206 public static String sanitizePath(String uri) { 207 if (uri == null) { 208 return ""; 209 } 210 int i = uri.lastIndexOf("/"); 211 if (i > 0) { 212 return uri.substring(i+1, uri.length()); 213 } 214 return ""; 215 } 216 217 /** 218 * Check the protocol used in the systemId against allowed protocols 219 * 220 * @param systemId the Id of the URI 221 * @param allowedProtocols a list of allowed protocols separated by comma 222 * @param accessAny keyword to indicate allowing any protocol 223 * @return the name of the protocol if rejected, null otherwise 224 */ 225 public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException { 226 if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) { 227 return null; 228 } 229 230 String protocol; 231 if (systemId.indexOf(":")==-1) { 232 protocol = "file"; 233 } else { 234 URL url = new URL(systemId); 235 protocol = url.getProtocol(); 236 if (protocol.equalsIgnoreCase("jar")) { 237 String path = url.getPath(); 238 protocol = path.substring(0, path.indexOf(":")); 239 } 240 } 241 242 if (isProtocolAllowed(protocol, allowedProtocols)) { 243 //access allowed 244 return null; 245 } else { 246 return protocol; 247 } 248 } 249 250 /** 251 * Check if the protocol is in the allowed list of protocols. The check 252 * is case-insensitive while ignoring whitespaces. 253 * 254 * @param protocol a protocol 255 * @param allowedProtocols a list of allowed protocols 256 * @return true if the protocol is in the list 257 */ 258 private static boolean isProtocolAllowed(String protocol, String allowedProtocols) { 259 String temp[] = allowedProtocols.split(","); 260 for (String t : temp) { 261 t = t.trim(); 262 if (t.equalsIgnoreCase(protocol)) { 263 return true; 264 } 265 } 266 return false; 267 } 268 269 /** 270 * Read from $java.home/lib/jaxp.properties for the specified property 271 * 272 * @param propertyId the Id of the property 273 * @return the value of the property 274 */ 275 public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) { 276 String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId); 277 if (accessExternal == null) { 278 accessExternal = readJAXPProperty(sysPropertyId); 279 if (accessExternal == null) { 280 accessExternal = defaultVal; 281 } 282 } 283 return accessExternal; 284 } 285 286 /** 287 * Read from $java.home/lib/jaxp.properties for the specified property 288 * The program 289 * 290 * @param propertyId the Id of the property 291 * @return the value of the property 292 */ 293 static String readJAXPProperty(String propertyId) { 294 String value = null; 295 InputStream is = null; 296 try { 297 if (firstTime) { 298 synchronized (cacheProps) { 299 if (firstTime) { 300 String configFile = getSystemProperty("java.home") + File.separator + 301 "lib" + File.separator + "jaxp.properties"; 302 File f = new File(configFile); | 206 public static String sanitizePath(String uri) { 207 if (uri == null) { 208 return ""; 209 } 210 int i = uri.lastIndexOf("/"); 211 if (i > 0) { 212 return uri.substring(i+1, uri.length()); 213 } 214 return ""; 215 } 216 217 /** 218 * Check the protocol used in the systemId against allowed protocols 219 * 220 * @param systemId the Id of the URI 221 * @param allowedProtocols a list of allowed protocols separated by comma 222 * @param accessAny keyword to indicate allowing any protocol 223 * @return the name of the protocol if rejected, null otherwise 224 */ 225 public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException { 226 if (systemId == null || (allowedProtocols != null && 227 allowedProtocols.equalsIgnoreCase(accessAny))) { 228 return null; 229 } 230 231 String protocol; 232 if (systemId.indexOf(":")==-1) { 233 protocol = "file"; 234 } else { 235 URL url = new URL(systemId); 236 protocol = url.getProtocol(); 237 if (protocol.equalsIgnoreCase("jar")) { 238 String path = url.getPath(); 239 protocol = path.substring(0, path.indexOf(":")); 240 } 241 } 242 243 if (isProtocolAllowed(protocol, allowedProtocols)) { 244 //access allowed 245 return null; 246 } else { 247 return protocol; 248 } 249 } 250 251 /** 252 * Check if the protocol is in the allowed list of protocols. The check 253 * is case-insensitive while ignoring whitespaces. 254 * 255 * @param protocol a protocol 256 * @param allowedProtocols a list of allowed protocols 257 * @return true if the protocol is in the list 258 */ 259 private static boolean isProtocolAllowed(String protocol, String allowedProtocols) { 260 if (allowedProtocols == null) { 261 return false; 262 } 263 String temp[] = allowedProtocols.split(","); 264 for (String t : temp) { 265 t = t.trim(); 266 if (t.equalsIgnoreCase(protocol)) { 267 return true; 268 } 269 } 270 return false; 271 } 272 273 /** 274 * Read JAXP system property in this order: system property, 275 * $java.home/lib/jaxp.properties if the system property is not specified 276 * 277 * @param propertyId the Id of the property 278 * @return the value of the property 279 */ 280 public static String getJAXPSystemProperty(String sysPropertyId) { 281 String accessExternal = getSystemProperty(sysPropertyId); 282 if (accessExternal == null) { 283 accessExternal = readJAXPProperty(sysPropertyId); 284 } 285 return accessExternal; 286 } 287 288 /** 289 * Read from $java.home/lib/jaxp.properties for the specified property 290 * The program 291 * 292 * @param propertyId the Id of the property 293 * @return the value of the property 294 */ 295 static String readJAXPProperty(String propertyId) { 296 String value = null; 297 InputStream is = null; 298 try { 299 if (firstTime) { 300 synchronized (cacheProps) { 301 if (firstTime) { 302 String configFile = getSystemProperty("java.home") + File.separator + 303 "lib" + File.separator + "jaxp.properties"; 304 File f = new File(configFile); |