--- old/src/com/sun/org/apache/xalan/internal/XalanConstants.java Mon Jul 8 17:47:51 2013 +++ new/src/com/sun/org/apache/xalan/internal/XalanConstants.java Mon Jul 8 17:47:49 2013 @@ -73,13 +73,39 @@ * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true */ public static final String EXTERNAL_ACCESS_DEFAULT_FSP = ""; + /** - * JDK version by which the default is to restrict external connection - */ - public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8; - /** * FEATURE_SECURE_PROCESSING (FSP) is false by default */ public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL; + public static final String XML_SECURITY_PROPERTY_MANAGER = + ORACLE_JAXP_PROPERTY_PREFIX + "xmlSecurityPropertyManager"; + + /** + * Check if we're in jdk8 or above + */ + public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8); + + /* + * Check the version of the current JDK against that specified in the + * parameter + * + * There is a proposal to change the java version string to: + * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL + * This method would work with both the current format and that proposed + * + * @param compareTo a JDK version to be compared to + * @return true if the current version is the same or above that represented + * by the parameter + */ + public static boolean isJavaVersionAtLeast(int compareTo) { + String javaVersion = SecuritySupport.getSystemProperty("java.version"); + String versions[] = javaVersion.split("\\.", 3); + if (Integer.parseInt(versions[0]) >= compareTo || + Integer.parseInt(versions[1]) >= compareTo) { + return true; + } + return false; + } } // class Constants --- old/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java Mon Jul 8 17:48:01 2013 +++ new/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java Mon Jul 8 17:47:59 2013 
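Review bot: `isJavaVersionAtLeast` in XalanConstants.java can throw while the class is being initialised, because `IS_JDK8_OR_ABOVE` is computed from it at class-initialisation time. The method feeds the raw pieces of `java.version` to `Integer.parseInt` without handling a null property, a non-numeric component such as a suffix directly after the major number, or a string with no dot whose first number is below `compareTo` (where `versions[1]` does not exist). This flag decides whether FEATURE_SECURE_PROCESSING restricts external access, so a parse failure should resolve to the restrictive answer rather than an initialisation error. The identical method added to xerces/internal/impl/Constants.java in a later hunk needs the same change. The header comment also opens with `/*`, so its `@param` and `@return` tags are not picked up as Javadoc.

```java
public static boolean isJavaVersionAtLeast(int compareTo) {
    String javaVersion = SecuritySupport.getSystemProperty("java.version");
    if (javaVersion == null) {
        return true; // unknown runtime: keep the restrictive behaviour
    }
    String versions[] = javaVersion.split("[.\\-_+]", 3);
    try {
        if (Integer.parseInt(versions[0]) >= compareTo) {
            return true;
        }
        return versions.length > 1 && Integer.parseInt(versions[1]) >= compareTo;
    } catch (NumberFormatException e) {
        return true; // unparsable version: keep the restrictive behaviour
    }
}
```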
@@ -229,7 +229,8 @@ * @return the name of the protocol if rejected, null otherwise */ public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException { - if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) { + if (systemId == null || (allowedProtocols != null && + allowedProtocols.equalsIgnoreCase(accessAny))) { return null; } @@ -262,6 +263,9 @@ * @return true if the protocol is in the list */ private static boolean isProtocolAllowed(String protocol, String allowedProtocols) { + if (allowedProtocols == null) { + return false; + } String temp[] = allowedProtocols.split(","); for (String t : temp) { t = t.trim(); @@ -273,18 +277,16 @@ } /** - * Read from $java.home/lib/jaxp.properties for the specified property + * Read JAXP system property in this order: system property, + * $java.home/lib/jaxp.properties if the system property is not specified * * @param propertyId the Id of the property * @return the value of the property */ - public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) { - String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId); + public static String getJAXPSystemProperty(String sysPropertyId) { + String accessExternal = getSystemProperty(sysPropertyId); if (accessExternal == null) { accessExternal = readJAXPProperty(sysPropertyId); - if (accessExternal == null) { - accessExternal = defaultVal; - } } return accessExternal; } --- old/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Mon Jul 8 17:48:08 2013 +++ new/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Mon Jul 8 17:48:07 2013 
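Review bot: The Javadoc on the renamed `getJAXPSystemProperty` (third hunk of SecuritySupport.java) no longer matches the method: it still documents `@param propertyId` although the parameter is `sysPropertyId`, and it does not say that the method now returns null when neither the system property nor jaxp.properties supplies a value. Since the `defaultVal` fallback was removed, every caller has to handle that null, so it should be stated, e.g. `@param sysPropertyId the name of the system property` and `@return the value of the property, or null if it is not set in either place`. The local name `accessExternal` is also stale for a general-purpose getter.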
@@ -27,6 +27,9 @@ import com.sun.org.apache.xalan.internal.utils.FactoryImpl; import com.sun.org.apache.xalan.internal.utils.ObjectFactory; import com.sun.org.apache.xalan.internal.utils.SecuritySupport; +import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager; +import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property; +import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.State; import com.sun.org.apache.xalan.internal.xsltc.compiler.Constants; import com.sun.org.apache.xalan.internal.xsltc.compiler.SourceLoader; import com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC; @@ -215,12 +218,14 @@ * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element. */ private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT; + /** * protocols allowed for external DTD references in source file and/or stylesheet. */ private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT; - + private XMLSecurityPropertyManager _xmlSecurityPropertyMgr; + /** * javax.xml.transform.sax.TransformerFactory implementation. */ @@ -235,15 +240,16 @@ private TransformerFactoryImpl(boolean useServicesMechanism) { this._useServicesMechanism = useServicesMechanism; - String defaultAccess = XalanConstants.EXTERNAL_ACCESS_DEFAULT; if (System.getSecurityManager() != null) { _isSecureMode = true; _isNotSecureProcessing = false; } - _accessExternalStylesheet = SecuritySupport.getDefaultAccessProperty( - XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess); - _accessExternalDTD = SecuritySupport.getDefaultAccessProperty( - XalanConstants.SP_ACCESS_EXTERNAL_DTD, defaultAccess); + + _xmlSecurityPropertyMgr = new XMLSecurityPropertyManager(); + _accessExternalDTD = _xmlSecurityPropertyMgr.getValue( + Property.ACCESS_EXTERNAL_DTD); + _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue( + Property.ACCESS_EXTERNAL_STYLESHEET); } /** 
@@ -306,12 +312,11 @@ else return Boolean.FALSE; } - else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) { - return _accessExternalStylesheet; + + int index = _xmlSecurityPropertyMgr.getIndex(name); + if (index > -1) { + return _xmlSecurityPropertyMgr.getValueByIndex(index); } - else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) { - return _accessExternalDTD; - } // Throw an exception for all other attributes ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_INVALID_ATTR_ERR, name); @@ -413,14 +418,17 @@ return; } } - else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) { - _accessExternalStylesheet = (String)value; + + int index = _xmlSecurityPropertyMgr.getIndex(name); + if (index > -1) { + _xmlSecurityPropertyMgr.setValue(index, + State.APIPROPERTY, (String)value); + _accessExternalDTD = _xmlSecurityPropertyMgr.getValue( + Property.ACCESS_EXTERNAL_DTD); + _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue( + Property.ACCESS_EXTERNAL_STYLESHEET); return; } - else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) { - _accessExternalDTD = (String)value; - return; - } // Throw an exception for all other attributes final ErrorMsg err 
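Review bot: In the `setAttribute` hunk of TransformerFactoryImpl the value is cast with `(String)value` before it reaches `_xmlSecurityPropertyMgr.setValue`, so a caller that passes a non-String for an access property gets a ClassCastException instead of the invalid-attribute exception raised further down. Checking the type in the guard, `if (index > -1 && value instanceof String) {`, lets a wrong type fall through to that existing error path. The same unchecked cast is added in `PropertyManager.setProperty` and in the attribute loop of DocumentBuilderImpl. The enclosing method starts and ends outside the hunk.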
@@ -466,11 +474,18 @@ } _isNotSecureProcessing = !value; - // set restriction, allowing no access to external stylesheet - if (value) { - _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP; - _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP; + // set external access restriction when FSP is explicitly set + if (value && XalanConstants.IS_JDK8_OR_ABOVE) { + _xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD, + State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP); + _xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_STYLESHEET, + State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP); + _accessExternalDTD = _xmlSecurityPropertyMgr.getValue( + Property.ACCESS_EXTERNAL_DTD); + _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue( + Property.ACCESS_EXTERNAL_STYLESHEET); } + return; } else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) { --- old/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java Mon Jul 8 17:48:18 2013 +++ new/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java Mon Jul 8 17:48:14 2013 @@ -33,7 +33,7 @@ import com.sun.org.apache.xerces.internal.util.PropertyState; import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.utils.ObjectFactory; -import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler; import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler; import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler; 
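Review bot: The comment on the new FSP block in `setFeature` does not mention the `XalanConstants.IS_JDK8_OR_ABOVE` gate, although with it an explicit `setFeature(FEATURE_SECURE_PROCESSING, true)` no longer restricts external DTD or stylesheet access on earlier runtimes, which the removed lines did unconditionally. That is a security-relevant behaviour difference a maintainer should not have to infer, so the comment should say it, e.g. `// FSP restricts external access only on JDK 8 and above; on earlier releases the access properties keep their current values`. The same gate appears in the DocumentBuilderImpl constructor hunk, where the block comment should carry the same statement.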
@@ -156,14 +156,10 @@ protected static final String SCHEMA_DV_FACTORY = Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY; - /** Property identifier: access to external dtd */ - protected static final String ACCESS_EXTERNAL_DTD = - XMLConstants.ACCESS_EXTERNAL_DTD; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; - /** Property identifier: access to external schema */ - protected static final String ACCESS_EXTERNAL_SCHEMA = - XMLConstants.ACCESS_EXTERNAL_SCHEMA; - // // Data // @@ -283,8 +279,7 @@ JAXP_SCHEMA_LANGUAGE, DTD_VALIDATOR_FACTORY_PROPERTY, SCHEMA_DV_FACTORY, - ACCESS_EXTERNAL_DTD, - ACCESS_EXTERNAL_SCHEMA + XML_SECURITY_PROPERTY_MANAGER }; addRecognizedProperties(recognizedProperties); @@ -318,15 +313,9 @@ fValidationManager = createValidationManager(); setProperty(VALIDATION_MANAGER, fValidationManager); - //For DOM, the secure feature is set to true by default - String accessExternal = SecuritySupport.getDefaultAccessProperty( - Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT); - setProperty(ACCESS_EXTERNAL_DTD, accessExternal); + setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, + new XMLSecurityPropertyManager()); - accessExternal = SecuritySupport.getDefaultAccessProperty( - Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT); - setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal); - // add message formatters if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) { XMLMessageFormatter xmft = new XMLMessageFormatter(); --- old/src/com/sun/org/apache/xerces/internal/impl/Constants.java Mon Jul 8 17:48:23 2013 +++ new/src/com/sun/org/apache/xerces/internal/impl/Constants.java Mon Jul 8 17:48:22 2013 
@@ -184,6 +184,9 @@ public static final String ORACLE_JAXP_PROPERTY_PREFIX = "http://www.oracle.com/xml/jaxp/properties/"; + public static final String XML_SECURITY_PROPERTY_MANAGER = + ORACLE_JAXP_PROPERTY_PREFIX + "xmlSecurityPropertyManager"; + //System Properties corresponding to ACCESS_EXTERNAL_* properties public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD"; public static final String SP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema"; @@ -194,15 +197,16 @@ * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true */ public static final String EXTERNAL_ACCESS_DEFAULT_FSP = ""; - /** - * JDK version by which the default is to restrict external connection - */ - public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8; /** * FEATURE_SECURE_PROCESSING (FSP) is true by default */ public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL; + + /** + * Check if we're in jdk8 or above + */ + public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8); // // DOM features 
@@ -697,6 +701,27 @@ ? new ArrayEnumeration(fgXercesProperties) : fgEmptyEnumeration; } // getXercesProperties():Enumeration + /* + * Check the version of the current JDK against that specified in the + * parameter + * + * There is a proposal to change the java version string to: + * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL + * This method would work with both the current format and that proposed + * + * @param compareTo a JDK version to be compared to + * @return true if the current version is the same or above that represented + * by the parameter + */ + public static boolean isJavaVersionAtLeast(int compareTo) { + String javaVersion = SecuritySupport.getSystemProperty("java.version"); + String versions[] = javaVersion.split("\\.", 3); + if (Integer.parseInt(versions[0]) >= compareTo || + Integer.parseInt(versions[1]) >= compareTo) { + return true; + } + return false; + } // // Classes --- old/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java Mon Jul 8 17:48:32 2013 +++ new/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java Mon Jul 8 17:48:27 2013 @@ -25,10 +25,9 @@ package com.sun.org.apache.xerces.internal.impl; -import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.xml.internal.stream.StaxEntityResolverWrapper; import java.util.HashMap; -import javax.xml.XMLConstants; import javax.xml.stream.XMLInputFactory; import javax.xml.stream.XMLOutputFactory; import javax.xml.stream.XMLResolver; 
@@ -51,15 +50,14 @@ private static final String STRING_INTERNING = "http://xml.org/sax/features/string-interning"; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; - /** Property identifier: access to external dtd */ - protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; - - /** Property identifier: access to external schema */ - protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA; - HashMap supportedProps = new HashMap(); + private XMLSecurityPropertyManager fSecurityPropertyMgr; + public static final int CONTEXT_READER = 1; public static final int CONTEXT_WRITER = 2; @@ -84,6 +82,7 @@ HashMap properties = propertyManager.getProperties(); supportedProps.putAll(properties); + fSecurityPropertyMgr = (XMLSecurityPropertyManager)getProperty(XML_SECURITY_PROPERTY_MANAGER); } private HashMap getProperties(){ @@ -125,14 +124,8 @@ supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE, new Boolean(false)); supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_UNDECLARED_ELEMDEF_FEATURE, new Boolean(false)); - //For DOM/SAX, the secure feature is set to true by default - String accessExternal = SecuritySupport.getDefaultAccessProperty( - Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT); - supportedProps.put(ACCESS_EXTERNAL_DTD, accessExternal); - - accessExternal = SecuritySupport.getDefaultAccessProperty( - Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT); - supportedProps.put(ACCESS_EXTERNAL_SCHEMA, accessExternal); + fSecurityPropertyMgr = new XMLSecurityPropertyManager(); + supportedProps.put(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); } private void initWriterProps(){ 
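Review bot: In the copy-constructor hunk of PropertyManager, `fSecurityPropertyMgr` is taken from the map that was just filled by `supportedProps.putAll(properties)`, so the new PropertyManager appears to share the source's XMLSecurityPropertyManager instance rather than a copy. The access values used to be immutable strings in the map; now a later `setProperty` on either object would change the restriction seen by both. If sharing is intended, it should be documented on the field, e.g. `// shared by reference with the PropertyManager this one was copied from`; if not, the manager needs its own copy here. The field is also null after this line when the source did not hold a manager.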
@@ -148,7 +141,8 @@ * } */ public boolean containsProperty(String property){ - return supportedProps.containsKey(property) ; + return supportedProps.containsKey(property) || + fSecurityPropertyMgr.getIndex(property) > -1 ; } public Object getProperty(String property){ @@ -174,7 +168,15 @@ //add internal stax property supportedProps.put( Constants.XERCES_PROPERTY_PREFIX + Constants.STAX_ENTITY_RESOLVER_PROPERTY , new StaxEntityResolverWrapper((XMLResolver)value)) ; } - supportedProps.put(property, value ) ; + + int index = fSecurityPropertyMgr.getIndex(property); + if (index > -1) { + fSecurityPropertyMgr.setValue(index, + XMLSecurityPropertyManager.State.APIPROPERTY, (String)value); + } else { + supportedProps.put(property, value); + } + if(equivalentProperty != null){ supportedProps.put(equivalentProperty, value ) ; } --- old/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Mon Jul 8 17:48:37 2013 +++ new/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Mon Jul 8 17:48:37 2013 @@ -53,6 +53,7 @@ import com.sun.org.apache.xerces.internal.util.SecurityManager; import com.sun.org.apache.xerces.internal.util.NamespaceSupport; import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.NamespaceContext; import com.sun.xml.internal.stream.Entity; import javax.xml.XMLConstants; 
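Review bot: `containsProperty` now dereferences `fSecurityPropertyMgr` unconditionally, but the only assignments visible in this diff are in the reader-property initialisation and the copy constructor; the body of `initWriterProps` is outside the hunks, so a PropertyManager created for `CONTEXT_WRITER` presumably leaves the field null and this call would throw a NullPointerException. A guard keeps the writer path working: `(fSecurityPropertyMgr != null && fSecurityPropertyMgr.getIndex(property) > -1)`. The `setProperty` hunk below has the same dereference and needs `int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(property) : -1;`.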
@@ -166,8 +167,9 @@ protected static final String STANDARD_URI_CONFORMANT = Constants.XERCES_FEATURE_PREFIX +Constants.STANDARD_URI_CONFORMANT_FEATURE; - /** property identifier: access external dtd. */ - protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; /** access external dtd: file protocol * For DOM/SAX, the secure feature is set to true by default @@ -199,7 +201,7 @@ SYMBOL_TABLE, ERROR_REPORTER, ENTITY_MANAGER, - ACCESS_EXTERNAL_DTD + XML_SECURITY_PROPERTY_MANAGER }; /** Property defaults. */ @@ -610,7 +612,10 @@ dtdGrammarUtil = null; // JAXP 1.5 features and properties - fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT); + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) + componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null); + fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); + fStrictURI = componentManager.getFeature(STANDARD_URI_CONFORMANT, false); //fEntityManager.test(); @@ -662,9 +667,10 @@ dtdGrammarUtil = null; - // Oracle jdk feature - fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD); - + // JAXP 1.5 features and properties + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) + propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER); + fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); } // reset(XMLComponentManager) /** 
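Review bot: In `reset(XMLComponentManager)` of XMLDocumentFragmentScannerImpl the manager is fetched with an explicit `null` default and dereferenced on the next line, so a component manager that does not carry `XML_SECURITY_PROPERTY_MANAGER` now fails with a NullPointerException where the old code fell back to `EXTERNAL_ACCESS_DEFAULT`. XMLEntityManager's matching reset in this commit guards the same lookup with `if (spm == null) { spm = new XMLSecurityPropertyManager(); }`, and the same guard is needed here. The unguarded pattern also appears in the `reset(PropertyManager)` hunks of this file and of XMLEntityManager, and in the reset hunks of XMLSchemaLoader and XSDHandler. The method bodies extend beyond the hunks.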
@@ -762,11 +768,10 @@ } //JAXP 1.5 properties - if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) { - if (propertyId.equals(ACCESS_EXTERNAL_DTD)) - { - fAccessExternalDTD = (String)value; - } + if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) + { + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value; + fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); } } // setProperty(String,Object) --- old/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Mon Jul 8 17:48:46 2013 +++ new/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Mon Jul 8 17:48:42 2013 @@ -31,6 +31,7 @@ import com.sun.org.apache.xerces.internal.util.SecurityManager; import com.sun.org.apache.xerces.internal.util.URI; import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier; import com.sun.org.apache.xerces.internal.xni.XNIException; @@ -166,8 +167,9 @@ protected static final String PARSER_SETTINGS = Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS; - /** property identifier: access external dtd. */ - protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; /** access external dtd: file protocol */ static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT; @@ -203,7 +205,7 @@ VALIDATION_MANAGER, BUFFER_SIZE, SECURITY_MANAGER, - ACCESS_EXTERNAL_DTD + XML_SECURITY_PROPERTY_MANAGER }; /** Property defaults. */ @@ -214,7 +216,7 @@ null, new Integer(DEFAULT_BUFFER_SIZE), null, - EXTERNAL_ACCESS_DEFAULT + null }; private static final String XMLEntity = "[xml]".intern(); 
@@ -1421,7 +1423,8 @@ fLoadExternalDTD = !((Boolean)propertyManager.getProperty(Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD)).booleanValue(); // JAXP 1.5 feature - fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD); + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER); + fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); // initialize state //fStandalone = false; @@ -1485,7 +1488,11 @@ fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null); // JAXP 1.5 feature - fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT); + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null); + if (spm == null) { + spm = new XMLSecurityPropertyManager(); + } + fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); //reset general state reset(); @@ -1641,11 +1648,10 @@ } //JAXP 1.5 properties - if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) { - if (propertyId.equals(ACCESS_EXTERNAL_DTD)) - { - fAccessExternalDTD = (String)value; - } + if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) + { + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value; + fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); } } --- old/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java Mon Jul 8 17:48:54 2013 +++ new/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java Mon Jul 8 17:48:52 2013 
@@ -54,6 +54,7 @@ import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.grammars.Grammar; import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription; @@ -218,6 +219,10 @@ protected static final String ENTITY_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_MANAGER_PROPERTY; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; + /** Property identifier: access to external dtd */ public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; @@ -238,8 +243,7 @@ SECURITY_MANAGER, LOCALE, SCHEMA_DV_FACTORY, - ACCESS_EXTERNAL_DTD, - ACCESS_EXTERNAL_SCHEMA + XML_SECURITY_PROPERTY_MANAGER }; // Data @@ -270,7 +274,6 @@ private final CMNodeFactory fNodeFactory = new CMNodeFactory(); //component mgr will be set later private CMBuilder fCMBuilder; private XSDDescription fXSDDescription = new XSDDescription(); - private String faccessExternalDTD = Constants.EXTERNAL_ACCESS_DEFAULT; private String faccessExternalSchema = Constants.EXTERNAL_ACCESS_DEFAULT; private Map fJAXPCache; 
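Review bot: In XMLSchemaLoader the public constant `ACCESS_EXTERNAL_DTD` stays declared while the RECOGNIZED_PROPERTIES hunk drops both access properties and the later `setProperty` hunk removes their branches, so a caller that still sets `XMLConstants.ACCESS_EXTERNAL_SCHEMA` directly on the loader presumably no longer changes `faccessExternalSchema`. If the values are meant to arrive only through `XML_SECURITY_PROPERTY_MANAGER`, the retained constant should say so, e.g. `/** Kept for compatibility; the effective value is read from the XMLSecurityPropertyManager. */`. Otherwise a restriction set through the old property name can be ignored without any error.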
@@ -466,12 +469,10 @@ fErrorReporter.putMessageFormatter(XSMessageFormatter.SCHEMA_DOMAIN, new XSMessageFormatter()); } } - else if (propertyId.equals(ACCESS_EXTERNAL_DTD)) { - faccessExternalDTD = (String) state; + else if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) { + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)state; + faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA); } - else if (propertyId.equals(ACCESS_EXTERNAL_SCHEMA)) { - faccessExternalSchema = (String) state; - } } // setProperty(String, Object) /** @@ -1066,8 +1067,8 @@ fSchemaHandler.setGenerateSyntheticAnnotations(componentManager.getFeature(GENERATE_SYNTHETIC_ANNOTATIONS, false)); fSchemaHandler.reset(componentManager); - faccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD); - faccessExternalSchema = (String) componentManager.getProperty(ACCESS_EXTERNAL_SCHEMA); + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER); + faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA); } private void initGrammarBucket(){ --- old/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java Mon Jul 8 17:49:01 2013 +++ new/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java Mon Jul 8 17:48:59 2013 
@@ -233,12 +233,10 @@ protected static final String SCHEMA_DV_FACTORY = Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY; - /** property identifier: access external dtd. */ - private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; - /** Property identifier: access to external schema */ - private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA; - protected static final String USE_SERVICE_MECHANISM = Constants.ORACLE_FEATURE_SERVICE_MECHANISM; // recognized features and properties @@ -297,8 +295,7 @@ JAXP_SCHEMA_SOURCE, JAXP_SCHEMA_LANGUAGE, SCHEMA_DV_FACTORY, - ACCESS_EXTERNAL_DTD, - ACCESS_EXTERNAL_SCHEMA + XML_SECURITY_PROPERTY_MANAGER }; /** Property defaults. */ --- old/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java Mon Jul 8 17:49:06 2013 +++ new/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java Mon Jul 8 17:49:06 2013 @@ -78,6 +78,7 @@ import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException; import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.QName; import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.grammars.Grammar; @@ -112,6 +113,7 @@ import org.w3c.dom.Node; import org.xml.sax.InputSource; import org.xml.sax.SAXException; +import org.xml.sax.SAXNotRecognizedException; import org.xml.sax.SAXParseException; import org.xml.sax.XMLReader; import org.xml.sax.helpers.XMLReaderFactory; 
@@ -223,12 +225,10 @@ protected static final String LOCALE = Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY; - /** property identifier: access external dtd. */ - public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; - /** Property identifier: access to external schema */ - public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA; - protected static final boolean DEBUG_NODE_POOL = false; // Data @@ -260,6 +260,7 @@ protected SecurityManager fSecureProcessing = null; private String fAccessExternalSchema; + private String fAccessExternalDTD; // These tables correspond to the symbol spaces defined in the // spec. @@ -2249,6 +2250,13 @@ } } catch (SAXException se) {} + + try { + parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, fAccessExternalDTD); + } catch (SAXNotRecognizedException exc) { + System.err.println("Warning: " + parser.getClass().getName() + ": " + + exc.getMessage()); + } } // If XML names and Namespace URIs are already internalized we // can avoid running them through the SymbolTable. 
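Review bot: The new `catch (SAXNotRecognizedException exc)` around `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, fAccessExternalDTD)` in XSDHandler fails open: a reader that does not know the property gets a line on `System.err` and is then used anyway, so the configured DTD access restriction is not applied when the schema document is parsed. When `fAccessExternalDTD` is anything narrower than `Constants.EXTERNAL_ACCESS_DEFAULT`, the handler should refuse to continue with that parser or report the condition through its normal error path instead of only printing. Output on `System.err` from library code is also easy to miss in a server deployment. The enclosing method starts and ends outside the hunk, so how `SAXNotSupportedException` is handled is not visible here.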
@@ -3580,11 +3588,17 @@ } catch (XMLConfigurationException e) { } - //For Schema validation, the secure feature is set to true by default - fSchemaParser.setProperty(ACCESS_EXTERNAL_DTD, - componentManager.getProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT)); - fAccessExternalSchema = (String) componentManager.getProperty( - ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT); + XMLSecurityPropertyManager securityPropertyMgr = (XMLSecurityPropertyManager) + componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER); + //Passing on the setting to the parser + fSchemaParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, securityPropertyMgr); + + fAccessExternalDTD = securityPropertyMgr.getValue( + XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); + + fAccessExternalSchema = securityPropertyMgr.getValue( + XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA); + } // reset(XMLComponentManager) --- old/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java Mon Jul 8 17:49:17 2013 +++ new/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java Mon Jul 8 17:49:12 2013 @@ -37,6 +37,9 @@ import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer; import com.sun.org.apache.xerces.internal.parsers.DOMParser; import com.sun.org.apache.xerces.internal.util.SecurityManager; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State; import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager; 
@@ -97,6 +100,10 @@ private static final String SECURITY_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; + /** property identifier: access external dtd. */ public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; @@ -103,6 +110,7 @@ /** Property identifier: access to external schema */ public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA; + private final DOMParser domParser; private final Schema grammar; @@ -117,6 +125,8 @@ /** Initial EntityResolver */ private final EntityResolver fInitEntityResolver; + private XMLSecurityPropertyManager fSecurityPropertyMgr; + DocumentBuilderImpl(DocumentBuilderFactoryImpl dbf, Hashtable dbfAttrs, Hashtable features) throws SAXNotRecognizedException, SAXNotSupportedException { this(dbf, dbfAttrs, features, false); 
@@ -160,23 +170,27 @@ domParser.setFeature(XINCLUDE_FEATURE, true); } + fSecurityPropertyMgr = new XMLSecurityPropertyManager(); + domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); + // If the secure processing feature is on set a security manager. if (secureProcessing) { domParser.setProperty(SECURITY_MANAGER, new SecurityManager()); - /** - * By default, secure processing is set, no external access is allowed. - * However, we need to check if it is actively set on the factory since we - * allow the use of the System Property or jaxp.properties to override - * the default value + /** + * If secure processing is explicitly set on the factory, the + * access properties will be set unless the corresponding + * System Properties or jaxp.properties are set */ if (features != null) { Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING); if (temp != null) { boolean value = ((Boolean) temp).booleanValue(); - if (value) { - domParser.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); - domParser.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + if (value && Constants.IS_JDK8_OR_ABOVE) { + fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD, + State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_SCHEMA, + State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); } } } @@ -220,7 +234,7 @@ setFeatures(features); } - // Set attributes + //setAttribute override those that may be set by other means setDocumentBuilderFactoryAttributes(dbfAttrs); // Initial EntityResolver 
@@ -275,26 +289,32 @@ // spec when schema validation is enabled domParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA); } - } - } else if(JAXP_SCHEMA_SOURCE.equals(name)){ - if( isValidating() ) { - String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE); - if(value !=null && W3C_XML_SCHEMA.equals(value)){ - domParser.setProperty(name, val); - }else{ + } + } else if(JAXP_SCHEMA_SOURCE.equals(name)){ + if( isValidating() ) { + String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE); + if(value !=null && W3C_XML_SCHEMA.equals(value)){ + domParser.setProperty(name, val); + }else{ throw new IllegalArgumentException( DOMMessageFormatter.formatMessage(DOMMessageFormatter.DOM_DOMAIN, "jaxp-order-not-supported", new Object[] {JAXP_SCHEMA_LANGUAGE, JAXP_SCHEMA_SOURCE})); - } - } - } else { - // Let Xerces code handle the property - domParser.setProperty(name, val); - } } - } + } + } else { + int index = fSecurityPropertyMgr.getIndex(name); + if (index > -1) { + fSecurityPropertyMgr.setValue(index, + XMLSecurityPropertyManager.State.APIPROPERTY, (String)val); + } else { + // Let Xerces code handle the property + domParser.setProperty(name, val); + } + } + } } + } /** * Non-preferred: use the getDOMImplementation() method instead of this --- old/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java Mon Jul 8 17:49:22 2013 +++ new/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java Mon Jul 8 17:49:22 2013 @@ -36,6 +36,7 @@ import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; import com.sun.org.apache.xerces.internal.util.SecurityManager; import com.sun.org.apache.xerces.internal.util.Status; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager; 
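Review bot: The new `(String)val` cast in the final `else` branch of the `@@ -275,26 +289,32 @@` hunk throws ClassCastException when a caller supplies a non-String value for one of the managed access properties; the neighbouring `domParser.setProperty(name, val)` call suggests `val` is an Object. A type check before the cast would keep the failure in the style this method already uses, for example `if (!(val instanceof String)) throw new IllegalArgumentException(name);` ahead of the `setValue` call. The same unchecked cast is added in SAXParserImpl's setProperty (`(String)value`), in XMLSchemaFactory's setProperty (`(String)object`, where only XMLConfigurationException is caught) and in the new SAXParser.setProperty. The enclosing method starts outside the hunk.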
@@ -92,12 +93,10 @@ private static final String SECURITY_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; - /** property identifier: access external dtd. */ - public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; - /** Property identifier: access to external schema */ - public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA; - private final JAXPSAXParser xmlReader; private String schemaLanguage = null; // null means DTD private final Schema grammar; @@ -113,6 +112,8 @@ /** Initial EntityResolver */ private final EntityResolver fInitEntityResolver; + private XMLSecurityPropertyManager fSecurityPropertyMgr; + /** * Create a SAX parser with the associated features * @param features Hashtable of SAX features, may be null @@ -149,6 +150,9 @@ xmlReader.setFeature0(XINCLUDE_FEATURE, true); } + fSecurityPropertyMgr = new XMLSecurityPropertyManager(); + xmlReader.setProperty0(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); + // If the secure processing feature is on set a security manager. if (secureProcessing) { xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager()); 
@@ -162,10 +166,13 @@ Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING); if (temp != null) { boolean value = ((Boolean) temp).booleanValue(); - if (value) { - xmlReader.setProperty0(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); - xmlReader.setProperty0(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); - } + if (value && Constants.IS_JDK8_OR_ABOVE) { + fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD, + XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA, + XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + + } } } } @@ -530,14 +537,21 @@ return; } } - if (!fInitProperties.containsKey(name)) { - fInitProperties.put(name, super.getProperty(name)); - } /** Forward property to the schema validator if there is one. **/ if (fSAXParser != null && fSAXParser.fSchemaValidator != null) { setSchemaValidatorProperty(name, value); } - super.setProperty(name, value); + /** Check to see if the property is managed by the property manager **/ + int index = fSAXParser.fSecurityPropertyMgr.getIndex(name); + if (index > -1) { + fSAXParser.fSecurityPropertyMgr.setValue(index, + XMLSecurityPropertyManager.State.APIPROPERTY, (String)value); + } else { + if (!fInitProperties.containsKey(name)) { + fInitProperties.put(name, super.getProperty(name)); + } + super.setProperty(name, value); + } } public synchronized Object getProperty(String name) 
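Review bot: In the `@@ -530,14 +537,21 @@` hunk the new `fSAXParser.fSecurityPropertyMgr.getIndex(name)` dereferences `fSAXParser` unconditionally, although the statement just above it still guards with `fSAXParser != null`. If that guard is needed, the lookup needs it as well, e.g. `int index = (fSAXParser != null) ? fSAXParser.fSecurityPropertyMgr.getIndex(name) : -1;`. The getProperty hunk `@@ -550,6 +564,11 @@` makes the same unguarded call. Managed properties also no longer reach `fInitProperties`, so whatever restores the initial properties on reset (not visible here) would presumably leave an access property changed through this method in place; that deserves a comment or an explicit reset. setProperty starts outside the hunk.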
@@ -550,6 +564,11 @@ // JAXP 1.2 support return fSAXParser.schemaLanguage; } + int index = fSAXParser.fSecurityPropertyMgr.getIndex(name); + if (index > -1) { + return fSAXParser.fSecurityPropertyMgr.getValueByIndex(index); + } + return super.getProperty(name); } --- old/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Mon Jul 8 17:49:32 2013 +++ new/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Mon Jul 8 17:49:27 2013 @@ -177,11 +177,11 @@ } config.setProperty(SYMBOL_TABLE, fComponentManager.getProperty(SYMBOL_TABLE)); config.setProperty(VALIDATION_MANAGER, fComponentManager.getProperty(VALIDATION_MANAGER)); - config.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, - fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD)); config.setDocumentHandler(fSchemaValidator); config.setDTDHandler(null); config.setDTDContentModelHandler(null); + config.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, + fComponentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER)); fConfiguration = new SoftReference(config); return config; } --- old/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Mon Jul 8 17:49:37 2013 +++ new/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Mon Jul 8 17:49:36 2013 @@ -53,6 +53,7 @@ import com.sun.org.apache.xerces.internal.util.URI; import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl; import com.sun.org.apache.xerces.internal.util.XMLSymbols; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.NamespaceContext; import com.sun.org.apache.xerces.internal.xni.QName; 
@@ -134,6 +135,10 @@ private static final String VALIDATION_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.VALIDATION_MANAGER_PROPERTY; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; + // // Data // @@ -686,8 +691,10 @@ catch (SAXException exc) {} } try { - reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, - fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD)); + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) + fComponentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER); + reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, + spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD)); } catch (SAXException exc) { System.err.println("Warning: " + reader.getClass().getName() + ": " + exc.getMessage()); --- old/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Mon Jul 8 17:49:45 2013 +++ new/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Mon Jul 8 17:49:41 2013 @@ -45,7 +45,7 @@ import com.sun.org.apache.xerces.internal.util.StAXInputSource; import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl; -import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.grammars.Grammar; import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription; 
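Review bot: In the `@@ -686,8 +691,10 @@` hunk `spm` is used without a null check, and a NullPointerException from `spm.getValue(...)` is not covered by the `catch (SAXException exc)` that follows. Whether `fComponentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER)` can return null depends on how the component manager was populated, which this hunk does not show, so a fallback is the safer choice: `if (spm == null) { spm = new XMLSecurityPropertyManager(); }` before the `reader.setProperty` call still applies the system-property and jaxp.properties values. The DOMParser hunk `@@ -579,6 +584,13 @@` has the same pattern, calling `spm.getIndex(propertyId)` inside a try that catches only XMLConfigurationException. The enclosing method starts outside the hunk.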
@@ -83,11 +83,10 @@ private static final String SECURITY_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; - /** property identifier: access external dtd. */ - public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; - /** Property identifier: access to external schema */ - public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA; // // Data @@ -111,6 +110,9 @@ /** The SecurityManager. */ private SecurityManager fSecurityManager; + /** The Security property manager. */ + private XMLSecurityPropertyManager fSecurityPropertyMgr; + /** The container for the real grammar pool. */ private XMLGrammarPoolWrapper fXMLGrammarPoolWrapper; @@ -120,6 +122,8 @@ * Note the default value (false) is the safe option.. */ private final boolean fUseServicesMechanism; + + public XMLSchemaFactory() { this(true); } @@ -140,13 +144,9 @@ fSecurityManager = new SecurityManager(); fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager); - //by default, the secure feature is set to true, otherwise the default would have been 'file' - String accessExternal = SecuritySupport.getDefaultAccessProperty( - Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT); - fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, accessExternal); - accessExternal = SecuritySupport.getDefaultAccessProperty( - Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT); - fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal); + fSecurityPropertyMgr = new XMLSecurityPropertyManager(); + fXMLSchemaLoader.setProperty(XML_SECURITY_PROPERTY_MANAGER, + fSecurityPropertyMgr); } /** @@ -282,6 +282,7 @@ schema = new EmptyXMLSchema(); } propagateFeatures(schema); + propagateProperties(schema); return schema; } 
@@ -366,8 +367,13 @@ } if (value) { fSecurityManager = new SecurityManager(); - fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); - fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + + if (Constants.IS_JDK8_OR_ABOVE) { + fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD, + XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA, + XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + } } else { fSecurityManager = null; } @@ -414,7 +420,13 @@ "property-not-supported", new Object [] {name})); } try { - fXMLSchemaLoader.setProperty(name, object); + int index = fSecurityPropertyMgr.getIndex(name); + if (index > -1) { + fSecurityPropertyMgr.setValue(index, + XMLSecurityPropertyManager.State.APIPROPERTY, (String)object); + } else { + fXMLSchemaLoader.setProperty(name, object); + } } catch (XMLConfigurationException e) { String identifier = e.getIdentifier(); --- old/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java Mon Jul 8 17:49:50 2013 +++ new/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java Mon Jul 8 17:49:50 2013 @@ -42,6 +42,7 @@ import com.sun.org.apache.xerces.internal.util.SecurityManager; import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.SymbolTable; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.NamespaceContext; import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent; 
@@ -107,6 +108,10 @@ private static final String SECURITY_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; + /** Property identifier: security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; + /** Property identifier: symbol table. */ private static final String SYMBOL_TABLE = Constants.XERCES_PROPERTY_PREFIX + Constants.SYMBOL_TABLE_PROPERTY; @@ -123,12 +128,6 @@ private static final String LOCALE = Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY; - /** property identifier: access external dtd. */ - private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; - - /** Property identifier: access to external schema */ - private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA; - // // Data // @@ -184,6 +183,9 @@ /** Stores the initial security manager. */ private final SecurityManager fInitSecurityManager; + /** Stores the initial security property manager. */ + private final XMLSecurityPropertyManager fSecurityPropertyMgr; + // // User Objects // @@ -250,8 +252,9 @@ fComponents.put(SECURITY_MANAGER, fInitSecurityManager); //pass on properties set on SchemaFactory - setProperty(ACCESS_EXTERNAL_DTD, grammarContainer.getProperty(ACCESS_EXTERNAL_DTD)); - setProperty(ACCESS_EXTERNAL_SCHEMA, grammarContainer.getProperty(ACCESS_EXTERNAL_SCHEMA)); + fSecurityPropertyMgr = (XMLSecurityPropertyManager) + grammarContainer.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER); + setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); } /** 
@@ -309,6 +312,15 @@ throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING); } setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null); + + if (value && Constants.IS_JDK8_OR_ABOVE) { + fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD, + XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA, + XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); + setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); + } + return; } fConfigUpdated = true; --- old/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java Mon Jul 8 17:49:58 2013 +++ new/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java Mon Jul 8 17:49:55 2013 @@ -29,6 +29,7 @@ import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.SymbolTable; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool; import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException; @@ -74,6 +75,10 @@ protected static final String REPORT_WHITESPACE = Constants.SUN_SCHEMA_FEATURE_PREFIX + Constants.SUN_REPORT_IGNORED_ELEMENT_CONTENT_WHITESPACE; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; + // recognized features: private static final String[] RECOGNIZED_FEATURES = { REPORT_WHITESPACE 
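Review bot: The `fSecurityPropertyMgr.setValue(...)` calls in the `@@ -309,6 +312,15 @@` hunk mutate the object that the constructor hunk `@@ -250,8 +252,9 @@` obtained by reference from `grammarContainer.getProperty(...)`. If that is the instance held by the XMLSchemaFactory (propagateProperties is not shown in this diff), enabling FEATURE_SECURE_PROCESSING on one validator changes the external-access settings of the factory and of every other validator created from the same schema. Giving each component manager its own manager, initialised from the inherited values, would keep the setting local, though XMLSecurityPropertyManager has no copy facility in this commit. At the least the field should say so, e.g. `/** Shared with the Schema this validator was created from; changes are visible to all holders. */`. The enclosing setFeature starts outside the hunk.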
@@ -579,6 +584,13 @@ } try { + XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) + fConfiguration.getProperty(XML_SECURITY_PROPERTY_MANAGER); + int index = spm.getIndex(propertyId); + if (index > -1) { + return spm.getValueByIndex(index); + } + return fConfiguration.getProperty(propertyId); } catch (XMLConfigurationException e) { --- old/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java Mon Jul 8 17:50:02 2013 +++ new/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java Mon Jul 8 17:50:02 2013 @@ -22,8 +22,11 @@ import com.sun.org.apache.xerces.internal.impl.Constants; import com.sun.org.apache.xerces.internal.util.SymbolTable; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool; import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration; +import org.xml.sax.SAXNotRecognizedException; +import org.xml.sax.SAXNotSupportedException; /** * This is the main Xerces SAX parser class. It uses the abstract SAX 
@@ -120,4 +123,24 @@ } // (SymbolTable,XMLGrammarPool) + /** + * Sets the particular property in the underlying implementation of + * org.xml.sax.XMLReader. + */ + public void setProperty(String name, Object value) + throws SAXNotRecognizedException, SAXNotSupportedException { + XMLSecurityPropertyManager spm = new XMLSecurityPropertyManager(); + int index = spm.getIndex(name); + if (index > -1) { + /** + * this is a direct call to this parser, not a subclass since + * internally the support of this property is done through + * XMLSecurityPropertyManager + */ + spm.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value); + super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, spm); + } else { + super.setProperty(name, value); + } + } } // class SAXParser --- old/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java Mon Jul 8 17:50:10 2013 +++ new/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java Mon Jul 8 17:50:07 2013 @@ -20,12 +20,10 @@ package com.sun.org.apache.xerces.internal.parsers; -import java.io.File; import java.io.IOException; import java.util.ArrayList; import java.util.HashMap; import java.util.Locale; -import java.util.Properties; import javax.xml.XMLConstants; import com.sun.org.apache.xerces.internal.impl.Constants; @@ -53,9 +51,8 @@ import com.sun.org.apache.xerces.internal.util.FeatureState; import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings; import com.sun.org.apache.xerces.internal.util.PropertyState; -import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.SymbolTable; -import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler; import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler; import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler; 
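Review bot: The new `SAXParser.setProperty` builds a fresh `XMLSecurityPropertyManager` on every call for a managed property and registers it over the previous one, so a second call discards the first: after setting ACCESS_EXTERNAL_DTD and then ACCESS_EXTERNAL_SCHEMA, the DTD value falls back to its default or system-property value. For an access restriction that is a silent loosening. The manager already registered on the parser should be reused and a new one created only when none is present, as sketched below; this assumes the underlying configuration recognises the property, as XML11Configuration does in this commit. The explanatory block inside the `if` would also read better as a plain comment than as `/** */`.

```java
public void setProperty(String name, Object value)
    throws SAXNotRecognizedException, SAXNotSupportedException {
    // Reuse the manager already registered on this parser so that a value
    // set by an earlier call is not replaced by a fresh set of defaults.
    XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
            super.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER);
    if (spm == null) {
        spm = new XMLSecurityPropertyManager();
        super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, spm);
    }
    int index = spm.getIndex(name);
    if (index > -1) {
        spm.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
    } else {
        // … unchanged: super.setProperty(name, value) …
    }
}
```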
@@ -278,11 +275,10 @@ protected static final String SCHEMA_DV_FACTORY = Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY; - /** Property identifier: access to external dtd */ - protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + /** Property identifier: Security property manager. */ + private static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; - /** Property identifier: access to external schema */ - protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA; // debugging @@ -535,8 +531,7 @@ SCHEMA_NONS_LOCATION, LOCALE, SCHEMA_DV_FACTORY, - ACCESS_EXTERNAL_DTD, - ACCESS_EXTERNAL_SCHEMA + XML_SECURITY_PROPERTY_MANAGER }; addRecognizedProperties(recognizedProperties); @@ -584,15 +579,8 @@ fVersionDetector = new XMLVersionDetector(); - //FEATURE_SECURE_PROCESSING is true, see the feature above - String accessExternal = SecuritySupport.getDefaultAccessProperty( - Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT); - fProperties.put(ACCESS_EXTERNAL_DTD, accessExternal); + fProperties.put(XML_SECURITY_PROPERTY_MANAGER, new XMLSecurityPropertyManager()); - accessExternal = SecuritySupport.getDefaultAccessProperty( - Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT); - fProperties.put(ACCESS_EXTERNAL_SCHEMA, accessExternal); - // add message formatters if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) { XMLMessageFormatter xmft = new XMLMessageFormatter(); --- old/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java Mon Jul 8 17:50:16 2013 +++ new/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java Mon Jul 8 17:50:16 2013 
@@ -223,7 +223,8 @@ * @return the name of the protocol if rejected, null otherwise */ public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException { - if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) { + if (systemId == null || (allowedProtocols != null && + allowedProtocols.equalsIgnoreCase(accessAny))) { return null; } @@ -256,6 +257,9 @@ * @return true if the protocol is in the list */ private static boolean isProtocolAllowed(String protocol, String allowedProtocols) { + if (allowedProtocols == null) { + return false; + } String temp[] = allowedProtocols.split(","); for (String t : temp) { t = t.trim(); @@ -267,18 +271,16 @@ } /** - * Read from $java.home/lib/jaxp.properties for the specified property + * Read JAXP system property in this order: system property, + * $java.home/lib/jaxp.properties if the system property is not specified * * @param propertyId the Id of the property * @return the value of the property */ - public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) { - String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId); + public static String getJAXPSystemProperty(String sysPropertyId) { + String accessExternal = getSystemProperty(sysPropertyId); if (accessExternal == null) { accessExternal = readJAXPProperty(sysPropertyId); - if (accessExternal == null) { - accessExternal = defaultVal; - } } return accessExternal; } --- old/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java Mon Jul 8 17:50:26 2013 +++ new/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java Mon Jul 8 17:50:21 2013 
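Review bot: The Javadoc on the renamed `getJAXPSystemProperty` in the `@@ -267,18 +271,16 @@` hunk still documents `@param propertyId` although the parameter is `sysPropertyId`, and its `@return` does not say that the method can now return null, since the `defaultVal` fallback was removed. Callers that relied on a non-null result need to see that; I would write `@param sysPropertyId the name of the system property` and `@return the value of the property, or null if it is set neither as a system property nor in jaxp.properties`. The local name `accessExternal` is left over from the access-specific version, and `value` would suit the general method better.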
@@ -68,6 +68,7 @@ import com.sun.org.apache.xerces.internal.xpointer.XPointerHandler; import com.sun.org.apache.xerces.internal.xpointer.XPointerProcessor; import com.sun.org.apache.xerces.internal.utils.ObjectFactory; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import java.util.Objects; /** @@ -231,14 +232,10 @@ protected static final String PARSER_SETTINGS = Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS; - /** property identifier: access external dtd. */ - protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD; + /** property identifier: XML security property manager. */ + protected static final String XML_SECURITY_PROPERTY_MANAGER = + Constants.XML_SECURITY_PROPERTY_MANAGER; - /** access external dtd: file protocol - * For DOM/SAX, the secure feature is set to true by default - */ - final static String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT; - /** Recognized features. */ private static final String[] RECOGNIZED_FEATURES = { ALLOW_UE_AND_NOTATION_EVENTS, XINCLUDE_FIXUP_BASE_URIS, XINCLUDE_FIXUP_LANGUAGE }; @@ -293,13 +290,8 @@ protected XMLErrorReporter fErrorReporter; protected XMLEntityResolver fEntityResolver; protected SecurityManager fSecurityManager; - /** - * comma-delimited list of protocols that are allowed for the purpose - * of accessing external dtd or entity references - */ - protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT; + protected XMLSecurityPropertyManager fSecurityPropertyMgr; - // these are needed for text include processing protected XIncludeTextReader fXInclude10TextReader; protected XIncludeTextReader fXInclude11TextReader; @@ -540,7 +532,8 @@ fSecurityManager = null; } - fAccessExternalDTD = (String)componentManager.getProperty(ACCESS_EXTERNAL_DTD); + fSecurityPropertyMgr = (XMLSecurityPropertyManager) + componentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER); // Get buffer size. try { 
@@ -687,11 +680,13 @@ } return; } - if (propertyId.equals(ACCESS_EXTERNAL_DTD)) { - fAccessExternalDTD = (String)value; + if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) { + fSecurityPropertyMgr = (XMLSecurityPropertyManager)value; + if (fChildConfig != null) { - fChildConfig.setProperty(propertyId, value); + fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, value); } + return; } @@ -1652,7 +1647,7 @@ if (fErrorReporter != null) fChildConfig.setProperty(ERROR_REPORTER, fErrorReporter); if (fEntityResolver != null) fChildConfig.setProperty(ENTITY_RESOLVER, fEntityResolver); fChildConfig.setProperty(SECURITY_MANAGER, fSecurityManager); - fChildConfig.setProperty(ACCESS_EXTERNAL_DTD, fAccessExternalDTD); + fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); fChildConfig.setProperty(BUFFER_SIZE, new Integer(fBufferSize)); // features must be copied to child configuration --- old/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java Mon Jul 8 17:50:35 2013 +++ new/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java Mon Jul 8 17:50:34 2013 @@ -140,12 +140,6 @@ // Try to carry on if we've got a parser that // doesn't know about namespace prefixes. } - try { - reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD); - } catch (SAXException se) { - System.err.println("Warning: " + reader.getClass().getName() + ": " - + se.getMessage()); - } } catch (ParserConfigurationException ex) { throw new SAXException(ex); } catch (FactoryConfigurationError ex1) { @@ -162,6 +156,14 @@ } } + try { + //reader is cached, but this property might have been reset + reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD); + } catch (SAXException se) { + System.err.println("Warning: " + reader.getClass().getName() + ": " + + se.getMessage()); + } + return reader; } 
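Review bot: In the XMLReaderManager hunk that moves `reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD)` below the cache handling, a SAXException from that call is only printed to System.err and the reader is still returned, so a reader that rejects the property is handed out without the restriction. Since the block now runs for every reader, cached or new, that fail-open behaviour should at least be stated where it happens, e.g. `// if the reader rejects the property the restriction is not applied; the reader is returned as is`. Whether it should instead fail when `_accessExternalDTD` is restrictive is a design question the enclosing method, which starts outside the hunk, would have to answer.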
--- /dev/null Mon Jul 8 17:50:42 2013
+++ new/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java Mon Jul 8 17:50:40 2013
@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xalan.internal.utils;
+
+
+import com.sun.org.apache.xalan.internal.XalanConstants;
+import javax.xml.XMLConstants;
+
+/**
+ * This class manages security related properties
+ *
+ */
+public final class XMLSecurityPropertyManager {
+
+ /**
+ * States of the settings of a property, in the order: default value, value
+ * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+ * properties, and jaxp api properties
+ */
+ public static enum State {
+ //this order reflects the overriding order
+ DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+ }
+
+ /**
+ * Limits managed by the security manager
+ */
+ public static enum Property {
+ ACCESS_EXTERNAL_DTD(XMLConstants.ACCESS_EXTERNAL_DTD,
+ XalanConstants.EXTERNAL_ACCESS_DEFAULT),
+ ACCESS_EXTERNAL_STYLESHEET(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,
+ XalanConstants.EXTERNAL_ACCESS_DEFAULT);
+
+ final String name;
+ final String defaultValue;
+
+ Property(String name, String value) {
+ this.name = name;
+ this.defaultValue = value;
+ }
+
+ public boolean equalsName(String propertyName) {
+ return (propertyName == null) ? false : name.equals(propertyName);
+ }
+
+ String defaultValue() {
+ return defaultValue;
+ }
+ }
+
+
+ /**
+ * Values of the properties as defined in enum Properties
+ */
+ private final String[] values;
+ /**
+ * States of the settings for each property in Properties above
+ */
+ private State[] states = {State.DEFAULT, State.DEFAULT};
+
+ /**
+ * Default constructor. Establishes default values
+ */
+ public XMLSecurityPropertyManager() {
+ values = new String[Property.values().length];
+ for (Property property : Property.values()) {
+ values[property.ordinal()] = property.defaultValue();
+ }
+ //read system properties or jaxp.properties
+ readSystemProperties();
+ }
+
+ /**
+ * Set the value for a specific property.
+ *
+ * @param property the property
+ * @param state the state of the property
+ * @param value the value of the property
+ */
+ public void setValue(Property property, State state, String value) {
+ //only update if it shall override
+ if (state.compareTo(states[property.ordinal()]) >= 0) {
+ values[property.ordinal()] = value;
+ states[property.ordinal()] = state;
+ }
+ }
+
+ /**
+ * Set the value of a property by its index
+ * @param index the index of the property
+ * @param state the state of the property
+ * @param value the value of the property
+ */
+ public void setValue(int index, State state, String value) {
+ //only update if it shall override
+ if (state.compareTo(states[index]) >= 0) {
+ values[index] = value;
+ states[index] = state;
+ }
+ }
+ /**
+ * Return the value of the specified property
+ *
+ * @param property the property
+ * @return the value of the property
+ */
+ public String getValue(Property property) {
+ return values[property.ordinal()];
+ }
+
+ /**
+ * Return the value of a property by its ordinal
+ * @param index the index of a property
+ * @return value of a property
+ */
+ public String getValueByIndex(int index) {
+ return values[index];
+ }
+
+ /**
+ * Get the index by property name
+ * @param propertyName property name
+ * @return the index of the property if found; return -1 if not
+ */
+ public int getIndex(String propertyName){
+ for (Property property : Property.values()) {
+ if (property.equalsName(propertyName)) {
+ //internally, ordinal is used as index
+ return property.ordinal();
+ }
+ }
+ return -1;
+ }
+
+ /**
+ * Read from system properties, or those in jaxp.properties
+ */
+ private void readSystemProperties() {
+ getSystemProperty(Property.ACCESS_EXTERNAL_DTD,
+ XalanConstants.SP_ACCESS_EXTERNAL_DTD);
+ getSystemProperty(Property.ACCESS_EXTERNAL_STYLESHEET,
+ XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET);
+ }
+
+ /**
+ * Read from system properties, or those in jaxp.properties
+ *
+ * @param property the property
+ * @param systemProperty the name of the system property
+ */
+ private void getSystemProperty(Property property, String systemProperty) {
+ try {
+ String value = SecuritySupport.getSystemProperty(systemProperty);
+ if (value != null) {
+ values[property.ordinal()] = value;
+ states[property.ordinal()] = State.SYSTEMPROPERTY;
+ return;
+ }
+
+ value = SecuritySupport.readJAXPProperty(systemProperty);
+ if (value != null) {
+ values[property.ordinal()] = value;
+ states[property.ordinal()] = State.JAXPDOTPROPERTIES;
+ }
+ } catch (NumberFormatException e) {
+ //invalid setting ignored
+ }
+ }
+}
+
--- /dev/null Mon Jul 8 17:50:48 2013
+++ new/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java Mon Jul 8 17:50:48 2013
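Review bot: In the new xalan XMLSecurityPropertyManager, `states` is initialised with a two-element literal, `{State.DEFAULT, State.DEFAULT}`, while `values` is sized from `Property.values().length`; adding a third Property would make every `states[property.ordinal()]` access for it throw ArrayIndexOutOfBoundsException. Sizing both the same way removes the coupling: declare `private final State[] states = new State[Property.values().length];` and set `states[property.ordinal()] = State.DEFAULT;` in the constructor loop. The `catch (NumberFormatException e)` in `getSystemProperty` guards a body that parses no numbers as far as the visible code shows and could be dropped, and the Javadoc on `Property` ("Limits managed by the security manager") describes access properties rather than limits. The xerces copy of this class that follows has the same `states` initialiser.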
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import javax.xml.XMLConstants;
+
+/**
+ * This class manages security related properties
+ *
+ */
+public final class XMLSecurityPropertyManager {
+
+ /**
+ * States of the settings of a property, in the order: default value, value
+ * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+ * properties, and jaxp api properties
+ */
+ public static enum State {
+ //this order reflects the overriding order
+ DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+ }
+
+ /**
+ * Limits managed by the security manager
+ */
+ public static enum Property {
+ ACCESS_EXTERNAL_DTD(XMLConstants.ACCESS_EXTERNAL_DTD,
+ Constants.EXTERNAL_ACCESS_DEFAULT),
+ ACCESS_EXTERNAL_SCHEMA(XMLConstants.ACCESS_EXTERNAL_SCHEMA,
+ Constants.EXTERNAL_ACCESS_DEFAULT);
+
+ final String name;
+ final String defaultValue;
+
+ Property(String name, String value) {
+ this.name = name;
+ this.defaultValue = value;
+ }
+
+ public boolean equalsName(String propertyName) {
+ return (propertyName == null) ? false : name.equals(propertyName);
+ }
+
+ String defaultValue() {
+ return defaultValue;
+ }
+ }
+
+ /**
+ * Values of the properties as defined in enum Properties
+ */
+ private final String[] values;
+ /**
+ * States of the settings for each property in Properties above
+ */
+ private State[] states = {State.DEFAULT, State.DEFAULT};
+
+ /**
+ * Default constructor. Establishes default values
+ */
+ public XMLSecurityPropertyManager() {
+ values = new String[Property.values().length];
+ for (Property property : Property.values()) {
+ values[property.ordinal()] = property.defaultValue();
+ }
+ //read system properties or jaxp.properties
+ readSystemProperties();
+ }
+
+ /**
+ * Set the value for a specific property.
+ *
+ * @param property the property
+ * @param state the state of the property
+ * @param value the value of the property
+ */
+ public void setValue(Property property, State state, String value) {
+ //only update if it shall override
+ if (state.compareTo(states[property.ordinal()]) >= 0) {
+ values[property.ordinal()] = value;
+ states[property.ordinal()] = state;
+ }
+ }
+
+ /**
+ * Set the value of a property by its index
+ * @param index the index of the property
+ * @param state the state of the property
+ * @param value the value of the property
+ */
+ public void setValue(int index, State state, String value) {
+ //only update if it shall override
+ if (state.compareTo(states[index]) >= 0) {
+ values[index] = value;
+ states[index] = state;
+ }
+ }
+ /**
+ * Return the value of the specified property
+ *
+ * @param property the property
+ * @return the value of the property
+ */
+ public String getValue(Property property) {
+ return values[property.ordinal()];
+ }
+
+ /**
+ * Return the value of a property by its ordinal
+ * @param index the index of a property
+ * @return value of a property
+ */
+ public String getValueByIndex(int index) {
+ return values[index];
+ }
+
+ /**
+ * Get the index by property name
+ * @param propertyName property name
+ * @return the index of the property if found; return -1 if not
+ */
+ public int getIndex(String propertyName){
+ for (Property property : Property.values()) {
+ if (property.equalsName(propertyName)) {
+ //internally, ordinal is used as index
+ return property.ordinal();
+ }
+ }
+ return -1;
+ }
+
+ /**
+ * Read from system properties, or those in jaxp.properties
+ */
+ private void readSystemProperties() {
+ getSystemProperty(Property.ACCESS_EXTERNAL_DTD,
+ Constants.SP_ACCESS_EXTERNAL_DTD);
+ getSystemProperty(Property.ACCESS_EXTERNAL_SCHEMA,
+ Constants.SP_ACCESS_EXTERNAL_SCHEMA);
+ }
+
+ /**
+ * Read from system properties, or those in jaxp.properties
+ *
+ * @param property the property
+ * @param
systemProperty the name of the system property
+ */
+ private void getSystemProperty(Property property, String systemProperty) {
+ try {
+ String value = SecuritySupport.getSystemProperty(systemProperty);
+ if (value != null) {
+ values[property.ordinal()] = value;
+ states[property.ordinal()] = State.SYSTEMPROPERTY;
+ return;
+ }
+
+ value = SecuritySupport.readJAXPProperty(systemProperty);
+ if (value != null) {
+ values[property.ordinal()] = value;
+ states[property.ordinal()] = State.JAXPDOTPROPERTIES;
+ }
+ } catch (NumberFormatException e) {
+ //invalid setting ignored
+ }
+ }
+}
+
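Review bot: `states` is initialised from a two-element literal (`{State.DEFAULT, State.DEFAULT}`) while `values` is sized from `Property.values().length`, so the two arrays only line up while the enum has exactly two constants; a third property would make `setValue` and `getSystemProperty` throw ArrayIndexOutOfBoundsException on `states[...]`. Allocate it next to `values` in the constructor, `states = new State[Property.values().length];` with `states[property.ordinal()] = State.DEFAULT;` inside the existing loop, and declare the field `final`. The `setValue` javadoc should also say that a call whose `state` ranks below the stored one is silently ignored, for example a value applied with `State.FSP` does not replace one read from jaxp.properties or a system property, because a caller tightening external access otherwise gets no indication that the restriction was not applied. The Xalan copy of this class earlier in the patch has the same `setValue` logic; its field declarations are outside this view.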