--- old/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Wed May 8 13:35:35 2013 +++ new/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Wed May 8 13:35:35 2013 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2006, 2013 Oracle and/or its affiliates. All rights reserved. */ /* @@ -20,53 +20,39 @@ package com.sun.org.apache.xerces.internal.impl ; +import com.sun.org.apache.xerces.internal.impl.Constants; +import com.sun.org.apache.xerces.internal.impl.io.ASCIIReader; +import com.sun.org.apache.xerces.internal.impl.io.UCSReader; +import com.sun.org.apache.xerces.internal.impl.io.UTF8Reader; +import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter; +import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler; +import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager; +import com.sun.org.apache.xerces.internal.util.*; +import com.sun.org.apache.xerces.internal.util.SecurityManager; +import com.sun.org.apache.xerces.internal.util.URI; +import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.xni.Augmentations; +import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier; +import com.sun.org.apache.xerces.internal.xni.XNIException; +import com.sun.org.apache.xerces.internal.xni.parser.*; +import com.sun.xml.internal.stream.Entity; import com.sun.xml.internal.stream.StaxEntityResolverWrapper; import com.sun.xml.internal.stream.StaxXMLInputSource; import com.sun.xml.internal.stream.XMLEntityStorage; import java.io.*; -import java.io.BufferedReader; -import java.util.*; - -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.io.Reader; -import java.io.StringReader; import java.lang.reflect.Method; import java.net.HttpURLConnection; +import java.net.URISyntaxException; import java.net.URL; import java.net.URLConnection; -import java.net.URISyntaxException; import java.util.Hashtable; import java.util.Iterator; import java.util.Locale; import java.util.Map; import java.util.Stack; +import javax.xml.XMLConstants; -import com.sun.org.apache.xerces.internal.impl.io.*; -import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter; -import com.sun.org.apache.xerces.internal.util.*; -import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier; -import com.sun.org.apache.xerces.internal.xni.XNIException; -import com.sun.org.apache.xerces.internal.xni.parser.*; -import com.sun.org.apache.xerces.internal.impl.Constants; -import com.sun.org.apache.xerces.internal.utils.SecuritySupport; -import com.sun.xml.internal.stream.Entity; -import com.sun.org.apache.xerces.internal.xni.Augmentations; - -import com.sun.org.apache.xerces.internal.impl.io.UTF8Reader; -import com.sun.org.apache.xerces.internal.impl.io.ASCIIReader; -import com.sun.org.apache.xerces.internal.impl.io.UCSReader; -import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler; -import com.sun.org.apache.xerces.internal.util.HTTPInputSource; -import com.sun.org.apache.xerces.internal.xinclude.XIncludeHandler; - -import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager; -import com.sun.org.apache.xerces.internal.util.SecurityManager; -import com.sun.org.apache.xerces.internal.util.URI; - - /** * Will keep track of current entity. * @@ -140,6 +126,10 @@ protected static final String WARN_ON_DUPLICATE_ENTITYDEF = Constants.XERCES_FEATURE_PREFIX +Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE; + /** Feature identifier: load external DTD. */ + protected static final String LOAD_EXTERNAL_DTD = + Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE; + // property identifiers /** Property identifier: symbol table. */ @@ -173,8 +163,16 @@ protected static final String SECURITY_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; -protected static final String PARSER_SETTINGS = + protected static final String PARSER_SETTINGS = Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS; + + /** property identifier: access external dtd. */ + protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + + /** access external dtd: file protocol */ + static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT; + + // recognized features and properties /** Recognized features. */ @@ -205,7 +203,7 @@ VALIDATION_MANAGER, BUFFER_SIZE, SECURITY_MANAGER, - + ACCESS_EXTERNAL_DTD }; /** Property defaults. */ @@ -215,7 +213,8 @@ null, null, new Integer(DEFAULT_BUFFER_SIZE), - null + null, + EXTERNAL_ACCESS_DEFAULT }; private static final String XMLEntity = "[xml]".intern(); @@ -274,6 +273,8 @@ */ protected boolean fAllowJavaEncodings = true ; + /** Load external DTD. */ + protected boolean fLoadExternalDTD = true; // properties @@ -302,7 +303,8 @@ /** Property Manager. This is used from Stax */ protected PropertyManager fPropertyManager ; - + /** used to restrict external access */ + protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT; // settings /** @@ -366,6 +368,9 @@ /** Current entity. */ protected Entity.ScannedEntity fCurrentEntity = null; + /** identify if the InputSource is created by a resolver */ + boolean fISCreatedByResolver = false; + // shared context protected XMLEntityStorage fEntityStorage ; @@ -965,18 +970,25 @@ System.out.println("BEFORE Calling resolveEntity") ; } + fISCreatedByResolver = false; //either of Stax or Xerces would be null if(fStaxEntityResolver != null){ staxInputSource = fStaxEntityResolver.resolveEntity(ri); + if(staxInputSource != null) { + fISCreatedByResolver = true; + } } if(fEntityResolver != null){ xmlInputSource = fEntityResolver.resolveEntity(ri); + if(xmlInputSource != null) { + fISCreatedByResolver = true; + } } if(xmlInputSource != null){ //wrap this XMLInputSource to StaxInputSource - staxInputSource = new StaxXMLInputSource(xmlInputSource); + staxInputSource = new StaxXMLInputSource(xmlInputSource, fISCreatedByResolver); } // do default resolution @@ -1108,7 +1120,13 @@ // should we skip external entities? boolean external = entity.isExternal(); + Entity.ExternalEntity externalEntity = null; + String extLitSysId = null, extBaseSysId = null, expandedSystemId = null; if (external) { + externalEntity = (Entity.ExternalEntity)entity; + extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null); + extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null); + expandedSystemId = expandSystemId(extLitSysId, extBaseSysId); boolean unparsed = entity.isUnparsed(); boolean parameter = entityName.startsWith("%"); boolean general = !parameter; @@ -1118,13 +1136,6 @@ if (fEntityHandler != null) { fResourceIdentifier.clear(); final String encoding = null; - Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity; - //REVISIT: since we're storing expandedSystemId in the - // externalEntity, how could this have got here if it wasn't already - // expanded??? - neilg - String extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null); - String extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null); - String expandedSystemId = expandSystemId(extLitSysId, extBaseSysId); fResourceIdentifier.setValues( (externalEntity.entityLocation != null ? externalEntity.entityLocation.getPublicId() : null), extLitSysId, extBaseSysId, expandedSystemId); @@ -1162,11 +1173,6 @@ fResourceIdentifier.clear(); final String encoding = null; if (external) { - Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity; - // REVISIT: for the same reason above... - String extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null); - String extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null); - String expandedSystemId = expandSystemId(extLitSysId, extBaseSysId); fResourceIdentifier.setValues( (externalEntity.entityLocation != null ? externalEntity.entityLocation.getPublicId() : null), extLitSysId, extBaseSysId, expandedSystemId); @@ -1188,7 +1194,6 @@ XMLInputSource xmlInputSource = null ; if (external) { - Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity; staxInputSource = resolveEntityAsPerStax(externalEntity.entityLocation); /** xxx: Waiting from the EG * //simply return if there was entity resolver registered and application @@ -1196,6 +1201,18 @@ * if(staxInputSource.hasXMLStreamOrXMLEventReader()) return ; */ xmlInputSource = staxInputSource.getXMLInputSource() ; + if (!fISCreatedByResolver) { + //let the not-LoadExternalDTD or not-SupportDTD process to handle the situation + if (fLoadExternalDTD) { + String accessError = SecuritySupport.checkAccess(expandedSystemId, fAccessExternalDTD, Constants.ACCESS_EXTERNAL_ALL); + if (accessError != null) { + fErrorReporter.reportError(this.getEntityScanner(),XMLMessageFormatter.XML_DOMAIN, + "AccessExternalEntity", + new Object[] { SecuritySupport.sanitizePath(expandedSystemId), accessError }, + XMLErrorReporter.SEVERITY_FATAL_ERROR); + } + } + } } // wrap internal entity else { @@ -1400,6 +1417,12 @@ fStaxEntityResolver = null; } + // Zephyr feature ignore-external-dtd is the opposite of Xerces' load-external-dtd + fLoadExternalDTD = !((Boolean)propertyManager.getProperty(Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD)).booleanValue(); + + // JAXP 1.5 feature + fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD); + // initialize state //fStandalone = false; fEntities.clear(); @@ -1409,8 +1432,6 @@ fExternalGeneralEntities = true; fExternalParameterEntities = true; fAllowJavaEncodings = true ; - - //test(); } /** @@ -1453,6 +1474,7 @@ fAllowJavaEncodings = componentManager.getFeature(ALLOW_JAVA_ENCODINGS, false); fWarnDuplicateEntityDef = componentManager.getFeature(WARN_ON_DUPLICATE_ENTITYDEF, false); fStrictURI = componentManager.getFeature(STANDARD_URI_CONFORMANT, false); + fLoadExternalDTD = componentManager.getFeature(LOAD_EXTERNAL_DTD, true); // xerces properties fSymbolTable = (SymbolTable)componentManager.getProperty(SYMBOL_TABLE); @@ -1462,6 +1484,9 @@ fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null); fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null); + // JAXP 1.5 feature + fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT); + //reset general state reset(); @@ -1554,6 +1579,11 @@ featureId.endsWith(Constants.ALLOW_JAVA_ENCODINGS_FEATURE)) { fAllowJavaEncodings = state; } + if (suffixLength == Constants.LOAD_EXTERNAL_DTD_FEATURE.length() && + featureId.endsWith(Constants.LOAD_EXTERNAL_DTD_FEATURE)) { + fLoadExternalDTD = state; + return; + } } } // setFeature(String,boolean) @@ -1610,7 +1640,15 @@ } } + //JAXP 1.5 properties + if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) { + if (propertyId.equals(ACCESS_EXTERNAL_DTD)) + { + fAccessExternalDTD = (String)value; + } + } } + /** * Returns a list of property identifiers that are recognized by * this component. This method may return null if no properties