src/share/jaxws_classes/com/sun/xml/internal/xsom/parser/JAXPParser.java


        

*** 1,7 **** /* ! * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this --- 1,7 ---- /* ! * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this
*** 25,46 **** package com.sun.xml.internal.xsom.parser; import java.io.IOException; import java.net.URL; import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParserFactory; ! import org.xml.sax.ContentHandler; ! import org.xml.sax.EntityResolver; ! import org.xml.sax.ErrorHandler; ! import org.xml.sax.InputSource; ! import org.xml.sax.Locator; ! import org.xml.sax.SAXException; ! import org.xml.sax.SAXParseException; ! import org.xml.sax.XMLReader; import org.xml.sax.helpers.XMLFilterImpl; import com.sun.xml.internal.xsom.impl.parser.Messages; /** --- 25,42 ---- package com.sun.xml.internal.xsom.parser; import java.io.IOException; import java.net.URL; + import java.util.logging.Level; + import java.util.logging.Logger; import javax.xml.parsers.ParserConfigurationException; + import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParserFactory; ! import org.xml.sax.*; import org.xml.sax.helpers.XMLFilterImpl; import com.sun.xml.internal.xsom.impl.parser.Messages; /**
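Review bot: `import org.xml.sax.*;` replaces eight explicit imports with a wildcard, which hides which SAX types this parser depends on and lets new names from that package enter scope silently. The explicit list could stay unchanged, because the code added in this change appears to need no further `org.xml.sax` type; `SAXParser` comes from `javax.xml.parsers` and is imported separately.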
*** 49,77 **** * @author * Kohsuke Kawaguchi (kohsuke.kawaguchi@sun.com) */ public class JAXPParser implements XMLParser { private final SAXParserFactory factory; public JAXPParser( SAXParserFactory factory ) { factory.setNamespaceAware(true); // just in case this.factory = factory; } public JAXPParser() { this( SAXParserFactory.newInstance()); } public void parse( InputSource source, ContentHandler handler, ErrorHandler errorHandler, EntityResolver entityResolver ) throws SAXException, IOException { try { ! XMLReader reader = factory.newSAXParser().getXMLReader(); ! reader = new XMLReaderEx(reader); reader.setContentHandler(handler); if(errorHandler!=null) reader.setErrorHandler(errorHandler); if(entityResolver!=null) --- 45,83 ---- * @author * Kohsuke Kawaguchi (kohsuke.kawaguchi@sun.com) */ public class JAXPParser implements XMLParser { + // not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used + private static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema"; + + private static final Logger LOGGER = Logger.getLogger(JAXPParser.class.getName()); + private final SAXParserFactory factory; public JAXPParser( SAXParserFactory factory ) { factory.setNamespaceAware(true); // just in case this.factory = factory; } + /** + * @deprecated Unsafe, use JAXPParser(factory) instead with + * security features initialized by setting + * XMLConstants.FEATURE_SECURE_PROCESSING feature. + */ public JAXPParser() { this( SAXParserFactory.newInstance()); } public void parse( InputSource source, ContentHandler handler, ErrorHandler errorHandler, EntityResolver entityResolver ) throws SAXException, IOException { try { ! SAXParser saxParser = allowFileAccess(factory.newSAXParser(), false); ! XMLReader reader = new XMLReaderEx(saxParser.getXMLReader()); reader.setContentHandler(handler); if(errorHandler!=null) reader.setErrorHandler(errorHandler); if(entityResolver!=null)
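Review bot: In `parse`, the new call `allowFileAccess(factory.newSAXParser(), false)` passes a literal `false`, so the `disableSecureProcessing` early return in the helper is never taken and every parser gets `accessExternalSchema` set to `"file"`, whatever the caller configured on the supplied factory. If a caller had already restricted external schema access more tightly, this call would appear to widen it to local files. Either document that on `parse`, or derive the flag from the factory, e.g. `boolean secure = factory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);` followed by `allowFileAccess(factory.newSAXParser(), !secure)`. The deprecated no-argument constructor carries only the Javadoc `@deprecated` tag; adding the `@Deprecated` annotation above `public JAXPParser()` keeps the two in step. The body of `parse` continues outside the hunk.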
*** 83,92 **** --- 89,116 ---- errorHandler.fatalError(spe); throw spe; } } + private static SAXParser allowFileAccess(SAXParser saxParser, boolean disableSecureProcessing) throws SAXException { + + // if feature secure processing enabled, nothing to do, file is allowed, + // or user is able to control access by standard JAXP mechanisms + if (disableSecureProcessing) { + return saxParser; + } + + try { + saxParser.setProperty(ACCESS_EXTERNAL_SCHEMA, "file"); + LOGGER.log(Level.FINE, Messages.format(Messages.JAXP_SUPPORTED_PROPERTY, ACCESS_EXTERNAL_SCHEMA)); + } catch (SAXException ignored) { + // nothing to do; support depends on version JDK or SAX implementation + LOGGER.log(Level.CONFIG, Messages.format(Messages.JAXP_UNSUPPORTED_PROPERTY, ACCESS_EXTERNAL_SCHEMA), ignored); + } + return saxParser; + } + /** * XMLReader with improved error message for entity resolution failure. * * TODO: this class is completely stand-alone, so it shouldn't be * an inner class.
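Review bot: The comment above `if (disableSecureProcessing)` in `allowFileAccess` says there is nothing to do when secure processing is enabled, but the guard returns when it is disabled, so comment and condition read as opposites on a security setting. If the guard is the intended behaviour, reword the comment to `// secure processing disabled: no access restriction applies, so nothing to relax`. The method would also benefit from a short Javadoc stating that it sets `accessExternalSchema` to `"file"` on the parser, and that a parser rejecting the property is logged at `CONFIG` and returned unchanged. The caught exception is named `ignored` although it is passed to the logger; a name such as `e` would describe it better.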