 
     /** Comments feature ("include-comments"). */

@@ -651,10 +695,63 @@
     public static Enumeration getXercesProperties() {
         return fgXercesProperties.length > 0
         ? new ArrayEnumeration(fgXercesProperties) : fgEmptyEnumeration;
     } // getXercesProperties():Enumeration
 
+    /**
+     * Determine the default value of the external access properties
+     * 
+     * jaxp 1.5 does not require implementations to restrict by default
+     * 
+     * For JDK8:
+     * The default value is 'file' (including jar:file); The keyword "all" grants permission
+     * to all protocols. When {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is on,
+     * the default value is an empty string indicating no access is allowed.    
+     * 
+     * For JDK7:
+     * The default value is 'all' granting permission to all protocols. If by default, 
+     * {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is true, it should
+     * not change the default value. However, if {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING}
+     * is set explicitly, the values of the properties shall be set to an empty string 
+     * indicating no access is allowed.    
+     * 
+     * @param isSecureProcessing indicating if Secure Processing is set
+     * @return default value
+     */
+    public static String getExternalAccessDefault(boolean isSecureProcessing) {
+        String defaultValue = "all";
+        if (isJDKandAbove(RESTRICT_BY_DEFAULT_JDK_VERSION)) {
+            defaultValue = "file";
+            if (isSecureProcessing) {
+                defaultValue = EXTERNAL_ACCESS_DEFAULT_FSP;
+            }
+        }
+        return defaultValue;
+    }
+    
+    /*
+     * Check the version of the current JDK against that specified in the
+     * parameter
+     * 
+     * There is a proposal to change the java version string to:
+     * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
+     * This method would work with both the current format and that proposed
+     * 
+     * @param compareTo a JDK version to be compared to
+     * @return true if the current version is the same or above that represented
+     * by the parameter
+     */
+    public static boolean isJDKandAbove(int compareTo) {
+        String javaVersion = SecuritySupport.getSystemProperty("java.version");
+        String versions[] = javaVersion.split("\\.", 3);
+        if (Integer.parseInt(versions[0]) >= compareTo ||
+            Integer.parseInt(versions[1]) >= compareTo) {
+            return true;
+        }
+        return false;
+    } 
+
     //
     // Classes
     //
 
     /**