# HG changeset patch # User xuelei # Date 1382588674 25200 # Node ID ef2352bf3dfe5dbdc2d6723e6cddc9822bf45700 # Parent d92379723173d679b2fac54962d9ecf8ae96cfcd 8026417: Enhance XML canonicalization Summary: Copy before use mutable byte arrays. Also reviewed by Alexander Fomin Reviewed-by: mullan, hawtin, ahgross diff -r d92379723173 -r ef2352bf3dfe src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java Sat Dec 07 16:15:08 2013 -0800 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java Wed Oct 23 21:24:34 2013 -0700 @@ -64,6 +64,8 @@ protected static final AttrCompare COMPARE = new AttrCompare(); + // Make sure you clone the following mutable arrays before passing to + // potentially untrusted objects such as OutputStreams. private static final byte[] END_PI = {'?','>'}; private static final byte[] BEGIN_PI = {'<','?'}; private static final byte[] END_COMM = {'-','-','>'}; @@ -76,7 +78,7 @@ private static final byte[] LT = {'&','l','t',';'}; private static final byte[] END_TAG = {'<','/'}; private static final byte[] AMP = {'&','a','m','p',';'}; - private static final byte[] equalsStr = {'=','\"'}; + private static final byte[] EQUALS_STR = {'=','\"'}; protected static final int NODE_BEFORE_DOCUMENT_ELEMENT = -1; protected static final int NODE_NOT_BEFORE_OR_AFTER_DOCUMENT_ELEMENT = 0; @@ -303,7 +305,7 @@ writer.write('>'); sibling = currentNode.getFirstChild(); if (sibling == null) { - writer.write(END_TAG); + writer.write(END_TAG.clone()); UtfHelpper.writeStringToUtf8(name, writer); writer.write('>'); //We finished with this level, pop to the previous definitions. @@ -321,7 +323,7 @@ break; } while (sibling == null && parentNode != null) { - writer.write(END_TAG); + writer.write(END_TAG.clone()); UtfHelpper.writeByte(((Element)parentNode).getTagName(), writer, cache); writer.write('>'); //We finished with this level, pop to the previous definitions. @@ -481,7 +483,7 @@ if (sibling == null) { if (currentNodeIsVisible) { - writer.write(END_TAG); + writer.write(END_TAG.clone()); UtfHelpper.writeByte(name, writer, cache); writer.write('>'); //We finished with this level, pop to the previous definitions. @@ -503,7 +505,7 @@ } while (sibling == null && parentNode != null) { if (isVisible(parentNode)) { - writer.write(END_TAG); + writer.write(END_TAG.clone()); UtfHelpper.writeByte(((Element)parentNode).getTagName(), writer, cache); writer.write('>'); //We finished with this level, pop to the previous definitions. @@ -690,7 +692,7 @@ ) throws IOException { writer.write(' '); UtfHelpper.writeByte(name, writer, cache); - writer.write(equalsStr); + writer.write(EQUALS_STR.clone()); byte[] toWrite; final int length = value.length(); int i = 0; @@ -700,27 +702,27 @@ switch (c) { case '&' : - toWrite = AMP; + toWrite = AMP.clone(); break; case '<' : - toWrite = LT; + toWrite = LT.clone(); break; case '"' : - toWrite = QUOT; + toWrite = QUOT.clone(); break; case 0x09 : // '\t' - toWrite = X9; + toWrite = X9.clone(); break; case 0x0A : // '\n' - toWrite = XA; + toWrite = XA.clone(); break; case 0x0D : // '\r' - toWrite = XD; + toWrite = XD.clone(); break; default : @@ -750,7 +752,7 @@ if (position == NODE_AFTER_DOCUMENT_ELEMENT) { writer.write('\n'); } - writer.write(BEGIN_PI); + writer.write(BEGIN_PI.clone()); final String target = currentPI.getTarget(); int length = target.length(); @@ -758,7 +760,7 @@ for (int i = 0; i < length; i++) { char c = target.charAt(i); if (c == 0x0D) { - writer.write(XD); + writer.write(XD.clone()); } else { if (c < 0x80) { writer.write(c); @@ -778,14 +780,14 @@ for (int i = 0; i < length; i++) { char c = data.charAt(i); if (c == 0x0D) { - writer.write(XD); + writer.write(XD.clone()); } else { UtfHelpper.writeCharToUtf8(c, writer); } } } - writer.write(END_PI); + writer.write(END_PI.clone()); if (position == NODE_BEFORE_DOCUMENT_ELEMENT) { writer.write('\n'); } @@ -804,7 +806,7 @@ if (position == NODE_AFTER_DOCUMENT_ELEMENT) { writer.write('\n'); } - writer.write(BEGIN_COMM); + writer.write(BEGIN_COMM.clone()); final String data = currentComment.getData(); final int length = data.length(); @@ -812,7 +814,7 @@ for (int i = 0; i < length; i++) { char c = data.charAt(i); if (c == 0x0D) { - writer.write(XD); + writer.write(XD.clone()); } else { if (c < 0x80) { writer.write(c); @@ -822,7 +824,7 @@ } } - writer.write(END_COMM); + writer.write(END_COMM.clone()); if (position == NODE_BEFORE_DOCUMENT_ELEMENT) { writer.write('\n'); } @@ -846,19 +848,19 @@ switch (c) { case '&' : - toWrite = AMP; + toWrite = AMP.clone(); break; case '<' : - toWrite = LT; + toWrite = LT.clone(); break; case '>' : - toWrite = GT; + toWrite = GT.clone(); break; case 0xD : - toWrite = XD; + toWrite = XD.clone(); break; default :