95 96 /** Property identifier: Security property manager. */ 97 private static final String XML_SECURITY_PROPERTY_MANAGER = 98 Constants.XML_SECURITY_PROPERTY_MANAGER; 99 100 private final JAXPSAXParser xmlReader; 101 private String schemaLanguage = null; // null means DTD 102 private final Schema grammar; 103 104 private final XMLComponent fSchemaValidator; 105 private final XMLComponentManager fSchemaValidatorComponentManager; 106 private final ValidationManager fSchemaValidationManager; 107 private final UnparsedEntityHandler fUnparsedEntityHandler; 108 109 /** Initial ErrorHandler */ 110 private final ErrorHandler fInitErrorHandler; 111 112 /** Initial EntityResolver */ 113 private final EntityResolver fInitEntityResolver; 114 115 private XMLSecurityPropertyManager fSecurityPropertyMgr; 116 117 /** 118 * Create a SAX parser with the associated features 119 * @param features Hashtable of SAX features, may be null 120 */ 121 SAXParserImpl(SAXParserFactoryImpl spf, Hashtable features) 122 throws SAXException { 123 this(spf, features, false); 124 } 125 126 /** 127 * Create a SAX parser with the associated features 128 * @param features Hashtable of SAX features, may be null 129 */ 130 SAXParserImpl(SAXParserFactoryImpl spf, Hashtable features, boolean secureProcessing) 131 throws SAXException 132 { 133 // Instantiate a SAXParser directly and not through SAX so that we use the right ClassLoader 134 xmlReader = new JAXPSAXParser(this); 135 136 // JAXP "namespaceAware" == SAX Namespaces feature 137 // Note: there is a compatibility problem here with default values: 138 // JAXP default is false while SAX 2 default is true! 139 xmlReader.setFeature0(NAMESPACES_FEATURE, spf.isNamespaceAware()); 140 141 // SAX "namespaces" and "namespace-prefixes" features should not 142 // both be false. We make them opposite for backward compatibility 143 // since JAXP 1.0 apps may want to receive xmlns* attributes. 144 xmlReader.setFeature0(NAMESPACE_PREFIXES_FEATURE, !spf.isNamespaceAware()); 145 146 // Avoid setting the XInclude processing feature if the value is false. 147 // This will keep the configuration from throwing an exception if it 148 // does not support XInclude. 149 if (spf.isXIncludeAware()) { 150 xmlReader.setFeature0(XINCLUDE_FEATURE, true); 151 } 152 153 fSecurityPropertyMgr = new XMLSecurityPropertyManager(); 154 xmlReader.setProperty0(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); 155 156 // If the secure processing feature is on set a security manager. 157 if (secureProcessing) { 158 xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager()); 159 /** 160 * By default, secure processing is set, no external access is allowed. 161 * However, we need to check if it is actively set on the factory since we 162 * allow the use of the System Property or jaxp.properties to override 163 * the default value 164 */ 165 if (features != null) { 166 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING); 167 if (temp != null) { 168 boolean value = ((Boolean) temp).booleanValue(); 169 if (value && Constants.IS_JDK8_OR_ABOVE) { 170 fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD, 171 XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); 172 fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA, 173 XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); 380 } 381 382 public AttributePSVI getAttributePSVI(int index) { 383 return ((PSVIProvider)xmlReader).getAttributePSVI(index); 384 } 385 386 public AttributePSVI getAttributePSVIByName(String uri, String localname) { 387 return ((PSVIProvider)xmlReader).getAttributePSVIByName(uri, localname); 388 } 389 390 /** 391 * Extension of SAXParser. This class tracks changes to 392 * features and properties to allow the parser to be reset to 393 * its initial state. 394 */ 395 public static class JAXPSAXParser extends com.sun.org.apache.xerces.internal.parsers.SAXParser { 396 397 private final HashMap fInitFeatures = new HashMap(); 398 private final HashMap fInitProperties = new HashMap(); 399 private final SAXParserImpl fSAXParser; 400 401 public JAXPSAXParser() { 402 this(null); 403 } 404 405 JAXPSAXParser(SAXParserImpl saxParser) { 406 super(); 407 fSAXParser = saxParser; 408 } 409 410 /** 411 * Override SAXParser's setFeature method to track the initial state 412 * of features. This keeps us from affecting the performance of the 413 * SAXParser when it is created with XMLReaderFactory. 414 */ 415 public synchronized void setFeature(String name, boolean value) 416 throws SAXNotRecognizedException, SAXNotSupportedException { 417 if (name == null) { 418 // TODO: Add localized error message. 419 throw new NullPointerException(); 420 } 421 if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) { 422 try { 423 setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null); 424 } 425 catch (SAXNotRecognizedException exc) { 426 // If the property is not supported 427 // re-throw the exception if the value is true. 428 if (value) { 525 if ( val != null && W3C_XML_SCHEMA.equals(val) ) { 526 if (!fInitProperties.containsKey(JAXP_SCHEMA_SOURCE)) { 527 fInitProperties.put(JAXP_SCHEMA_SOURCE, super.getProperty(JAXP_SCHEMA_SOURCE)); 528 } 529 super.setProperty(name, value); 530 } 531 else { 532 throw new SAXNotSupportedException( 533 SAXMessageFormatter.formatMessage(fConfiguration.getLocale(), 534 "jaxp-order-not-supported", 535 new Object[] {JAXP_SCHEMA_LANGUAGE, JAXP_SCHEMA_SOURCE})); 536 } 537 return; 538 } 539 } 540 /** Forward property to the schema validator if there is one. **/ 541 if (fSAXParser != null && fSAXParser.fSchemaValidator != null) { 542 setSchemaValidatorProperty(name, value); 543 } 544 /** Check to see if the property is managed by the property manager **/ 545 int index = fSAXParser.fSecurityPropertyMgr.getIndex(name); 546 if (index > -1) { 547 fSAXParser.fSecurityPropertyMgr.setValue(index, 548 XMLSecurityPropertyManager.State.APIPROPERTY, (String)value); 549 } else { 550 if (!fInitProperties.containsKey(name)) { 551 fInitProperties.put(name, super.getProperty(name)); 552 } 553 super.setProperty(name, value); 554 } 555 } 556 557 public synchronized Object getProperty(String name) 558 throws SAXNotRecognizedException, SAXNotSupportedException { 559 if (name == null) { 560 // TODO: Add localized error message. 561 throw new NullPointerException(); 562 } 563 if (fSAXParser != null && JAXP_SCHEMA_LANGUAGE.equals(name)) { 564 // JAXP 1.2 support 565 return fSAXParser.schemaLanguage; 566 } 567 int index = fSAXParser.fSecurityPropertyMgr.getIndex(name); 568 if (index > -1) { 569 return fSAXParser.fSecurityPropertyMgr.getValueByIndex(index); 570 } 571 572 return super.getProperty(name); 573 } 574 575 synchronized void restoreInitState() 576 throws SAXNotRecognizedException, SAXNotSupportedException { 577 Iterator iter; 578 if (!fInitFeatures.isEmpty()) { 579 iter = fInitFeatures.entrySet().iterator(); 580 while (iter.hasNext()) { 581 Map.Entry entry = (Map.Entry) iter.next(); 582 String name = (String) entry.getKey(); 583 boolean value = ((Boolean) entry.getValue()).booleanValue(); 584 super.setFeature(name, value); 585 } 586 fInitFeatures.clear(); 587 } 588 if (!fInitProperties.isEmpty()) { 589 iter = fInitProperties.entrySet().iterator(); | 95 96 /** Property identifier: Security property manager. */ 97 private static final String XML_SECURITY_PROPERTY_MANAGER = 98 Constants.XML_SECURITY_PROPERTY_MANAGER; 99 100 private final JAXPSAXParser xmlReader; 101 private String schemaLanguage = null; // null means DTD 102 private final Schema grammar; 103 104 private final XMLComponent fSchemaValidator; 105 private final XMLComponentManager fSchemaValidatorComponentManager; 106 private final ValidationManager fSchemaValidationManager; 107 private final UnparsedEntityHandler fUnparsedEntityHandler; 108 109 /** Initial ErrorHandler */ 110 private final ErrorHandler fInitErrorHandler; 111 112 /** Initial EntityResolver */ 113 private final EntityResolver fInitEntityResolver; 114 115 private final XMLSecurityPropertyManager fSecurityPropertyMgr; 116 117 /** 118 * Create a SAX parser with the associated features 119 * @param features Hashtable of SAX features, may be null 120 */ 121 SAXParserImpl(SAXParserFactoryImpl spf, Hashtable features) 122 throws SAXException { 123 this(spf, features, false); 124 } 125 126 /** 127 * Create a SAX parser with the associated features 128 * @param features Hashtable of SAX features, may be null 129 */ 130 SAXParserImpl(SAXParserFactoryImpl spf, Hashtable features, boolean secureProcessing) 131 throws SAXException 132 { 133 fSecurityPropertyMgr = new XMLSecurityPropertyManager(); 134 135 // Instantiate a SAXParser directly and not through SAX so that we use the right ClassLoader 136 xmlReader = new JAXPSAXParser(this, fSecurityPropertyMgr); 137 138 // JAXP "namespaceAware" == SAX Namespaces feature 139 // Note: there is a compatibility problem here with default values: 140 // JAXP default is false while SAX 2 default is true! 141 xmlReader.setFeature0(NAMESPACES_FEATURE, spf.isNamespaceAware()); 142 143 // SAX "namespaces" and "namespace-prefixes" features should not 144 // both be false. We make them opposite for backward compatibility 145 // since JAXP 1.0 apps may want to receive xmlns* attributes. 146 xmlReader.setFeature0(NAMESPACE_PREFIXES_FEATURE, !spf.isNamespaceAware()); 147 148 // Avoid setting the XInclude processing feature if the value is false. 149 // This will keep the configuration from throwing an exception if it 150 // does not support XInclude. 151 if (spf.isXIncludeAware()) { 152 xmlReader.setFeature0(XINCLUDE_FEATURE, true); 153 } 154 155 xmlReader.setProperty0(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); 156 157 // If the secure processing feature is on set a security manager. 158 if (secureProcessing) { 159 xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager()); 160 /** 161 * By default, secure processing is set, no external access is allowed. 162 * However, we need to check if it is actively set on the factory since we 163 * allow the use of the System Property or jaxp.properties to override 164 * the default value 165 */ 166 if (features != null) { 167 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING); 168 if (temp != null) { 169 boolean value = ((Boolean) temp).booleanValue(); 170 if (value && Constants.IS_JDK8_OR_ABOVE) { 171 fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD, 172 XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); 173 fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA, 174 XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP); 381 } 382 383 public AttributePSVI getAttributePSVI(int index) { 384 return ((PSVIProvider)xmlReader).getAttributePSVI(index); 385 } 386 387 public AttributePSVI getAttributePSVIByName(String uri, String localname) { 388 return ((PSVIProvider)xmlReader).getAttributePSVIByName(uri, localname); 389 } 390 391 /** 392 * Extension of SAXParser. This class tracks changes to 393 * features and properties to allow the parser to be reset to 394 * its initial state. 395 */ 396 public static class JAXPSAXParser extends com.sun.org.apache.xerces.internal.parsers.SAXParser { 397 398 private final HashMap fInitFeatures = new HashMap(); 399 private final HashMap fInitProperties = new HashMap(); 400 private final SAXParserImpl fSAXParser; 401 private XMLSecurityPropertyManager fSecurityPropertyMgr; 402 403 404 public JAXPSAXParser() { 405 this(null, null); 406 } 407 408 JAXPSAXParser(SAXParserImpl saxParser, XMLSecurityPropertyManager spm) { 409 super(); 410 fSAXParser = saxParser; 411 fSecurityPropertyMgr = spm; 412 413 /** 414 * This class may be used directly. So initialize the security manager if 415 * it is null. 416 */ 417 if (fSecurityPropertyMgr == null) { 418 fSecurityPropertyMgr = new XMLSecurityPropertyManager(); 419 try { 420 super.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); 421 } catch (SAXException e) { 422 throw new UnsupportedOperationException( 423 SAXMessageFormatter.formatMessage(fConfiguration.getLocale(), 424 "property-not-recognized", new Object [] {SECURITY_MANAGER}), e); 425 } 426 } 427 } 428 429 /** 430 * Override SAXParser's setFeature method to track the initial state 431 * of features. This keeps us from affecting the performance of the 432 * SAXParser when it is created with XMLReaderFactory. 433 */ 434 public synchronized void setFeature(String name, boolean value) 435 throws SAXNotRecognizedException, SAXNotSupportedException { 436 if (name == null) { 437 // TODO: Add localized error message. 438 throw new NullPointerException(); 439 } 440 if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) { 441 try { 442 setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null); 443 } 444 catch (SAXNotRecognizedException exc) { 445 // If the property is not supported 446 // re-throw the exception if the value is true. 447 if (value) { 544 if ( val != null && W3C_XML_SCHEMA.equals(val) ) { 545 if (!fInitProperties.containsKey(JAXP_SCHEMA_SOURCE)) { 546 fInitProperties.put(JAXP_SCHEMA_SOURCE, super.getProperty(JAXP_SCHEMA_SOURCE)); 547 } 548 super.setProperty(name, value); 549 } 550 else { 551 throw new SAXNotSupportedException( 552 SAXMessageFormatter.formatMessage(fConfiguration.getLocale(), 553 "jaxp-order-not-supported", 554 new Object[] {JAXP_SCHEMA_LANGUAGE, JAXP_SCHEMA_SOURCE})); 555 } 556 return; 557 } 558 } 559 /** Forward property to the schema validator if there is one. **/ 560 if (fSAXParser != null && fSAXParser.fSchemaValidator != null) { 561 setSchemaValidatorProperty(name, value); 562 } 563 /** Check to see if the property is managed by the property manager **/ 564 int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(name) : -1; 565 if (index > -1) { 566 fSecurityPropertyMgr.setValue(index, 567 XMLSecurityPropertyManager.State.APIPROPERTY, (String)value); 568 } else { 569 if (!fInitProperties.containsKey(name)) { 570 fInitProperties.put(name, super.getProperty(name)); 571 } 572 super.setProperty(name, value); 573 } 574 } 575 576 public synchronized Object getProperty(String name) 577 throws SAXNotRecognizedException, SAXNotSupportedException { 578 if (name == null) { 579 // TODO: Add localized error message. 580 throw new NullPointerException(); 581 } 582 if (fSAXParser != null && JAXP_SCHEMA_LANGUAGE.equals(name)) { 583 // JAXP 1.2 support 584 return fSAXParser.schemaLanguage; 585 } 586 int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(name) : -1; 587 if (index > -1) { 588 return fSecurityPropertyMgr.getValueByIndex(index); 589 } 590 591 return super.getProperty(name); 592 } 593 594 synchronized void restoreInitState() 595 throws SAXNotRecognizedException, SAXNotSupportedException { 596 Iterator iter; 597 if (!fInitFeatures.isEmpty()) { 598 iter = fInitFeatures.entrySet().iterator(); 599 while (iter.hasNext()) { 600 Map.Entry entry = (Map.Entry) iter.next(); 601 String name = (String) entry.getKey(); 602 boolean value = ((Boolean) entry.getValue()).booleanValue(); 603 super.setFeature(name, value); 604 } 605 fInitFeatures.clear(); 606 } 607 if (!fInitProperties.isEmpty()) { 608 iter = fInitProperties.entrySet().iterator(); |