# HG changeset patch # User chegar # Date 1381517384 -3600 # Node ID 2b77e12ff69d02afa15a3ad273c2c8455e4c031c # Parent 46ccc5fbc523f68103b6f24917cc9a059f8c0595# Parent cc3b6436604846c1c68a1745256d34a82089d2f8 Merge diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/XalanConstants.java --- a/src/com/sun/org/apache/xalan/internal/XalanConstants.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/XalanConstants.java Fri Oct 11 19:49:44 2013 +0100 @@ -39,6 +39,116 @@ // // Constants // + //Xerces security manager + public static final String SECURITY_MANAGER = + "http://apache.org/xml/properties/security-manager"; + + // + // Implementation limits: API properties + // + /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */ + public static final String ORACLE_JAXP_PROPERTY_PREFIX = + "http://www.oracle.com/xml/jaxp/properties/"; + /** + * JDK entity expansion limit; Note that the existing system property + * "entityExpansionLimit" with no prefix is still observed + */ + public static final String JDK_ENTITY_EXPANSION_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "entityExpansionLimit"; + + /** + * JDK element attribute limit; Note that the existing system property + * "elementAttributeLimit" with no prefix is still observed + */ + public static final String JDK_ELEMENT_ATTRIBUTE_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "elementAttributeLimit"; + + /** + * JDK maxOccur limit; Note that the existing system property + * "maxOccurLimit" with no prefix is still observed + */ + public static final String JDK_MAX_OCCUR_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "maxOccurLimit"; + + /** + * JDK total entity size limit + */ + public static final String JDK_TOTAL_ENTITY_SIZE_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "totalEntitySizeLimit"; + + /** + * JDK maximum general entity size limit + */ + public static final String JDK_GENEAL_ENTITY_SIZE_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "maxGeneralEntitySizeLimit"; + /** + * JDK maximum parameter entity size limit + */ + public static final String JDK_PARAMETER_ENTITY_SIZE_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "maxParameterEntitySizeLimit"; + /** + * JDK maximum XML name limit + */ + public static final String JDK_XML_NAME_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit"; + /** + * JDK property indicating whether the parser shall print out entity + * count information + * Value: a string "yes" means print, "no" or any other string means not. + */ + public static final String JDK_ENTITY_COUNT_INFO = + ORACLE_JAXP_PROPERTY_PREFIX + "getEntityCountInfo"; + + // + // Implementation limits: corresponding System Properties of the above + // API properties + // + /** + * JDK entity expansion limit; Note that the existing system property + * "entityExpansionLimit" with no prefix is still observed + */ + public static final String SP_ENTITY_EXPANSION_LIMIT = "jdk.xml.entityExpansionLimit"; + + /** + * JDK element attribute limit; Note that the existing system property + * "elementAttributeLimit" with no prefix is still observed + */ + public static final String SP_ELEMENT_ATTRIBUTE_LIMIT = "jdk.xml.elementAttributeLimit"; + + /** + * JDK maxOccur limit; Note that the existing system property + * "maxOccurLimit" with no prefix is still observed + */ + public static final String SP_MAX_OCCUR_LIMIT = "jdk.xml.maxOccurLimit"; + + /** + * JDK total entity size limit + */ + public static final String SP_TOTAL_ENTITY_SIZE_LIMIT = "jdk.xml.totalEntitySizeLimit"; + + /** + * JDK maximum general entity size limit + */ + public static final String SP_GENEAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit"; + /** + * JDK maximum parameter entity size limit + */ + public static final String SP_PARAMETER_ENTITY_SIZE_LIMIT = "jdk.xml.maxParameterEntitySizeLimit"; + /** + * JDK maximum XML name limit + */ + public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit"; + + //legacy System Properties + public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit"; + public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ; + public final static String MAX_OCCUR_LIMIT = "maxOccurLimit"; + + /** + * A string "yes" that can be used for properties such as getEntityCountInfo + */ + public static final String JDK_YES = "yes"; + // Oracle Feature: /** *

Use Service Mechanism

@@ -51,21 +161,16 @@ *
  • * {@code false} instruct an object to skip service mechanism and * use the default implementation for that service. - *
    • - * - */ - + * + * + */ public static final String ORACLE_FEATURE_SERVICE_MECHANISM = "http://www.oracle.com/feature/use-service-mechanism"; - /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */ - public static final String ORACLE_JAXP_PROPERTY_PREFIX = - "http://www.oracle.com/xml/jaxp/properties/"; //System Properties corresponding to ACCESS_EXTERNAL_* properties public static final String SP_ACCESS_EXTERNAL_STYLESHEET = "javax.xml.accessExternalStylesheet"; public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD"; - //all access keyword public static final String ACCESS_EXTERNAL_ALL = "all"; diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java Fri Oct 11 19:49:44 2013 +0100 @@ -0,0 +1,449 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. + * + * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved. + * + * The contents of this file are subject to the terms of either the GNU + * General Public License Version 2 only ("GPL") or the Common Development + * and Distribution License("CDDL") (collectively, the "License"). You + * may not use this file except in compliance with the License. You can + * obtain a copy of the License at + * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html + * or packager/legal/LICENSE.txt. See the License for the specific + * language governing permissions and limitations under the License. + * + * When distributing the software, include this License Header Notice in each + * file and include the License file at packager/legal/LICENSE.txt. + * + * GPL Classpath Exception: + * Oracle designates this particular file as subject to the "Classpath" + * exception as provided by Oracle in the GPL Version 2 section of the License + * file that accompanied this code. + * + * Modifications: + * If applicable, add the following below the License Header, with the fields + * enclosed by brackets [] replaced by your own identifying information: + * "Portions Copyright [year] [name of copyright owner]" + * + * Contributor(s): + * If you wish your version of this file to be governed by only the CDDL or + * only the GPL Version 2, indicate your decision by adding "[Contributor] + * elects to include this software in this distribution under the [CDDL or GPL + * Version 2] license." If you don't indicate a single choice of license, a + * recipient has the option to distribute your version of this file under + * either the CDDL, the GPL Version 2 or to extend the choice of license to + * its licensees as provided above. However, if you add GPL Version 2 code + * and therefore, elected the GPL Version 2 license, then the option applies + * only if the new code is made subject to such option by the copyright + * holder. + */ +package com.sun.org.apache.xalan.internal.utils; + +import com.sun.org.apache.xalan.internal.XalanConstants; + + +/** + * This class is not the same as that in Xerces. It is used to manage the + * state of corresponding Xerces properties and pass the values over to + * the Xerces Security Manager. + * + * @author Joe Wang Oracle Corp. + * + */ +public final class XMLSecurityManager { + + /** + * States of the settings of a property, in the order: default value, value + * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system + * properties, and jaxp api properties + */ + public static enum State { + //this order reflects the overriding order + + DEFAULT("default"), FSP("FEATURE_SECURE_PROCESSING"), + JAXPDOTPROPERTIES("jaxp.properties"), SYSTEMPROPERTY("system property"), + APIPROPERTY("property"); + + final String literal; + State(String literal) { + this.literal = literal; + } + + String literal() { + return literal; + } + } + + /** + * Limits managed by the security manager + */ + public static enum Limit { + + ENTITY_EXPANSION_LIMIT(XalanConstants.JDK_ENTITY_EXPANSION_LIMIT, + XalanConstants.SP_ENTITY_EXPANSION_LIMIT, 0, 64000), + MAX_OCCUR_NODE_LIMIT(XalanConstants.JDK_MAX_OCCUR_LIMIT, + XalanConstants.SP_MAX_OCCUR_LIMIT, 0, 5000), + ELEMENT_ATTRIBUTE_LIMIT(XalanConstants.JDK_ELEMENT_ATTRIBUTE_LIMIT, + XalanConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000), + TOTAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_TOTAL_ENTITY_SIZE_LIMIT, + XalanConstants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000), + GENEAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_GENEAL_ENTITY_SIZE_LIMIT, + XalanConstants.SP_GENEAL_ENTITY_SIZE_LIMIT, 0, 0), + PARAMETER_ENTITY_SIZE_LIMIT(XalanConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, + XalanConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000); + + final String apiProperty; + final String systemProperty; + final int defaultValue; + final int secureValue; + + Limit(String apiProperty, String systemProperty, int value, int secureValue) { + this.apiProperty = apiProperty; + this.systemProperty = systemProperty; + this.defaultValue = value; + this.secureValue = secureValue; + } + + public boolean equalsAPIPropertyName(String propertyName) { + return (propertyName == null) ? false : apiProperty.equals(propertyName); + } + + public boolean equalsSystemPropertyName(String propertyName) { + return (propertyName == null) ? false : systemProperty.equals(propertyName); + } + + public String apiProperty() { + return apiProperty; + } + + String systemProperty() { + return systemProperty; + } + + int defaultValue() { + return defaultValue; + } + + int secureValue() { + return secureValue; + } + } + + /** + * Map old property names with the new ones + */ + public static enum NameMap { + + ENTITY_EXPANSION_LIMIT(XalanConstants.SP_ENTITY_EXPANSION_LIMIT, + XalanConstants.ENTITY_EXPANSION_LIMIT), + MAX_OCCUR_NODE_LIMIT(XalanConstants.SP_MAX_OCCUR_LIMIT, + XalanConstants.MAX_OCCUR_LIMIT), + ELEMENT_ATTRIBUTE_LIMIT(XalanConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, + XalanConstants.ELEMENT_ATTRIBUTE_LIMIT); + final String newName; + final String oldName; + + NameMap(String newName, String oldName) { + this.newName = newName; + this.oldName = oldName; + } + + String getOldName(String newName) { + if (newName.equals(this.newName)) { + return oldName; + } + return null; + } + } + /** + * Values of the properties + */ + private final int[] values; + /** + * States of the settings for each property + */ + private State[] states; + /** + * States that determine if properties are set explicitly + */ + private boolean[] isSet; + + + /** + * Index of the special entityCountInfo property + */ + private int indexEntityCountInfo = 10000; + private String printEntityCountInfo = ""; + + /** + * Default constructor. Establishes default values for known security + * vulnerabilities. + */ + public XMLSecurityManager() { + this(false); + } + + /** + * Instantiate Security Manager in accordance with the status of + * secure processing + * @param secureProcessing + */ + public XMLSecurityManager(boolean secureProcessing) { + values = new int[Limit.values().length]; + states = new State[Limit.values().length]; + isSet = new boolean[Limit.values().length]; + for (Limit limit : Limit.values()) { + if (secureProcessing) { + values[limit.ordinal()] = limit.secureValue(); + states[limit.ordinal()] = State.FSP; + } else { + values[limit.ordinal()] = limit.defaultValue(); + states[limit.ordinal()] = State.DEFAULT; + } + } + //read system properties or jaxp.properties + readSystemProperties(); + } + + /** + * Setting FEATURE_SECURE_PROCESSING explicitly + */ + public void setSecureProcessing(boolean secure) { + for (Limit limit : Limit.values()) { + if (secure) { + setLimit(limit.ordinal(), State.FSP, limit.secureValue()); + } else { + setLimit(limit.ordinal(), State.FSP, limit.defaultValue()); + } + } + } + + /** + * Set limit by property name and state + * @param propertyName property name + * @param state the state of the property + * @param value the value of the property + * @return true if the property is managed by the security manager; false + * if otherwise. + */ + public boolean setLimit(String propertyName, State state, Object value) { + int index = getIndex(propertyName); + if (index > -1) { + setLimit(index, state, value); + return true; + } + return false; + } + + /** + * Set the value for a specific limit. + * + * @param limit the limit + * @param state the state of the property + * @param value the value of the property + */ + public void setLimit(Limit limit, State state, int value) { + setLimit(limit.ordinal(), state, value); + } + + /** + * Set the value of a property by its index + * + * @param index the index of the property + * @param state the state of the property + * @param value the value of the property + */ + public void setLimit(int index, State state, Object value) { + if (index == indexEntityCountInfo) { + //if it's explicitly set, it's treated as yes no matter the value + printEntityCountInfo = (String)value; + } else { + int temp = 0; + try { + temp = Integer.parseInt((String) value); + if (temp < 0) { + temp = 0; + } + } catch (NumberFormatException e) {} + setLimit(index, state, temp); } + } + + /** + * Set the value of a property by its index + * + * @param index the index of the property + * @param state the state of the property + * @param value the value of the property + */ + public void setLimit(int index, State state, int value) { + if (index == indexEntityCountInfo) { + //if it's explicitly set, it's treated as yes no matter the value + printEntityCountInfo = XalanConstants.JDK_YES; + } else { + //only update if it shall override + if (state.compareTo(states[index]) >= 0) { + values[index] = value; + states[index] = state; + isSet[index] = true; + } + } + } + + + /** + * Return the value of the specified property. + * + * @param propertyName the property name + * @return the value of the property as a string. If a property is managed + * by this manager, its value shall not be null. + */ + public String getLimitAsString(String propertyName) { + int index = getIndex(propertyName); + if (index > -1) { + return getLimitValueByIndex(index); + } + + return null; + } + + /** + * Return the value of a property by its ordinal + * + * @param limit the property + * @return value of a property + */ + public String getLimitValueAsString(Limit limit) { + return Integer.toString(values[limit.ordinal()]); + } + + /** + * Return the value of the specified property + * + * @param limit the property + * @return the value of the property + */ + public int getLimit(Limit limit) { + return values[limit.ordinal()]; + } + + /** + * Return the value of a property by its ordinal + * + * @param index the index of a property + * @return value of a property + */ + public int getLimitByIndex(int index) { + return values[index]; + } + /** + * Return the value of a property by its index + * + * @param index the index of a property + * @return limit of a property as a string + */ + public String getLimitValueByIndex(int index) { + if (index == indexEntityCountInfo) { + return printEntityCountInfo; + } + + return Integer.toString(values[index]); + } + /** + * Return the state of the limit property + * + * @param limit the limit + * @return the state of the limit property + */ + public State getState(Limit limit) { + return states[limit.ordinal()]; + } + + /** + * Return the state of the limit property + * + * @param limit the limit + * @return the state of the limit property + */ + public String getStateLiteral(Limit limit) { + return states[limit.ordinal()].literal(); + } + + /** + * Get the index by property name + * + * @param propertyName property name + * @return the index of the property if found; return -1 if not + */ + public int getIndex(String propertyName) { + for (Limit limit : Limit.values()) { + if (limit.equalsAPIPropertyName(propertyName)) { + //internally, ordinal is used as index + return limit.ordinal(); + } + } + //special property to return entity count info + if (propertyName.equals(XalanConstants.JDK_ENTITY_COUNT_INFO)) { + return indexEntityCountInfo; + } + return -1; + } + + /** + * Indicate if a property is set explicitly + * @param index + * @return + */ + public boolean isSet(int index) { + return isSet[index]; + } + + public boolean printEntityCountInfo() { + return printEntityCountInfo.equals(XalanConstants.JDK_YES); + } + /** + * Read from system properties, or those in jaxp.properties + */ + private void readSystemProperties() { + + for (Limit limit : Limit.values()) { + if (!getSystemProperty(limit, limit.systemProperty())) { + //if system property is not found, try the older form if any + for (NameMap nameMap : NameMap.values()) { + String oldName = nameMap.getOldName(limit.systemProperty()); + if (oldName != null) { + getSystemProperty(limit, oldName); + } + } + } + } + + } + + /** + * Read from system properties, or those in jaxp.properties + * + * @param property the type of the property + * @param sysPropertyName the name of system property + */ + private boolean getSystemProperty(Limit limit, String sysPropertyName) { + try { + String value = SecuritySupport.getSystemProperty(sysPropertyName); + if (value != null && !value.equals("")) { + values[limit.ordinal()] = Integer.parseInt(value); + states[limit.ordinal()] = State.SYSTEMPROPERTY; + return true; + } + + value = SecuritySupport.readJAXPProperty(sysPropertyName); + if (value != null && !value.equals("")) { + values[limit.ordinal()] = Integer.parseInt(value); + states[limit.ordinal()] = State.JAXPDOTPROPERTIES; + return true; + } + } catch (NumberFormatException e) { + //invalid setting + throw new NumberFormatException("Invalid setting for system property: " + limit.systemProperty()); + } + return false; + } +} diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java --- a/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java Fri Oct 11 19:49:44 2013 +0100 @@ -94,6 +94,23 @@ } /** + * Set limit by property name and state + * @param propertyName property name + * @param state the state of the property + * @param value the value of the property + * @return true if the property is managed by the security property manager; + * false if otherwise. + */ + public boolean setValue(String propertyName, State state, Object value) { + int index = getIndex(propertyName); + if (index > -1) { + setValue(index, state, (String)value); + return true; + } + return false; + } + + /** * Set the value for a specific property. * * @param property the property @@ -121,6 +138,22 @@ states[index] = state; } } + + /** + * Return the value of the specified property + * + * @param propertyName the property name + * @return the value of the property as a string + */ + public String getValue(String propertyName) { + int index = getIndex(propertyName); + if (index > -1) { + return getValueByIndex(index); + } + + return null; + } + /** * Return the value of the specified property * diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/xsltc/compiler/Import.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Import.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Import.java Fri Oct 11 19:49:44 2013 +0100 @@ -86,7 +86,7 @@ if (input == null) { docToLoad = SystemIDResolver.getAbsoluteURI(docToLoad, currLoadedDoc); String accessError = SecuritySupport.checkAccess(docToLoad, - xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET), + (String)xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET), XalanConstants.ACCESS_EXTERNAL_ALL); if (accessError != null) { diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/xsltc/compiler/Include.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Include.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Include.java Fri Oct 11 19:49:44 2013 +0100 @@ -87,7 +87,7 @@ if (input == null) { docToLoad = SystemIDResolver.getAbsoluteURI(docToLoad, currLoadedDoc); String accessError = SecuritySupport.checkAccess(docToLoad, - xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET), + (String)xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET), XalanConstants.ACCESS_EXTERNAL_ALL); if (accessError != null) { diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java Fri Oct 11 19:49:44 2013 +0100 @@ -28,6 +28,7 @@ import com.sun.org.apache.xalan.internal.utils.FactoryImpl; import com.sun.org.apache.xalan.internal.utils.ObjectFactory; import com.sun.org.apache.xalan.internal.utils.SecuritySupport; +import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager; import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg; import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodType; import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type; @@ -487,6 +488,20 @@ } final XMLReader reader = parser.getXMLReader(); + try { + XMLSecurityManager securityManager = + (XMLSecurityManager)_xsltc.getProperty(XalanConstants.SECURITY_MANAGER); + for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) { + reader.setProperty(limit.apiProperty(), securityManager.getLimitValueAsString(limit)); + } + if (securityManager.printEntityCountInfo()) { + parser.setProperty(XalanConstants.JDK_ENTITY_COUNT_INFO, XalanConstants.JDK_YES); + } + } catch (SAXException se) { + System.err.println("Warning: " + reader.getClass().getName() + ": " + + se.getMessage()); + } + return(parse(reader, input)); } catch (ParserConfigurationException e) { @@ -565,7 +580,7 @@ } path = SystemIDResolver.getAbsoluteURI(path); String accessError = SecuritySupport.checkAccess(path, - _xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET), + (String)_xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET), XalanConstants.ACCESS_EXTERNAL_ALL); if (accessError != null) { ErrorMsg msg = new ErrorMsg(ErrorMsg.ACCESSING_XSLT_TARGET_ERR, diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java Fri Oct 11 19:49:44 2013 +0100 @@ -44,11 +44,11 @@ import com.sun.org.apache.bcel.internal.classfile.JavaClass; import com.sun.org.apache.xalan.internal.XalanConstants; import com.sun.org.apache.xalan.internal.utils.SecuritySupport; +import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager; import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg; import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Util; import com.sun.org.apache.xml.internal.dtm.DTM; -import com.sun.org.apache.xalan.internal.utils.SecuritySupport; import org.xml.sax.InputSource; import org.xml.sax.XMLReader; @@ -146,6 +146,7 @@ */ private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT; + private XMLSecurityManager _xmlSecurityManager; /** * XSLTC compiler constructor @@ -184,12 +185,14 @@ /** * Return allowed protocols for accessing external stylesheet. */ - public String getProperty(String name) { + public Object getProperty(String name) { if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) { return _accessExternalStylesheet; } else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) { return _accessExternalDTD; + } else if (name.equals(XalanConstants.SECURITY_MANAGER)) { + return _xmlSecurityManager; } return null; } @@ -197,12 +200,14 @@ /** * Set allowed protocols for accessing external stylesheet. */ - public void setProperty(String name, String value) { + public void setProperty(String name, Object value) { if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) { _accessExternalStylesheet = (String)value; } else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) { _accessExternalDTD = (String)value; + } else if (name.equals(XalanConstants.SECURITY_MANAGER)) { + _xmlSecurityManager = (XMLSecurityManager)value; } } diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesHandlerImpl.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesHandlerImpl.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesHandlerImpl.java Fri Oct 11 19:49:44 2013 +0100 @@ -29,7 +29,7 @@ import javax.xml.transform.TransformerException; import javax.xml.transform.URIResolver; import javax.xml.transform.sax.TemplatesHandler; - +import com.sun.org.apache.xalan.internal.XalanConstants; import com.sun.org.apache.xalan.internal.xsltc.compiler.CompilerException; import com.sun.org.apache.xalan.internal.xsltc.compiler.Parser; import com.sun.org.apache.xalan.internal.xsltc.compiler.SourceLoader; @@ -103,6 +103,8 @@ (String)tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)); xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, (String)tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD)); + xsltc.setProperty(XalanConstants.SECURITY_MANAGER, + tfactory.getAttribute(XalanConstants.SECURITY_MANAGER)); if ("true".equals(tfactory.getAttribute(TransformerFactoryImpl.ENABLE_INLINING))) diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Fri Oct 11 19:49:44 2013 +0100 @@ -27,6 +27,7 @@ import com.sun.org.apache.xalan.internal.utils.FactoryImpl; import com.sun.org.apache.xalan.internal.utils.ObjectFactory; import com.sun.org.apache.xalan.internal.utils.SecuritySupport; +import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager; import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property; import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.State; @@ -218,13 +219,13 @@ * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element. */ private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT; - /** * protocols allowed for external DTD references in source file and/or stylesheet. */ private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT; private XMLSecurityPropertyManager _xmlSecurityPropertyMgr; + private XMLSecurityManager _xmlSecurityManager; /** * javax.xml.transform.sax.TransformerFactory implementation. @@ -250,6 +251,9 @@ Property.ACCESS_EXTERNAL_DTD); _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue( Property.ACCESS_EXTERNAL_STYLESHEET); + + //Parser's security manager + _xmlSecurityManager = new XMLSecurityManager(true); } /** @@ -311,11 +315,21 @@ return Boolean.TRUE; else return Boolean.FALSE; + } else if (name.equals(XalanConstants.SECURITY_MANAGER)) { + return _xmlSecurityManager; } - int index = _xmlSecurityPropertyMgr.getIndex(name); - if (index > -1) { - return _xmlSecurityPropertyMgr.getValueByIndex(index); + /** Check to see if the property is managed by the security manager **/ + String propertyValue = (_xmlSecurityManager != null) ? + _xmlSecurityManager.getLimitAsString(name) : null; + if (propertyValue != null) { + return propertyValue; + } else { + propertyValue = (_xmlSecurityPropertyMgr != null) ? + _xmlSecurityPropertyMgr.getValue(name) : null; + if (propertyValue != null) { + return propertyValue; + } } // Throw an exception for all other attributes @@ -419,10 +433,13 @@ } } - int index = _xmlSecurityPropertyMgr.getIndex(name); - if (index > -1) { - _xmlSecurityPropertyMgr.setValue(index, - State.APIPROPERTY, (String)value); + if (_xmlSecurityManager != null && + _xmlSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, value)) { + return; + } + + if (_xmlSecurityPropertyMgr != null && + _xmlSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, value)) { _accessExternalDTD = _xmlSecurityPropertyMgr.getValue( Property.ACCESS_EXTERNAL_DTD); _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue( @@ -473,6 +490,7 @@ throw new TransformerConfigurationException(err.toString()); } _isNotSecureProcessing = !value; + _xmlSecurityManager.setSecureProcessing(value); // set external access restriction when FSP is explicitly set if (value && XalanConstants.IS_JDK8_OR_ABOVE) { @@ -849,6 +867,7 @@ if (!_isNotSecureProcessing) xsltc.setSecureProcessing(true); xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, _accessExternalStylesheet); xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD); + xsltc.setProperty(XalanConstants.SECURITY_MANAGER, _xmlSecurityManager); xsltc.init(); // Set a document loader (for xsl:include/import) if defined diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java Fri Oct 11 19:49:44 2013 +0100 @@ -25,6 +25,7 @@ import com.sun.org.apache.xalan.internal.XalanConstants; import com.sun.org.apache.xalan.internal.utils.FactoryImpl; +import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; @@ -214,6 +215,7 @@ */ private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT; + private XMLSecurityManager _securityManager; /** * A hashtable to store parameters for the identity transform. These * are not needed during the transformation, but we must keep track of @@ -269,8 +271,11 @@ _useServicesMechanism = _tfactory.useServicesMechnism(); _accessExternalStylesheet = (String)_tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET); _accessExternalDTD = (String)_tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD); + _securityManager = (XMLSecurityManager)_tfactory.getAttribute(XalanConstants.SECURITY_MANAGER); _readerManager = XMLReaderManager.getInstance(_useServicesMechanism); _readerManager.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD); + _readerManager.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _isSecureProcessing); + _readerManager.setProperty(XalanConstants.SECURITY_MANAGER, _securityManager); //_isIncremental = tfactory._incremental; } @@ -286,6 +291,7 @@ */ public void setSecureProcessing(boolean flag) { _isSecureProcessing = flag; + _readerManager.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _isSecureProcessing); } /** * Return the state of the services mechanism feature. diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java Fri Oct 11 19:49:44 2013 +0100 @@ -23,6 +23,7 @@ package com.sun.org.apache.xalan.internal.xsltc.trax; +import com.sun.org.apache.xalan.internal.XalanConstants; import java.io.InputStream; import java.io.Reader; @@ -43,6 +44,7 @@ import javax.xml.transform.stream.StreamSource; import com.sun.org.apache.xalan.internal.utils.FactoryImpl; +import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager; import com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC; import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg; @@ -105,6 +107,13 @@ if (reader == null) { try { reader= XMLReaderFactory.createXMLReader(); + try { + reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, + xsltc.isSecureProcessing()); + } catch (SAXNotRecognizedException e) { + System.err.println("Warning: " + reader.getClass().getName() + ": " + + e.getMessage()); + } } catch (Exception e ) { try { @@ -144,6 +153,22 @@ + e.getMessage()); } + try { + XMLSecurityManager securityManager = + (XMLSecurityManager)xsltc.getProperty(XalanConstants.SECURITY_MANAGER); + if (securityManager != null) { + for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) { + reader.setProperty(limit.apiProperty(), + securityManager.getLimitValueAsString(limit)); + } + if (securityManager.printEntityCountInfo()) { + reader.setProperty(XalanConstants.JDK_ENTITY_COUNT_INFO, XalanConstants.JDK_YES); + } + } + } catch (SAXException se) { + System.err.println("Warning: " + reader.getClass().getName() + ": " + + se.getMessage()); + } xsltc.setXMLReader(reader); }catch (SAXNotRecognizedException snre ) { throw new TransformerConfigurationException diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java --- a/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java Fri Oct 11 19:49:44 2013 +0100 @@ -33,6 +33,7 @@ import com.sun.org.apache.xerces.internal.util.PropertyState; import com.sun.org.apache.xerces.internal.util.SymbolTable; import com.sun.org.apache.xerces.internal.utils.ObjectFactory; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler; import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler; @@ -59,6 +60,7 @@ import org.w3c.dom.ls.LSResourceResolver; + /** * Xerces implementation of DOMConfiguration that maintains a table of recognized parameters. * @@ -156,6 +158,9 @@ protected static final String SCHEMA_DV_FACTORY = Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY; + /** Property identifier: Security manager. */ + private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER; + /** Property identifier: Security property manager. */ private static final String XML_SECURITY_PROPERTY_MANAGER = Constants.XML_SECURITY_PROPERTY_MANAGER; @@ -279,6 +284,7 @@ JAXP_SCHEMA_LANGUAGE, DTD_VALIDATOR_FACTORY_PROPERTY, SCHEMA_DV_FACTORY, + SECURITY_MANAGER, XML_SECURITY_PROPERTY_MANAGER }; addRecognizedProperties(recognizedProperties); @@ -313,6 +319,8 @@ fValidationManager = createValidationManager(); setProperty(VALIDATION_MANAGER, fValidationManager); + setProperty(SECURITY_MANAGER, new XMLSecurityManager(true)); + setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, new XMLSecurityPropertyManager()); diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/Constants.java --- a/src/com/sun/org/apache/xerces/internal/impl/Constants.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/impl/Constants.java Fri Oct 11 19:49:44 2013 +0100 @@ -174,8 +174,6 @@ /** JAXP schemaSource language: when used internally may include DTD namespace (DOM) */ public static final String SCHEMA_LANGUAGE = "schemaLanguage"; - public static final String SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ; - /** JAXP Standard property prefix ("http://javax.xml.XMLConstants/property/"). */ public static final String JAXPAPI_PROPERTY_PREFIX = "http://javax.xml.XMLConstants/property/"; @@ -209,6 +207,107 @@ public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8); // + // Implementation limits: corresponding System Properties of the above + // API properties + // + /** + * JDK entity expansion limit; Note that the existing system property + * "entityExpansionLimit" with no prefix is still observed + */ + public static final String JDK_ENTITY_EXPANSION_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "entityExpansionLimit"; + + /** + * JDK element attribute limit; Note that the existing system property + * "elementAttributeLimit" with no prefix is still observed + */ + public static final String JDK_ELEMENT_ATTRIBUTE_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "elementAttributeLimit"; + + /** + * JDK maxOccur limit; Note that the existing system property + * "maxOccurLimit" with no prefix is still observed + */ + public static final String JDK_MAX_OCCUR_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "maxOccurLimit"; + + /** + * JDK total entity size limit + */ + public static final String JDK_TOTAL_ENTITY_SIZE_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "totalEntitySizeLimit"; + + /** + * JDK maximum general entity size limit + */ + public static final String JDK_GENEAL_ENTITY_SIZE_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "maxGeneralEntitySizeLimit"; + /** + * JDK maximum parameter entity size limit + */ + public static final String JDK_PARAMETER_ENTITY_SIZE_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "maxParameterEntitySizeLimit"; + /** + * JDK maximum XML name limit + */ + public static final String JDK_XML_NAME_LIMIT = + ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit"; + /** + * JDK property to allow printing out information from the limit analyzer + */ + public static final String JDK_ENTITY_COUNT_INFO = + ORACLE_JAXP_PROPERTY_PREFIX + "getEntityCountInfo"; + + // + // Implementation limits: API properties + // + /** + * JDK entity expansion limit; Note that the existing system property + * "entityExpansionLimit" with no prefix is still observed + */ + public static final String SP_ENTITY_EXPANSION_LIMIT = "jdk.xml.entityExpansionLimit"; + + /** + * JDK element attribute limit; Note that the existing system property + * "elementAttributeLimit" with no prefix is still observed + */ + public static final String SP_ELEMENT_ATTRIBUTE_LIMIT = "jdk.xml.elementAttributeLimit"; + + /** + * JDK maxOccur limit; Note that the existing system property + * "maxOccurLimit" with no prefix is still observed + */ + public static final String SP_MAX_OCCUR_LIMIT = "jdk.xml.maxOccurLimit"; + + /** + * JDK total entity size limit + */ + public static final String SP_TOTAL_ENTITY_SIZE_LIMIT = "jdk.xml.totalEntitySizeLimit"; + + /** + * JDK maximum general entity size limit + */ + public static final String SP_GENEAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit"; + /** + * JDK maximum parameter entity size limit + */ + public static final String SP_PARAMETER_ENTITY_SIZE_LIMIT = "jdk.xml.maxParameterEntitySizeLimit"; + /** + * JDK maximum XML name limit + */ + public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit"; + + //legacy System Properties + public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit"; + public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ; + public final static String MAX_OCCUR_LIMIT = "maxOccurLimit"; + + /** + * A string "yes" that can be used for properties such as getEntityCountInfo + */ + public static final String JDK_YES = "yes"; + + // // DOM features // @@ -443,7 +542,7 @@ public static final String LOCALE_PROPERTY = "locale"; /** property identifier: security manager. */ - protected static final String SECURITY_MANAGER = + public static final String SECURITY_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; @@ -511,9 +610,6 @@ */ public final static String ATTRIBUTE_DECLARED = "ATTRIBUTE_DECLARED"; - public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit"; - - public final static String MAX_OCCUR_LIMIT = "maxOccurLimit"; /** * {@link org.w3c.dom.TypeInfo} associated with current element/attribute diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java --- a/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java Fri Oct 11 19:49:44 2013 +0100 @@ -25,6 +25,7 @@ package com.sun.org.apache.xerces.internal.impl; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.xml.internal.stream.StaxEntityResolverWrapper; import java.util.HashMap; @@ -50,12 +51,16 @@ private static final String STRING_INTERNING = "http://xml.org/sax/features/string-interning"; + /** Property identifier: Security manager. */ + private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER; + /** Property identifier: Security property manager. */ private static final String XML_SECURITY_PROPERTY_MANAGER = Constants.XML_SECURITY_PROPERTY_MANAGER; HashMap supportedProps = new HashMap(); + private XMLSecurityManager fSecurityManager; private XMLSecurityPropertyManager fSecurityPropertyMgr; public static final int CONTEXT_READER = 1; @@ -82,6 +87,7 @@ HashMap properties = propertyManager.getProperties(); supportedProps.putAll(properties); + fSecurityManager = (XMLSecurityManager)getProperty(SECURITY_MANAGER); fSecurityPropertyMgr = (XMLSecurityPropertyManager)getProperty(XML_SECURITY_PROPERTY_MANAGER); } @@ -124,6 +130,8 @@ supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE, new Boolean(false)); supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_UNDECLARED_ELEMDEF_FEATURE, new Boolean(false)); + fSecurityManager = new XMLSecurityManager(true); + supportedProps.put(SECURITY_MANAGER, fSecurityManager); fSecurityPropertyMgr = new XMLSecurityPropertyManager(); supportedProps.put(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); } @@ -142,6 +150,7 @@ */ public boolean containsProperty(String property){ return supportedProps.containsKey(property) || + (fSecurityManager != null && fSecurityManager.getIndex(property) > -1) || (fSecurityPropertyMgr!=null && fSecurityPropertyMgr.getIndex(property) > -1) ; } @@ -169,12 +178,34 @@ supportedProps.put( Constants.XERCES_PROPERTY_PREFIX + Constants.STAX_ENTITY_RESOLVER_PROPERTY , new StaxEntityResolverWrapper((XMLResolver)value)) ; } - int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(property) : -1; - if (index > -1) { - fSecurityPropertyMgr.setValue(index, - XMLSecurityPropertyManager.State.APIPROPERTY, (String)value); - } else { - supportedProps.put(property, value); + /** + * It's possible for users to set a security manager through the interface. + * If it's the old SecurityManager, convert it to the new XMLSecurityManager + */ + if (property.equals(Constants.SECURITY_MANAGER)) { + fSecurityManager = XMLSecurityManager.convert(value, fSecurityManager); + supportedProps.put(Constants.SECURITY_MANAGER, fSecurityManager); + return; + } + if (property.equals(Constants.XML_SECURITY_PROPERTY_MANAGER)) { + if (value == null) { + fSecurityPropertyMgr = new XMLSecurityPropertyManager(); + } else { + fSecurityPropertyMgr = (XMLSecurityPropertyManager)value; + } + supportedProps.put(Constants.XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr); + return; + } + + //check if the property is managed by security manager + if (fSecurityManager == null || + !fSecurityManager.setLimit(property, XMLSecurityManager.State.APIPROPERTY, value)) { + //check if the property is managed by security property manager + if (fSecurityPropertyMgr == null || + !fSecurityPropertyMgr.setValue(property, XMLSecurityPropertyManager.State.APIPROPERTY, value)) { + //fall back to the existing property manager + supportedProps.put(property, value); + } } if(equivalentProperty != null){ diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/XML11NSDocumentScannerImpl.java --- a/src/com/sun/org/apache/xerces/internal/impl/XML11NSDocumentScannerImpl.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/impl/XML11NSDocumentScannerImpl.java Fri Oct 11 19:49:44 2013 +0100 @@ -108,6 +108,7 @@ * @author Elena Litani, IBM * @author Michael Glavassevich, IBM * @author Sunitha Reddy, Sun Microsystems + * @version $Id: XML11NSDocumentScannerImpl.java,v 1.6 2010-11-01 04:39:40 joehw Exp $ */ public class XML11NSDocumentScannerImpl extends XML11DocumentScannerImpl { @@ -236,7 +237,8 @@ // attributes scanAttribute(fAttributes); - if (fSecurityManager != null && fAttributes.getLength() > fElementAttributeLimit){ + if (fSecurityManager != null && (!fSecurityManager.isNoLimit(fElementAttributeLimit)) && + fAttributes.getLength() > fElementAttributeLimit){ fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN, "ElementAttributeLimit", new Object[]{rawname, new Integer(fElementAttributeLimit) }, diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/XMLDTDScannerImpl.java --- a/src/com/sun/org/apache/xerces/internal/impl/XMLDTDScannerImpl.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/impl/XMLDTDScannerImpl.java Fri Oct 11 19:49:44 2013 +0100 @@ -44,6 +44,8 @@ import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter; import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler; import com.sun.org.apache.xerces.internal.impl.Constants; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; +import com.sun.xml.internal.stream.Entity; /** * This class is responsible for scanning the declarations found @@ -66,7 +68,7 @@ * @author Glenn Marcy, IBM * @author Eric Ye, IBM * - * @version $Id: XMLDTDScannerImpl.java,v 1.7 2007/09/26 12:52:40 ndw Exp $ + * @version $Id: XMLDTDScannerImpl.java,v 1.8 2010-11-01 04:39:41 joehw Exp $ */ public class XMLDTDScannerImpl extends XMLScanner @@ -1545,7 +1547,7 @@ // internal entity if (systemId == null) { - scanEntityValue(fLiteral, fLiteral2); + scanEntityValue(name, isPEDecl, fLiteral, fLiteral2); // since we need it's value anyway, let's snag it so it doesn't get corrupted // if a new load takes place before we store the entity values fStringBuffer.clear(); @@ -1610,7 +1612,7 @@ * the use of scanCharReferenceValue), and fStringBuffer2, anything in them * at the time of calling is lost. */ - protected final void scanEntityValue(XMLString value, + protected final void scanEntityValue(String entityName, boolean isPEDecl, XMLString value, XMLString nonNormalizedValue) throws IOException, XNIException { int quote = fEntityScanner.scanChar(); @@ -1622,10 +1624,20 @@ XMLString literal = fString; XMLString literal2 = fString; + int countChar = 0; + if (fLimitAnalyzer == null && fSecurityManager != null) { + fLimitAnalyzer = fSecurityManager.getLimitAnalyzer(); + fLimitAnalyzer.startEntity(entityName); + } + if (fEntityScanner.scanLiteral(quote, fString) != quote) { fStringBuffer.clear(); fStringBuffer2.clear(); do { + if (isPEDecl && fLimitAnalyzer != null) { + checkLimit("%" + entityName, fString.length + countChar); + } + countChar = 0; fStringBuffer.append(fString); fStringBuffer2.append(fString); if (fEntityScanner.skipChar('&')) { @@ -1685,6 +1697,7 @@ } } else { + countChar++; int c = fEntityScanner.peekChar(); if (XMLChar.isHighSurrogate(c)) { scanSurrogates(fStringBuffer2); @@ -1708,9 +1721,17 @@ fStringBuffer2.append(fString); literal = fStringBuffer; literal2 = fStringBuffer2; + } else { + if (isPEDecl) { + checkLimit("%" + entityName, literal); + } } value.setValues(literal); nonNormalizedValue.setValues(literal2); + if (fLimitAnalyzer != null) { + fLimitAnalyzer.endEntity(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT, entityName); + } + if (!fEntityScanner.skipChar(quote)) { reportFatalError("CloseQuoteMissingInDecl", null); } @@ -2126,6 +2147,43 @@ //new SymbolTable()); } + /** + * Add the count of the content buffer and check if the accumulated + * value exceeds the limit + * @param entityName entity name + * @param buffer content buffer + */ + private void checkLimit(String entityName, XMLString buffer) { + checkLimit(entityName, buffer.length); + } + + /** + * Add the count and check limit + * @param entityName entity name + * @param len length of the buffer + */ + private void checkLimit(String entityName, int len) { + if (fLimitAnalyzer == null) { + fLimitAnalyzer = fSecurityManager.getLimitAnalyzer(); + } + fLimitAnalyzer.addValue(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT, entityName, len); + if (fSecurityManager.isOverLimit(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT)) { + fSecurityManager.debugPrint(); + reportFatalError("MaxEntitySizeLimit", new Object[]{entityName, + fLimitAnalyzer.getValue(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT), + fSecurityManager.getLimit(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT), + fSecurityManager.getStateLiteral(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT)}); + } + if (fSecurityManager.isOverLimit(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT)) { + fSecurityManager.debugPrint(); + reportFatalError("TotalEntitySizeLimit", + new Object[]{fLimitAnalyzer.getTotalValue(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT), + fSecurityManager.getLimit(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT), + fSecurityManager.getStateLiteral(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT)}); + } + + } + public DTDGrammar getGrammar(){ return nvGrammarInfo; } diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java --- a/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java Fri Oct 11 19:49:44 2013 +0100 @@ -50,12 +50,14 @@ import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.impl.Constants; import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler; -import com.sun.org.apache.xerces.internal.util.SecurityManager; import com.sun.org.apache.xerces.internal.util.NamespaceSupport; import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.State; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.NamespaceContext; -import com.sun.xml.internal.stream.Entity; import javax.xml.XMLConstants; import javax.xml.stream.XMLStreamConstants; import javax.xml.stream.events.XMLEvent; @@ -213,11 +215,8 @@ }; private static final char [] cdata = {'[','C','D','A','T','A','['}; + static final char [] xmlDecl = {'<','?','x','m','l'}; private static final char [] endTag = {'<','/'}; - - //this variable is also used by XMLDocumentScannerImpl in the same package - static final char [] xmlDecl = {'<','?','x','m','l'}; - // debugging /** Debug scanner state. */ @@ -316,6 +315,7 @@ protected String fDeclaredEncoding = null; /** Xerces Feature: Disallow doctype declaration. */ protected boolean fDisallowDoctype = false; + /** * comma-delimited list of protocols that are allowed for the purpose * of accessing external dtd or entity references @@ -384,7 +384,6 @@ protected boolean foundBuiltInRefs = false; - protected SecurityManager fSecurityManager = null; //skip element algorithm static final short MAX_DEPTH_LIMIT = 5 ; @@ -571,8 +570,11 @@ // xerces features fReportCdataEvent = componentManager.getFeature(Constants.STAX_REPORT_CDATA_EVENT, true); - fSecurityManager = (SecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null); - fElementAttributeLimit = (fSecurityManager != null)?fSecurityManager.getElementAttrLimit():0; + fSecurityManager = (XMLSecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null); + fLimitAnalyzer = fSecurityManager.getLimitAnalyzer(); + + fElementAttributeLimit = (fSecurityManager != null)? + fSecurityManager.getLimit(XMLSecurityManager.Limit.ELEMENT_ATTRIBUTE_LIMIT):0; fNotifyBuiltInRefs = componentManager.getFeature(NOTIFY_BUILTIN_REFS, false); @@ -598,9 +600,6 @@ //xxx: external entities are supported in Xerces // it would be good to define feature for this case fSupportExternalEntities = true; - fSupportExternalEntities = true; - fSupportExternalEntities = true; - fSupportExternalEntities = true; fReplaceEntityReferences = true; fIsCoalesce = false; @@ -671,6 +670,9 @@ XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER); fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); + + fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(Constants.SECURITY_MANAGER); + fLimitAnalyzer = fSecurityManager.getLimitAnalyzer(); } // reset(XMLComponentManager) /** @@ -1322,7 +1324,8 @@ fAddDefaultAttr = true; do { scanAttribute(fAttributes); - if (fSecurityManager != null && fAttributes.getLength() > fElementAttributeLimit){ + if (fSecurityManager != null && !fSecurityManager.isNoLimit(fElementAttributeLimit) && + fAttributes.getLength() > fElementAttributeLimit){ fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN, "ElementAttributeLimit", new Object[]{rawname, new Integer(fAttributes.getLength()) }, @@ -2036,6 +2039,13 @@ } // getDriverName():String + /** + * Check the protocol used in the systemId against allowed protocols + * + * @param systemId the Id of the URI + * @param allowedProtocols a list of allowed protocols separated by comma + * @return the name of the protocol if rejected, null otherwise + */ String checkAccess(String systemId, String allowedProtocols) throws IOException { String baseSystemId = fEntityScanner.getBaseSystemId(); String expandedSystemId = fEntityManager.expandSystemId(systemId, baseSystemId,fStrictURI); @@ -2833,6 +2843,8 @@ if(DEBUG){ System.out.println("NOT USING THE BUFFER, STRING = " + fTempString.toString()); } + //check limit before returning event + checkLimit(fContentBuffer); if(dtdGrammarUtil!= null && dtdGrammarUtil.isIgnorableWhiteSpace(fContentBuffer)){ if(DEBUG)System.out.println("Return SPACE EVENT"); return XMLEvent.SPACE; @@ -2931,6 +2943,8 @@ fLastSectionWasCharacterData = true ; continue; }else{ + //check limit before returning event + checkLimit(fContentBuffer); if(dtdGrammarUtil!= null && dtdGrammarUtil.isIgnorableWhiteSpace(fContentBuffer)){ if(DEBUG)System.out.println("Return SPACE EVENT"); return XMLEvent.SPACE; @@ -3141,6 +3155,30 @@ } //while loop }//next + /** + * Add the count of the content buffer and check if the accumulated + * value exceeds the limit + * @param buffer content buffer + */ + protected void checkLimit(XMLStringBuffer buffer) { + if (fLimitAnalyzer.isTracking(fCurrentEntityName)) { + fLimitAnalyzer.addValue(Limit.GENEAL_ENTITY_SIZE_LIMIT, fCurrentEntityName, buffer.length); + if (fSecurityManager.isOverLimit(Limit.GENEAL_ENTITY_SIZE_LIMIT)) { + fSecurityManager.debugPrint(); + reportFatalError("MaxEntitySizeLimit", new Object[]{fCurrentEntityName, + fLimitAnalyzer.getValue(Limit.GENEAL_ENTITY_SIZE_LIMIT), + fSecurityManager.getLimit(Limit.GENEAL_ENTITY_SIZE_LIMIT), + fSecurityManager.getStateLiteral(Limit.GENEAL_ENTITY_SIZE_LIMIT)}); + } + if (fSecurityManager.isOverLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT)) { + fSecurityManager.debugPrint(); + reportFatalError("TotalEntitySizeLimit", + new Object[]{fLimitAnalyzer.getTotalValue(Limit.TOTAL_ENTITY_SIZE_LIMIT), + fSecurityManager.getLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT), + fSecurityManager.getStateLiteral(Limit.TOTAL_ENTITY_SIZE_LIMIT)}); + } + } + } // // Protected methods diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java --- a/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java Fri Oct 11 19:49:44 2013 +0100 @@ -28,9 +28,10 @@ import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler; import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager; import com.sun.org.apache.xerces.internal.util.*; -import com.sun.org.apache.xerces.internal.util.SecurityManager; import com.sun.org.apache.xerces.internal.util.URI; import com.sun.org.apache.xerces.internal.utils.SecuritySupport; +import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager; import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier; @@ -174,7 +175,6 @@ /** access external dtd: file protocol */ static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT; - // recognized features and properties /** Recognized features. */ @@ -307,6 +307,7 @@ /** used to restrict external access */ protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT; + // settings /** @@ -324,9 +325,12 @@ */ protected int fBufferSize = DEFAULT_BUFFER_SIZE; - // stores defaults for entity expansion limit if it has - // been set on the configuration. - protected SecurityManager fSecurityManager = null; + /** Security Manager */ + protected XMLSecurityManager fSecurityManager = null; + + protected XMLLimitAnalyzer fLimitAnalyzer = null; + + protected int entityExpansionIndex; /** * True if the document entity is standalone. This should really @@ -352,10 +356,6 @@ /** XML 1.1 entity scanner. */ protected XMLEntityScanner fXML11EntityScanner; - /** entity expansion limit (contains useful data if and only if - fSecurityManager is non-null) */ - protected int fEntityExpansionLimit = 0; - /** count of entities expanded: */ protected int fEntityExpansionCount = 0; @@ -833,6 +833,9 @@ fCurrentEntity.setEncodingExternallySpecified(encodingExternallySpecified); fEntityScanner.setCurrentEntity(fCurrentEntity); fResourceIdentifier.setValues(publicId, literalSystemId, baseSystemId, expandedSystemId); + if (fLimitAnalyzer != null) { + fLimitAnalyzer.startEntity(name); + } return encoding; } //setupCurrentEntity(String, XMLInputSource, boolean, boolean): String @@ -1294,10 +1297,13 @@ //expansions exceeds the entity expansion limit, parser will throw fatal error. // Note that this represents the nesting level of open entities. fEntityExpansionCount++; - if( fSecurityManager != null && fEntityExpansionCount > fEntityExpansionLimit ){ - fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN, - "EntityExpansionLimitExceeded", - new Object[]{new Integer(fEntityExpansionLimit) }, + if(fLimitAnalyzer != null) { + fLimitAnalyzer.addValue(entityExpansionIndex, name, 1); + } + if( fSecurityManager != null && fSecurityManager.isOverLimit(entityExpansionIndex)){ + fSecurityManager.debugPrint(); + fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,"EntityExpansionLimitExceeded", + new Object[]{fSecurityManager.getLimitValueByIndex(entityExpansionIndex)}, XMLErrorReporter.SEVERITY_FATAL_ERROR ); // is there anything better to do than reset the counter? // at least one can envision debugging applications where this might @@ -1361,6 +1367,12 @@ if(fCurrentEntity != null){ //close the reader try{ + if (fLimitAnalyzer != null) { + fLimitAnalyzer.endEntity(XMLSecurityManager.Limit.GENEAL_ENTITY_SIZE_LIMIT, fCurrentEntity.name); + if (fCurrentEntity.name.equals("[xml]")) { + fSecurityManager.debugPrint(); + } + } fCurrentEntity.close(); }catch(IOException ex){ throw new XNIException(ex); @@ -1426,6 +1438,9 @@ XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER); fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); + fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(SECURITY_MANAGER); + fLimitAnalyzer = fSecurityManager.getLimitAnalyzer(); + // initialize state //fStandalone = false; fEntities.clear(); @@ -1485,7 +1500,9 @@ fEntityResolver = (XMLEntityResolver)componentManager.getProperty(ENTITY_RESOLVER, null); fStaxEntityResolver = (StaxEntityResolverWrapper)componentManager.getProperty(STAX_ENTITY_RESOLVER, null); fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null); - fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null); + fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER, null); + fLimitAnalyzer = fSecurityManager.getLimitAnalyzer(); + entityExpansionIndex = fSecurityManager.getIndex(Constants.JDK_ENTITY_EXPANSION_LIMIT); // JAXP 1.5 feature XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null); @@ -1506,7 +1523,6 @@ // a class acting as a component manager but not // implementing that interface for whatever reason. public void reset() { - fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0; // initialize state fStandalone = false; @@ -1642,8 +1658,8 @@ } if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() && propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) { - fSecurityManager = (SecurityManager)value; - fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0; + fSecurityManager = (XMLSecurityManager)value; + fLimitAnalyzer = fSecurityManager.getLimitAnalyzer(); } } @@ -1652,9 +1668,8 @@ { XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value; fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD); + } } - } - /** * Returns a list of property identifiers that are recognized by * this component. This method may return null if no properties diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java --- a/src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java Fri Oct 11 19:49:44 2013 +0100 @@ -58,6 +58,7 @@ * @author Neeraj Bajaj, Sun Microsystems * @author Venugopal Rao K, Sun Microsystems * @author Elena Litani, IBM + * @version $Id: XMLNSDocumentScannerImpl.java,v 1.11 2010-11-01 04:39:41 joehw Exp $ */ public class XMLNSDocumentScannerImpl extends XMLDocumentScannerImpl { @@ -251,7 +252,8 @@ do { scanAttribute(fAttributes); - if (fSecurityManager != null && fAttributes.getLength() > fElementAttributeLimit){ + if (fSecurityManager != null && (!fSecurityManager.isNoLimit(fElementAttributeLimit)) && + fAttributes.getLength() > fElementAttributeLimit){ fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN, "ElementAttributeLimit", new Object[]{rawname, new Integer(fAttributes.getLength()) }, diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java --- a/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java Thu Oct 10 21:22:52 2013 -0700 +++ b/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java Fri Oct 11 19:49:44 2013 +0100 @@ -32,6 +32,8 @@ import com.sun.org.apache.xerces.internal.util.XMLChar; import com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl; import com.sun.org.apache.xerces.internal.util.XMLStringBuffer; +import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer; +import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager; import com.sun.org.apache.xerces.internal.xni.Augmentations; import com.sun.org.apache.xerces.internal.xni.XMLAttributes; import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier; @@ -106,6 +108,9 @@ protected static final String ENTITY_MANAGER = Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_MANAGER_PROPERTY; + /** Property identifier: Security manager. */ + private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER; + // debugging /** Debug attribute normalization. */ @@ -159,6 +164,12 @@ /** xxx this should be available from EntityManager Entity storage */ protected XMLEntityStorage fEntityStore = null ; + /** Security manager. */ + protected XMLSecurityManager fSecurityManager = null; + + /** Limit analyzer. */ + protected XMLLimitAnalyzer fLimitAnalyzer = null; + // protected data /** event type */ @@ -256,6 +267,7 @@ fSymbolTable = (SymbolTable)componentManager.getProperty(SYMBOL_TABLE); fErrorReporter = (XMLErrorReporter)componentManager.getProperty(ERROR_REPORTER); fEntityManager = (XMLEntityManager)componentManager.getProperty(ENTITY_MANAGER); + fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER); //this step is extra because we have separated the storage of entity fEntityStore = fEntityManager.getEntityStore() ; @@ -293,6 +305,10 @@ fEntityManager = (XMLEntityManager)value; } } + + if (propertyId.equals(SECURITY_MANAGER)) { + fSecurityManager = (XMLSecurityManager)value; + } /*else if(propertyId.equals(Constants.STAX_PROPERTIES)){ fStaxProperties = (HashMap)value; //TODO::discuss with neeraj what are his thoughts on passing properties. @@ -352,6 +368,8 @@ fEntityManager = (XMLEntityManager)propertyManager.getProperty(ENTITY_MANAGER); fEntityStore = fEntityManager.getEntityStore() ; fEntityScanner = (XMLEntityScanner)fEntityManager.getEntityScanner() ; + fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(SECURITY_MANAGER); + //fEntityManager.reset(); // DTD preparsing defaults: fValidation = false; @@ -499,7 +517,7 @@ reportFatalError("SDDeclInvalid", new Object[] {standalone}); } } else { - reportFatalError("EncodingDeclRequired", null); + reportFatalError("SDDeclNameInvalid", null); } break; } @@ -510,8 +528,9 @@ sawSpace = fEntityScanner.skipSpaces(); } // restore original literal value - if(currLiteral) + if(currLiteral) { currEnt.literal = true; + } // REVISIT: should we remove this error reporting? if (scanningTextDecl && state != STATE_DONE) { reportFatalError("MorePseudoAttributes", null); @@ -564,7 +583,7 @@ XMLString value) throws IOException, XNIException { - String name = fEntityScanner.scanName(); + String name = scanPseudoAttributeName(); // XMLEntityManager.print(fEntityManager.getCurrentEntity()); if (name == null) { @@ -617,6 +636,35 @@ } // scanPseudoAttribute(XMLString):String /** + * Scans the name of a pseudo attribute. The only legal names + * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'. + * + * @return the name of the pseudo attribute or null + * if a legal pseudo attribute name could not be scanned. + */ + private String scanPseudoAttributeName() throws IOException, XNIException { + final int ch = fEntityScanner.peekChar(); + switch (ch) { + case 'v': + if (fEntityScanner.skipString(fVersionSymbol)) { + return fVersionSymbol; + } + break; + case 'e': + if (fEntityScanner.skipString(fEncodingSymbol)) { + return fEncodingSymbol; + } + break; + case 's': + if (fEntityScanner.skipString(fStandaloneSymbol)) { + return fStandaloneSymbol; + } + break; + } + return null; + } // scanPseudoAttributeName() + + /** * Scans a processing instruction. *

    * 

    diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Fri Oct 11 19:49:44 2013 +0100
@@ -44,6 +44,7 @@
         
 # 2.9 Standalone Document Declaration
         SDDeclInvalid = The standalone document declaration value must be \"yes\" or \"no\", not \"{0}\".
+        SDDeclNameInvalid = The standalone name in XML declaration may be misspelled.
 # 2.12 Language Identification
         XMLLangInvalid = The xml:lang attribute value \"{0}\" is an invalid language identifier.
 # 3. Logical Structures
@@ -292,8 +293,10 @@
         InvalidCharInLiteral=InvalidCharInLiteral
 
 
-#Application can set the limit of number of entities that should be expanded by the parser.
-EntityExpansionLimitExceeded=The parser has encountered more than \"{0}\" entity expansions in this document; this is the limit imposed by the application.
+# Implementation limits
+        EntityExpansionLimitExceeded=JAXP00010001: The parser has encountered more than \"{0}\" entity expansions in this document; this is the limit imposed by the JDK.
+        ElementAttributeLimit=JAXP00010002:  Element \"{0}\" has more than \"{1}\" attributes, \"{1}\" is the limit imposed by the JDK.
+        MaxEntitySizeLimit=JAXP00010003: The length of entity \"{0}\" is \"{1}\" that exceeds the \"{2}\" limit set by \"{3}\".
+        TotalEntitySizeLimit=JAXP00010004: The accumulated size \"{0}\" of entities exceeded the \"{1}\" limit set by \"{2}\".
+        MaxXMLNameLimit=JAXP00010005: The name \"{0}\" exceeded the \"{1}\" limit set by \"{2}\".
 
-# Application can set the limit of number of attributes of entity that should be expanded by the parser.
-ElementAttributeLimit= Element \"{0}\" has more than \"{1}\" attributes, \"{1}\" is the limit imposed by the application.
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java	Fri Oct 11 19:49:44 2013 +0100
@@ -21,13 +21,13 @@
 
 package com.sun.org.apache.xerces.internal.impl.xs.models;
 
+import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager ;
 import com.sun.org.apache.xerces.internal.impl.dtd.models.CMNode;
+import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
+import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
-import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
-import com.sun.org.apache.xerces.internal.impl.Constants;
 
 /**
  *
@@ -68,7 +68,7 @@
 
     // stores defaults for different security holes (maxOccurLimit in current context) if it has
     // been set on the configuration.
-    private SecurityManager fSecurityManager = null;
+    private XMLSecurityManager fSecurityManager = null;
 
     /** default constructor */
     public CMNodeFactory() {
@@ -77,10 +77,10 @@
     public void reset(XMLComponentManager componentManager){
         fErrorReporter = (XMLErrorReporter)componentManager.getProperty(ERROR_REPORTER);
         try {
-            fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER);
+            fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER);
             //we are setting the limit of number of nodes to 3times the maxOccur value..
             if(fSecurityManager != null){
-                maxNodeLimit = fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY ;
+                maxNodeLimit = fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY ;
             }
         }
         catch (XMLConfigurationException e) {
@@ -109,7 +109,8 @@
     }
 
     public void nodeCountCheck(){
-        if( fSecurityManager != null && nodeCount++ > maxNodeLimit){
+        if( fSecurityManager != null && !fSecurityManager.isNoLimit(maxNodeLimit) &&
+                nodeCount++ > maxNodeLimit){
             if(DEBUG){
                 System.out.println("nodeCount = " + nodeCount ) ;
                 System.out.println("nodeLimit = " + maxNodeLimit ) ;
@@ -150,8 +151,9 @@
 
             if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
                 propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
-                fSecurityManager = (SecurityManager)value;
-                maxNodeLimit = (fSecurityManager != null) ? fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY : 0 ;
+                fSecurityManager = (XMLSecurityManager)value;
+                maxNodeLimit = (fSecurityManager != null) ?
+                        fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY : 0 ;
                 return;
             }
             if (suffixLength == Constants.ERROR_REPORTER_PROPERTY.length() &&
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java	Fri Oct 11 19:49:44 2013 +0100
@@ -40,6 +40,7 @@
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLChar;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xs.XSConstants;
 import java.util.HashMap;
@@ -1194,8 +1195,8 @@
                     if (!optimize) {
                     //Revisit :: IMO this is not right place to check
                     // maxOccurNodeLimit.
-                    int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getMaxOccurNodeLimit();
-                    if (max > maxOccurNodeLimit) {
+                    int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT);
+                    if (max > maxOccurNodeLimit && !fSchemaHandler.fSecureProcessing.isNoLimit(maxOccurNodeLimit)) {
                         reportSchemaFatalError("maxOccurLimit", new Object[] {new Integer(maxOccurNodeLimit)}, element);
 
                         // reset max values in case processing continues on error
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Fri Oct 11 19:49:44 2013 +0100
@@ -70,7 +70,6 @@
 import com.sun.org.apache.xerces.internal.util.DefaultErrorHandler;
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXInputSource;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.StAXLocationWrapper;
 import com.sun.org.apache.xerces.internal.util.SymbolHash;
@@ -79,6 +78,7 @@
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -257,7 +257,7 @@
      *
      * 
    Protected to allow access by any traverser.
    
      */
-    protected SecurityManager fSecureProcessing = null;
+    protected XMLSecurityManager fSecureProcessing = null;
 
     private String fAccessExternalSchema;
     private String fAccessExternalDTD;
@@ -3509,7 +3509,7 @@
 
         fSecureProcessing = null;
         if( componentManager!=null ) {
-            fSecureProcessing = (SecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
+            fSecureProcessing = (XMLSecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
         }
 
         //set entity resolver
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -36,7 +36,7 @@
 import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.parsers.DOMParser;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State;
@@ -46,7 +46,6 @@
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
-import javax.xml.XMLConstants;
 import org.w3c.dom.DOMImplementation;
 import org.w3c.dom.Document;
 import org.xml.sax.EntityResolver;
@@ -125,6 +124,7 @@
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private XMLSecurityManager fSecurityManager;
     private XMLSecurityPropertyManager fSecurityPropertyMgr;
 
     DocumentBuilderImpl(DocumentBuilderFactoryImpl dbf, Hashtable dbfAttrs, Hashtable features)
@@ -173,10 +173,10 @@
         fSecurityPropertyMgr = new XMLSecurityPropertyManager();
         domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
 
-        // If the secure processing feature is on set a security manager.
+        fSecurityManager = new XMLSecurityManager(secureProcessing);
+        domParser.setProperty(SECURITY_MANAGER, fSecurityManager);
+
         if (secureProcessing) {
-            domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
-
             /**
              * If secure processing is explicitly set on the factory, the
              * access properties will be set unless the corresponding
@@ -250,9 +250,9 @@
                 String feature = (String) entry.getKey();
                 boolean value = ((Boolean) entry.getValue()).booleanValue();
                 domParser.setFeature(feature, value);
-            }
         }
     }
+    }
 
     /**
      * Set any DocumentBuilderFactory attributes of our underlying DOMParser
@@ -303,14 +303,17 @@
                         }
                      }
                   } else {
-                    int index = fSecurityPropertyMgr.getIndex(name);
-                    if (index > -1) {
-                        fSecurityPropertyMgr.setValue(index,
-                                XMLSecurityPropertyManager.State.APIPROPERTY, (String)val);
-                    } else {
-                        // Let Xerces code handle the property
-                        domParser.setProperty(name, val);
-                    }
+                     //check if the property is managed by security manager
+                     if (fSecurityManager == null ||
+                             !fSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, val)) {
+                         //check if the property is managed by security property manager
+                         if (fSecurityPropertyMgr == null ||
+                                 !fSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, val)) {
+                             //fall back to the existing property manager
+                             domParser.setProperty(name, val);
+                         }
+                     }
+
                   }
              }
         }
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -34,9 +34,9 @@
 import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -112,6 +112,7 @@
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private final XMLSecurityManager fSecurityManager;
     private final XMLSecurityPropertyManager fSecurityPropertyMgr;
 
     /**
@@ -130,10 +131,10 @@
     SAXParserImpl(SAXParserFactoryImpl spf, Hashtable features, boolean secureProcessing)
         throws SAXException
     {
+        fSecurityManager = new XMLSecurityManager(secureProcessing);
         fSecurityPropertyMgr = new XMLSecurityPropertyManager();
-
         // Instantiate a SAXParser directly and not through SAX so that we use the right ClassLoader
-        xmlReader = new JAXPSAXParser(this, fSecurityPropertyMgr);
+        xmlReader = new JAXPSAXParser(this, fSecurityPropertyMgr, fSecurityManager);
 
         // JAXP "namespaceAware" == SAX Namespaces feature
         // Note: there is a compatibility problem here with default values:
@@ -154,9 +155,9 @@
 
         xmlReader.setProperty0(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
 
-        // If the secure processing feature is on set a security manager.
+        xmlReader.setProperty0(SECURITY_MANAGER, fSecurityManager);
+
         if (secureProcessing) {
-            xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
             /**
              * By default, secure processing is set, no external access is allowed.
              * However, we need to check if it is actively set on the factory since we
@@ -164,6 +165,7 @@
              * the default value
              */
             if (features != null) {
+
                 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
                 if (temp != null) {
                     boolean value = ((Boolean) temp).booleanValue();
@@ -398,28 +400,42 @@
         private final HashMap fInitFeatures = new HashMap();
         private final HashMap fInitProperties = new HashMap();
         private final SAXParserImpl fSAXParser;
+        private XMLSecurityManager fSecurityManager;
         private XMLSecurityPropertyManager fSecurityPropertyMgr;
 
 
         public JAXPSAXParser() {
-            this(null, null);
+            this(null, null, null);
         }
 
-        JAXPSAXParser(SAXParserImpl saxParser, XMLSecurityPropertyManager spm) {
+        JAXPSAXParser(SAXParserImpl saxParser, XMLSecurityPropertyManager securityPropertyMgr,
+                XMLSecurityManager securityManager) {
             super();
             fSAXParser = saxParser;
-            fSecurityPropertyMgr = spm;
-
+            fSecurityManager = securityManager;
+            fSecurityPropertyMgr = securityPropertyMgr;
             /**
              * This class may be used directly. So initialize the security manager if
              * it is null.
              */
+            if (fSecurityManager == null) {
+                fSecurityManager = new XMLSecurityManager(true);
+                try {
+                    super.setProperty(SECURITY_MANAGER, fSecurityManager);
+                } catch (SAXException e) {
+                    throw new UnsupportedOperationException(
+                    SAXMessageFormatter.formatMessage(fConfiguration.getLocale(),
+                    "property-not-recognized", new Object [] {SECURITY_MANAGER}), e);
+                }
+            }
             if (fSecurityPropertyMgr == null) {
                 fSecurityPropertyMgr = new XMLSecurityPropertyManager();
                 try {
                     super.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
-                } catch (Exception ex) {
-                    //shall not happen
+                } catch (SAXException e) {
+                    throw new UnsupportedOperationException(
+                    SAXMessageFormatter.formatMessage(fConfiguration.getLocale(),
+                    "property-not-recognized", new Object [] {SECURITY_MANAGER}), e);
                 }
             }
         }
@@ -437,7 +453,8 @@
             }
             if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
                 try {
-                    setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+                    fSecurityManager.setSecureProcessing(value);
+                    setProperty(SECURITY_MANAGER, fSecurityManager);
                 }
                 catch (SAXNotRecognizedException exc) {
                     // If the property is not supported
@@ -473,13 +490,7 @@
                 throw new NullPointerException();
             }
             if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
-                try {
-                    return (super.getProperty(SECURITY_MANAGER) != null);
-                }
-                // If the property is not supported the value must be false.
-                catch (SAXException exc) {
-                    return false;
-                }
+                return fSecurityManager.isSecureProcessing();
             }
             return super.getFeature(name);
         }
@@ -558,17 +569,21 @@
             if (fSAXParser != null && fSAXParser.fSchemaValidator != null) {
                 setSchemaValidatorProperty(name, value);
             }
-            /** Check to see if the property is managed by the property manager **/
-            int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(name) : -1;
-            if (index > -1) {
-                fSecurityPropertyMgr.setValue(index,
-                        XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
-            } else {
-                if (!fInitProperties.containsKey(name)) {
-                    fInitProperties.put(name, super.getProperty(name));
+
+            //check if the property is managed by security manager
+            if (fSecurityManager == null ||
+                    !fSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, value)) {
+                //check if the property is managed by security property manager
+                if (fSecurityPropertyMgr == null ||
+                        !fSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, value)) {
+                    //fall back to the existing property manager
+                    if (!fInitProperties.containsKey(name)) {
+                        fInitProperties.put(name, super.getProperty(name));
+                    }
+                    super.setProperty(name, value);
                 }
-                super.setProperty(name, value);
             }
+
         }
 
         public synchronized Object getProperty(String name)
@@ -581,9 +596,18 @@
                 // JAXP 1.2 support
                 return fSAXParser.schemaLanguage;
             }
-            int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(name) : -1;
-            if (index > -1) {
-                return fSecurityPropertyMgr.getValueByIndex(index);
+
+            /** Check to see if the property is managed by the security manager **/
+            String propertyValue = (fSecurityManager != null) ?
+                    fSecurityManager.getLimitAsString(name) : null;
+            if (propertyValue != null) {
+                return propertyValue;
+            } else {
+                propertyValue = (fSecurityPropertyMgr != null) ?
+                    fSecurityPropertyMgr.getValue(name) : null;
+                if (propertyValue != null) {
+                    return propertyValue;
+                }
             }
 
             return super.getProperty(name);
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/jaxp/validation/StAXValidatorHelper.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/StAXValidatorHelper.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/StAXValidatorHelper.java	Fri Oct 11 19:49:44 2013 +0100
@@ -26,6 +26,7 @@
 package com.sun.org.apache.xerces.internal.jaxp.validation;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import java.io.IOException;
 
 import javax.xml.transform.Result;
@@ -73,6 +74,19 @@
                     SAXTransformerFactory tf = fComponentManager.getFeature(Constants.ORACLE_FEATURE_SERVICE_MECHANISM) ?
                                     (SAXTransformerFactory)SAXTransformerFactory.newInstance()
                                     : (SAXTransformerFactory) TransformerFactory.newInstance(DEFAULT_TRANSFORMER_IMPL, StAXValidatorHelper.class.getClassLoader());
+                    XMLSecurityManager securityManager = (XMLSecurityManager)fComponentManager.getProperty(Constants.SECURITY_MANAGER);
+                    if (securityManager != null) {
+                        for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
+                            if (securityManager.isSet(limit.ordinal())){
+                                tf.setAttribute(limit.apiProperty(),
+                                        securityManager.getLimitValueAsString(limit));
+                            }
+                        }
+                        if (securityManager.printEntityCountInfo()) {
+                            tf.setAttribute(Constants.JDK_ENTITY_COUNT_INFO, "yes");
+                        }
+                    }
+
                     identityTransformer1 = tf.newTransformer();
                     identityTransformer2 = tf.newTransformerHandler();
                 } catch (TransformerConfigurationException e) {
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Fri Oct 11 19:49:44 2013 +0100
@@ -20,28 +20,27 @@
 
 package com.sun.org.apache.xerces.internal.jaxp.validation;
 
-import java.lang.ref.SoftReference;
-import java.io.IOException;
-
-import javax.xml.transform.Result;
-import javax.xml.transform.Source;
-import javax.xml.transform.sax.SAXTransformerFactory;
-import javax.xml.transform.sax.TransformerHandler;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.transform.stream.StreamResult;
-import javax.xml.transform.TransformerConfigurationException;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.TransformerFactoryConfigurationError;
-import javax.xml.XMLConstants;
-
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
 import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
 import com.sun.org.apache.xerces.internal.parsers.XML11Configuration;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
+import java.io.IOException;
+import java.lang.ref.SoftReference;
+import javax.xml.XMLConstants;
+import javax.xml.transform.Result;
+import javax.xml.transform.Source;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.sax.SAXTransformerFactory;
+import javax.xml.transform.sax.TransformerHandler;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
 import org.xml.sax.SAXException;
 
 /**
@@ -86,6 +85,11 @@
         Constants.XERCES_PROPERTY_PREFIX + Constants.VALIDATION_MANAGER_PROPERTY;
 
     private static final String DEFAULT_TRANSFORMER_IMPL = "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";
+
+    /** Property id: security manager. */
+    private static final String SECURITY_MANAGER =
+        Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
+
     //
     // Data
     //
@@ -165,6 +169,9 @@
 
     private XMLParserConfiguration initialize() {
         XML11Configuration config = new XML11Configuration();
+        if (fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+            config.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
+        }
         config.setProperty(ENTITY_RESOLVER, fComponentManager.getProperty(ENTITY_RESOLVER));
         config.setProperty(ERROR_HANDLER, fComponentManager.getProperty(ERROR_HANDLER));
         XMLErrorReporter errorReporter = (XMLErrorReporter) fComponentManager.getProperty(ERROR_REPORTER);
@@ -182,6 +189,8 @@
         config.setDTDContentModelHandler(null);
         config.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
                 fComponentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER));
+        config.setProperty(Constants.SECURITY_MANAGER,
+                fComponentManager.getProperty(Constants.SECURITY_MANAGER));
         fConfiguration = new SoftReference(config);
         return config;
     }
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -49,11 +49,11 @@
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -679,10 +679,12 @@
                                     SAXParserFactory.newInstance() : new SAXParserFactoryImpl();
                     spf.setNamespaceAware(true);
                     try {
+                        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+                                fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
                         reader = spf.newSAXParser().getXMLReader();
                         // If this is a Xerces SAX parser, set the security manager if there is one
                         if (reader instanceof com.sun.org.apache.xerces.internal.parsers.SAXParser) {
-                           SecurityManager securityManager = (SecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
+                           XMLSecurityManager securityManager = (XMLSecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
                            if (securityManager != null) {
                                try {
                                    reader.setProperty(SECURITY_MANAGER, securityManager);
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Fri Oct 11 19:49:44 2013 +0100
@@ -41,10 +41,10 @@
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXInputSource;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -79,7 +79,7 @@
     private static final String XMLGRAMMAR_POOL =
         Constants.XERCES_PROPERTY_PREFIX + Constants.XMLGRAMMAR_POOL_PROPERTY;
 
-    /** Property identifier: SecurityManager. */
+    /** Property identifier: XMLSecurityManager. */
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
@@ -108,7 +108,7 @@
     private ErrorHandlerWrapper fErrorHandlerWrapper;
 
     /** The SecurityManager. */
-    private SecurityManager fSecurityManager;
+    private XMLSecurityManager fSecurityManager;
 
     /** The Security property manager. */
     private XMLSecurityPropertyManager fSecurityPropertyMgr;
@@ -141,7 +141,7 @@
         fXMLSchemaLoader.setErrorHandler(fErrorHandlerWrapper);
 
         // Enable secure processing feature by default
-        fSecurityManager = new SecurityManager();
+        fSecurityManager = new XMLSecurityManager(true);
         fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
 
         fSecurityPropertyMgr = new XMLSecurityPropertyManager();
@@ -301,7 +301,7 @@
                     "FeatureNameNull", null));
         }
         if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
-            return (fSecurityManager != null);
+            return (fSecurityManager != null && fSecurityManager.isSecureProcessing());
         }
         try {
             return fXMLSchemaLoader.getFeature(name);
@@ -365,17 +365,15 @@
                         SAXMessageFormatter.formatMessage(null,
                         "jaxp-secureprocessing-feature", null));
             }
+
+            fSecurityManager.setSecureProcessing(value);
             if (value) {
-                fSecurityManager = new SecurityManager();
-
                 if (Constants.IS_JDK8_OR_ABOVE) {
                     fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
                             XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
                     fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
                             XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
                 }
-            } else {
-                fSecurityManager = null;
             }
 
             fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
@@ -410,9 +408,17 @@
                     "ProperyNameNull", null));
         }
         if (name.equals(SECURITY_MANAGER)) {
-            fSecurityManager = (SecurityManager) object;
+            fSecurityManager = XMLSecurityManager.convert(object, fSecurityManager);
             fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
             return;
+        } else if (name.equals(Constants.XML_SECURITY_PROPERTY_MANAGER)) {
+            if (object == null) {
+                fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+            } else {
+                fSecurityPropertyMgr = (XMLSecurityPropertyManager)object;
+            }
+            fXMLSchemaLoader.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+            return;
         }
         else if (name.equals(XMLGRAMMAR_POOL)) {
             throw new SAXNotSupportedException(
@@ -420,12 +426,15 @@
                     "property-not-supported", new Object [] {name}));
         }
         try {
-            int index = fSecurityPropertyMgr.getIndex(name);
-            if (index > -1) {
-                fSecurityPropertyMgr.setValue(index,
-                        XMLSecurityPropertyManager.State.APIPROPERTY, (String)object);
-            } else {
-                fXMLSchemaLoader.setProperty(name, object);
+            //check if the property is managed by security manager
+            if (fSecurityManager == null ||
+                    !fSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, object)) {
+                //check if the property is managed by security property manager
+                if (fSecurityPropertyMgr == null ||
+                        !fSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, object)) {
+                    //fall back to the existing property manager
+                    fXMLSchemaLoader.setProperty(name, object);
+                }
             }
         }
         catch (XMLConfigurationException e) {
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -39,10 +39,10 @@
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
 import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@@ -181,7 +181,7 @@
     private final HashMap fInitProperties = new HashMap();
 
     /** Stores the initial security manager. */
-    private final SecurityManager fInitSecurityManager;
+    private XMLSecurityManager fInitSecurityManager;
 
     /** Stores the initial security property manager. */
     private final XMLSecurityPropertyManager fSecurityPropertyMgr;
@@ -221,12 +221,6 @@
         fComponents.put(ENTITY_RESOLVER, null);
         fComponents.put(ERROR_HANDLER, null);
 
-        if (System.getSecurityManager() != null) {
-            _isSecureMode = true;
-            setProperty(SECURITY_MANAGER, new SecurityManager());
-        } else {
-            fComponents.put(SECURITY_MANAGER, null);
-        }
         fComponents.put(SYMBOL_TABLE, new SymbolTable());
 
         // setup grammar pool
@@ -241,15 +235,21 @@
         addRecognizedParamsAndSetDefaults(fErrorReporter, grammarContainer);
         addRecognizedParamsAndSetDefaults(fSchemaValidator, grammarContainer);
 
-        // if the secure processing feature is set to true, add a security manager to the configuration
-        Boolean secureProcessing = grammarContainer.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
-        if (Boolean.TRUE.equals(secureProcessing)) {
-            fInitSecurityManager = new SecurityManager();
+        boolean secureProcessing = grammarContainer.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
+        if (System.getSecurityManager() != null) {
+            _isSecureMode = true;
+            secureProcessing = true;
         }
-        else {
-            fInitSecurityManager = null;
+
+        fInitSecurityManager = (XMLSecurityManager)
+                grammarContainer.getProperty(SECURITY_MANAGER);
+        if (fInitSecurityManager != null ) {
+            fInitSecurityManager.setSecureProcessing(secureProcessing);
+        } else {
+            fInitSecurityManager = new XMLSecurityManager(secureProcessing);
         }
-        fComponents.put(SECURITY_MANAGER, fInitSecurityManager);
+
+        setProperty(SECURITY_MANAGER, fInitSecurityManager);
 
         //pass on properties set on SchemaFactory
         fSecurityPropertyMgr = (XMLSecurityPropertyManager)
@@ -281,7 +281,7 @@
             return FeatureState.is(fUseGrammarPoolOnly);
         }
         else if (XMLConstants.FEATURE_SECURE_PROCESSING.equals(featureId)) {
-            return FeatureState.is(getProperty(SECURITY_MANAGER) != null);
+            return FeatureState.is(fInitSecurityManager.isSecureProcessing());
         }
         else if (SCHEMA_ELEMENT_DEFAULT.equals(featureId)) {
             return FeatureState.is(true); //pre-condition: VALIDATION and SCHEMA_VALIDATION are always true
@@ -311,7 +311,9 @@
             if (_isSecureMode && !value) {
                 throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING);
             }
-            setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+
+            fInitSecurityManager.setSecureProcessing(value);
+            setProperty(SECURITY_MANAGER, fInitSecurityManager);
 
             if (value && Constants.IS_JDK8_OR_ABOVE) {
                 fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
@@ -390,10 +392,19 @@
             fComponents.put(propertyId, value);
             return;
         }
-        if (!fInitProperties.containsKey(propertyId)) {
-            fInitProperties.put(propertyId, super.getProperty(propertyId));
+        //check if the property is managed by security manager
+        if (fInitSecurityManager == null ||
+                !fInitSecurityManager.setLimit(propertyId, XMLSecurityManager.State.APIPROPERTY, value)) {
+            //check if the property is managed by security property manager
+            if (fSecurityPropertyMgr == null ||
+                    !fSecurityPropertyMgr.setValue(propertyId, XMLSecurityPropertyManager.State.APIPROPERTY, value)) {
+                //fall back to the existing property manager
+                if (!fInitProperties.containsKey(propertyId)) {
+                    fInitProperties.put(propertyId, super.getProperty(propertyId));
+                }
+                super.setProperty(propertyId, value);
+            }
         }
-        super.setProperty(propertyId, value);
     }
 
     /**
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -20,18 +20,15 @@
 
 package com.sun.org.apache.xerces.internal.parsers;
 
-import java.io.IOException;
-import java.util.Locale;
-
 import com.sun.org.apache.xerces.internal.impl.Constants;
-import com.sun.org.apache.xerces.internal.util.Status;
-import com.sun.org.apache.xerces.internal.xs.PSVIProvider;
+import com.sun.org.apache.xerces.internal.util.EntityResolver2Wrapper;
 import com.sun.org.apache.xerces.internal.util.EntityResolverWrapper;
-import com.sun.org.apache.xerces.internal.util.EntityResolver2Wrapper;
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
+import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolHash;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -48,15 +45,17 @@
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
 import com.sun.org.apache.xerces.internal.xs.AttributePSVI;
 import com.sun.org.apache.xerces.internal.xs.ElementPSVI;
+import com.sun.org.apache.xerces.internal.xs.PSVIProvider;
+import java.io.IOException;
+import java.util.Locale;
+import javax.xml.XMLConstants;
 import org.xml.sax.AttributeList;
-import org.xml.sax.Attributes;
 import org.xml.sax.ContentHandler;
 import org.xml.sax.DTDHandler;
 import org.xml.sax.DocumentHandler;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.ErrorHandler;
 import org.xml.sax.InputSource;
-import org.xml.sax.Locator;
 import org.xml.sax.Parser;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXNotRecognizedException;
@@ -131,6 +130,10 @@
     protected static final String DOM_NODE =
         Constants.SAX_PROPERTY_PREFIX + Constants.DOM_NODE_PROPERTY;
 
+    /** Property id: security manager. */
+    private static final String SECURITY_MANAGER =
+        Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
+
     /** Recognized properties. */
     private static final String[] RECOGNIZED_PROPERTIES = {
         LEXICAL_HANDLER,
@@ -1645,19 +1648,13 @@
                 // Drop through and perform default processing
                 //
             }
-
-            //
-            // Xerces Features
-            //
-
-            /*
-            else if (featureId.startsWith(XERCES_FEATURES_PREFIX)) {
-                String feature = featureId.substring(XERCES_FEATURES_PREFIX.length());
-                //
-                // Drop through and perform default processing
-                //
+            else if (featureId.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+                if (state) {
+                    if (fConfiguration.getProperty(SECURITY_MANAGER )==null) {
+                        fConfiguration.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
+                    }
+                }
             }
-            */
 
             //
             // Default handling
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -29,6 +29,7 @@
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
@@ -531,7 +532,54 @@
      */
     public void setProperty(String propertyId, Object value)
         throws SAXNotRecognizedException, SAXNotSupportedException {
+        /**
+         * It's possible for users to set a security manager through the interface.
+         * If it's the old SecurityManager, convert it to the new XMLSecurityManager
+         */
+        if (propertyId.equals(Constants.SECURITY_MANAGER)) {
+            securityManager = XMLSecurityManager.convert(value, securityManager);
+            setProperty0(Constants.SECURITY_MANAGER, securityManager);
+            return;
+        }
+        if (propertyId.equals(Constants.XML_SECURITY_PROPERTY_MANAGER)) {
+            if (value == null) {
+                securityPropertyManager = new XMLSecurityPropertyManager();
+            } else {
+                securityPropertyManager = (XMLSecurityPropertyManager)value;
+            }
+            setProperty0(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
+            return;
+        }
 
+        if (securityManager == null) {
+            securityManager = new XMLSecurityManager(true);
+            setProperty0(Constants.SECURITY_MANAGER, securityManager);
+        }
+
+        if (securityPropertyManager == null) {
+            securityPropertyManager = new XMLSecurityPropertyManager();
+            setProperty0(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
+        }
+        int index = securityPropertyManager.getIndex(propertyId);
+
+        if (index > -1) {
+            /**
+             * this is a direct call to this parser, not a subclass since
+             * internally the support of this property is done through
+             * XMLSecurityPropertyManager
+             */
+            securityPropertyManager.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
+        } else {
+            //check if the property is managed by security manager
+            if (!securityManager.setLimit(propertyId, XMLSecurityManager.State.APIPROPERTY, value)) {
+                //fall back to the default configuration to handle the property
+                setProperty0(propertyId, value);
+            }
+        }
+    }
+
+    public void setProperty0(String propertyId, Object value)
+        throws SAXNotRecognizedException, SAXNotSupportedException {
         try {
             fConfiguration.setProperty(propertyId, value);
         }
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/parsers/DTDConfiguration.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/DTDConfiguration.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/parsers/DTDConfiguration.java	Fri Oct 11 19:49:44 2013 +0100
@@ -185,9 +185,12 @@
     protected static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
-    /** Property identifier: Security property manager. */
-    protected static final String XML_SECURITY_PROPERTY_MANAGER =
-            Constants.XML_SECURITY_PROPERTY_MANAGER;
+      /** Property identifier: Security property manager. */
+      protected static final String XML_SECURITY_PROPERTY_MANAGER =
+              Constants.XML_SECURITY_PROPERTY_MANAGER;
+
+     /** Property identifier: Security manager. */
+     private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
 
     // debugging
 
@@ -334,6 +337,7 @@
             JAXP_SCHEMA_SOURCE,
             JAXP_SCHEMA_LANGUAGE,
             LOCALE,
+            SECURITY_MANAGER,
             XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/parsers/NonValidatingConfiguration.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/NonValidatingConfiguration.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/parsers/NonValidatingConfiguration.java	Fri Oct 11 19:49:44 2013 +0100
@@ -158,9 +158,12 @@
     protected static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
-    /** Property identifier: Security property manager. */
-    protected static final String XML_SECURITY_PROPERTY_MANAGER =
-            Constants.XML_SECURITY_PROPERTY_MANAGER;
+      /** Property identifier: Security property manager. */
+      protected static final String XML_SECURITY_PROPERTY_MANAGER =
+              Constants.XML_SECURITY_PROPERTY_MANAGER;
+
+     /** Property identifier: Security manager. */
+     private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
 
     // debugging
 
@@ -316,6 +319,7 @@
             DATATYPE_VALIDATOR_FACTORY,
             VALIDATION_MANAGER,
             LOCALE,
+            SECURITY_MANAGER,
             XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -22,6 +22,7 @@
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
@@ -76,7 +77,7 @@
         XMLGRAMMAR_POOL,
     };
 
-    XMLSecurityPropertyManager securityPropertyManager;
+
     //
     // Constructors
     //
@@ -130,11 +131,36 @@
      */
     public void setProperty(String name, Object value)
         throws SAXNotRecognizedException, SAXNotSupportedException {
+        /**
+         * It's possible for users to set a security manager through the interface.
+         * If it's the old SecurityManager, convert it to the new XMLSecurityManager
+         */
+        if (name.equals(Constants.SECURITY_MANAGER)) {
+            securityManager = XMLSecurityManager.convert(value, securityManager);
+            super.setProperty(Constants.SECURITY_MANAGER, securityManager);
+            return;
+        }
+        if (name.equals(Constants.XML_SECURITY_PROPERTY_MANAGER)) {
+            if (value == null) {
+                securityPropertyManager = new XMLSecurityPropertyManager();
+            } else {
+                securityPropertyManager = (XMLSecurityPropertyManager)value;
+            }
+            super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
+            return;
+        }
+
+        if (securityManager == null) {
+            securityManager = new XMLSecurityManager(true);
+            super.setProperty(Constants.SECURITY_MANAGER, securityManager);
+        }
+
         if (securityPropertyManager == null) {
             securityPropertyManager = new XMLSecurityPropertyManager();
+            super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
         }
+
         int index = securityPropertyManager.getIndex(name);
-
         if (index > -1) {
             /**
              * this is a direct call to this parser, not a subclass since
@@ -142,9 +168,12 @@
              * XMLSecurityPropertyManager
              */
             securityPropertyManager.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
-            super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
         } else {
-            super.setProperty(name, value);
+            //check if the property is managed by security manager
+            if (!securityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, value)) {
+                //fall back to the default configuration to handle the property
+                super.setProperty(name, value);
+            }
         }
     }
 } // class SAXParser
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java	Fri Oct 11 19:49:44 2013 +0100
@@ -23,8 +23,8 @@
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 
 /**
  * This configuration allows Xerces to behave in a security-conscious manner; that is,
@@ -44,6 +44,7 @@
  *
  * @author Neil Graham, IBM
  *
+ * @version $Id: SecurityConfiguration.java,v 1.6 2010-11-01 04:40:09 joehw Exp $
  */
 public class SecurityConfiguration extends XIncludeAwareParserConfiguration
 {
@@ -107,7 +108,7 @@
         super(symbolTable, grammarPool, parentSettings);
 
         // create the SecurityManager property:
-        setProperty(SECURITY_MANAGER_PROPERTY, new SecurityManager());
+        setProperty(SECURITY_MANAGER_PROPERTY, new XMLSecurityManager(true));
     } // (SymbolTable,XMLGrammarPool)
 
 } // class SecurityConfiguration
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java	Fri Oct 11 19:49:44 2013 +0100
@@ -52,6 +52,7 @@
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
 import com.sun.org.apache.xerces.internal.util.PropertyState;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
@@ -279,6 +280,8 @@
     private static final String XML_SECURITY_PROPERTY_MANAGER =
             Constants.XML_SECURITY_PROPERTY_MANAGER;
 
+    /** Property identifier: Security manager. */
+    private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
 
     // debugging
 
@@ -449,26 +452,26 @@
         XMLGrammarPool grammarPool,
         XMLComponentManager parentSettings) {
 
-                super(parentSettings);
+        super(parentSettings);
 
-                // create a vector to hold all the components in use
-                // XML 1.0 specialized components
-                fComponents = new ArrayList();
-                // XML 1.1 specialized components
-                fXML11Components = new ArrayList();
-                // Common components for XML 1.1. and XML 1.0
-                fCommonComponents = new ArrayList();
+        // create a vector to hold all the components in use
+        // XML 1.0 specialized components
+        fComponents = new ArrayList();
+        // XML 1.1 specialized components
+        fXML11Components = new ArrayList();
+        // Common components for XML 1.1. and XML 1.0
+        fCommonComponents = new ArrayList();
 
-                // create table for features and properties
-                fFeatures = new HashMap();
-                fProperties = new HashMap();
+        // create table for features and properties
+        fFeatures = new HashMap();
+        fProperties = new HashMap();
 
         // add default recognized features
         final String[] recognizedFeatures =
             {
                 CONTINUE_AFTER_FATAL_ERROR, LOAD_EXTERNAL_DTD, // from XMLDTDScannerImpl
-                                VALIDATION,
-                                NAMESPACES,
+                VALIDATION,
+                NAMESPACES,
                 NORMALIZE_DATA, SCHEMA_ELEMENT_DEFAULT, SCHEMA_AUGMENT_PSVI,
                 GENERATE_SYNTHETIC_ANNOTATIONS, VALIDATE_ANNOTATIONS,
                 HONOUR_ALL_SCHEMALOCATIONS, NAMESPACE_GROWTH,
@@ -479,47 +482,47 @@
                 //       features might not have been set and it would cause a
                 //       not-recognized exception to be thrown. -Ac
                 XMLSCHEMA_VALIDATION, XMLSCHEMA_FULL_CHECKING,
-                                EXTERNAL_GENERAL_ENTITIES,
-                                EXTERNAL_PARAMETER_ENTITIES,
-                                PARSER_SETTINGS,
-                                XMLConstants.FEATURE_SECURE_PROCESSING
+                EXTERNAL_GENERAL_ENTITIES,
+                EXTERNAL_PARAMETER_ENTITIES,
+                PARSER_SETTINGS,
+                XMLConstants.FEATURE_SECURE_PROCESSING
                         };
         addRecognizedFeatures(recognizedFeatures);
-                // set state for default features
-                fFeatures.put(VALIDATION, Boolean.FALSE);
-                fFeatures.put(NAMESPACES, Boolean.TRUE);
-                fFeatures.put(EXTERNAL_GENERAL_ENTITIES, Boolean.TRUE);
-                fFeatures.put(EXTERNAL_PARAMETER_ENTITIES, Boolean.TRUE);
-                fFeatures.put(CONTINUE_AFTER_FATAL_ERROR, Boolean.FALSE);
-                fFeatures.put(LOAD_EXTERNAL_DTD, Boolean.TRUE);
-                fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE);
-                fFeatures.put(NORMALIZE_DATA, Boolean.TRUE);
-                fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE);
-                fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE);
-                fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE);
-                fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE);
-                fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE);
-                fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE);
-                fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE);
-                fFeatures.put(PARSER_SETTINGS, Boolean.TRUE);
-                fFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        // set state for default features
+        fFeatures.put(VALIDATION, Boolean.FALSE);
+        fFeatures.put(NAMESPACES, Boolean.TRUE);
+        fFeatures.put(EXTERNAL_GENERAL_ENTITIES, Boolean.TRUE);
+        fFeatures.put(EXTERNAL_PARAMETER_ENTITIES, Boolean.TRUE);
+        fFeatures.put(CONTINUE_AFTER_FATAL_ERROR, Boolean.FALSE);
+        fFeatures.put(LOAD_EXTERNAL_DTD, Boolean.TRUE);
+        fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE);
+        fFeatures.put(NORMALIZE_DATA, Boolean.TRUE);
+        fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE);
+        fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE);
+        fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE);
+        fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE);
+        fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE);
+        fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE);
+        fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE);
+        fFeatures.put(PARSER_SETTINGS, Boolean.TRUE);
+        fFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
 
         // add default recognized properties
         final String[] recognizedProperties =
             {
-                SYMBOL_TABLE,
-                ERROR_HANDLER,
-                ENTITY_RESOLVER,
+                                SYMBOL_TABLE,
+                                ERROR_HANDLER,
+                                ENTITY_RESOLVER,
                 ERROR_REPORTER,
                 ENTITY_MANAGER,
                 DOCUMENT_SCANNER,
                 DTD_SCANNER,
                 DTD_PROCESSOR,
                 DTD_VALIDATOR,
-                DATATYPE_VALIDATOR_FACTORY,
-                VALIDATION_MANAGER,
-                SCHEMA_VALIDATOR,
-                XML_STRING,
+                                DATATYPE_VALIDATOR_FACTORY,
+                                VALIDATION_MANAGER,
+                                SCHEMA_VALIDATOR,
+                                XML_STRING,
                 XMLGRAMMAR_POOL,
                 JAXP_SCHEMA_SOURCE,
                 JAXP_SCHEMA_LANGUAGE,
@@ -531,19 +534,20 @@
                 SCHEMA_NONS_LOCATION,
                 LOCALE,
                 SCHEMA_DV_FACTORY,
+                SECURITY_MANAGER,
                 XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
 
-        if (symbolTable == null) {
-                symbolTable = new SymbolTable();
-        }
-        fSymbolTable = symbolTable;
-        fProperties.put(SYMBOL_TABLE, fSymbolTable);
+                if (symbolTable == null) {
+                        symbolTable = new SymbolTable();
+                }
+                fSymbolTable = symbolTable;
+                fProperties.put(SYMBOL_TABLE, fSymbolTable);
 
         fGrammarPool = grammarPool;
         if (fGrammarPool != null) {
-            fProperties.put(XMLGRAMMAR_POOL, fGrammarPool);
+                        fProperties.put(XMLGRAMMAR_POOL, fGrammarPool);
         }
 
         fEntityManager = new XMLEntityManager();
@@ -579,8 +583,6 @@
 
         fVersionDetector = new XMLVersionDetector();
 
-        fProperties.put(XML_SECURITY_PROPERTY_MANAGER, new XMLSecurityPropertyManager());
-
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {
             XMLMessageFormatter xmft = new XMLMessageFormatter();
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/parsers/XMLParser.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/XMLParser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/parsers/XMLParser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -23,6 +23,8 @@
 import java.io.IOException;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
@@ -78,6 +80,13 @@
     /** The parser configuration. */
     protected XMLParserConfiguration fConfiguration;
 
+    /** The XML Security Manager. */
+    XMLSecurityManager securityManager;
+
+    /** The XML Security Property Manager. */
+    XMLSecurityPropertyManager securityPropertyManager;
+
+
     //
     // Constructors
     //
@@ -118,6 +127,15 @@
      */
     public void parse(XMLInputSource inputSource)
         throws XNIException, IOException {
+        // null indicates that the parser is called directly, initialize them
+        if (securityManager == null) {
+            securityManager = new XMLSecurityManager(true);
+            fConfiguration.setProperty(Constants.SECURITY_MANAGER, securityManager);
+        }
+        if (securityPropertyManager == null) {
+            securityPropertyManager = new XMLSecurityPropertyManager();
+            fConfiguration.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
+        }
 
         reset();
         fConfiguration.parse(inputSource);
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/util/SecurityManager.java
--- a/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -61,8 +61,6 @@
 
 package com.sun.org.apache.xerces.internal.util;
 import com.sun.org.apache.xerces.internal.impl.Constants;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 /**
  * This class is a container for parser settings that relate to
  * security, or more specifically, it is intended to be used to prevent denial-of-service
@@ -79,7 +77,6 @@
  *
  * @author  Neil Graham, IBM
  *
- * @version $Id: SecurityManager.java,v 1.5 2010-11-01 04:40:14 joehw Exp $
  */
 public final class SecurityManager {
 
@@ -179,48 +176,40 @@
 
         private void readSystemProperties(){
 
-            //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
-            try {
-                    String value = getSystemProperty(Constants.ENTITY_EXPANSION_LIMIT);
-                    if(value != null && !value.equals("")){
-                            entityExpansionLimit = Integer.parseInt(value);
-                            if (entityExpansionLimit < 0)
-                                    entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-                    }
-                    else
-                            entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-            }catch(Exception ex){}
+                try {
+                        String value = System.getProperty(Constants.ENTITY_EXPANSION_LIMIT);
+                        if(value != null && !value.equals("")){
+                                entityExpansionLimit = Integer.parseInt(value);
+                                if (entityExpansionLimit < 0)
+                                        entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
+                        }
+                        else
+                                entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
+                }catch(Exception ex){}
 
-            try {
-                    String value = getSystemProperty(Constants.MAX_OCCUR_LIMIT);
-                    if(value != null && !value.equals("")){
-                            maxOccurLimit = Integer.parseInt(value);
-                            if (maxOccurLimit < 0)
-                                    maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
-                    }
-                    else
-                            maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
-            }catch(Exception ex){}
+                try {
+                        String value = System.getProperty(Constants.MAX_OCCUR_LIMIT);
+                        if(value != null && !value.equals("")){
+                                maxOccurLimit = Integer.parseInt(value);
+                                if (maxOccurLimit < 0)
+                                        maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
+                        }
+                        else
+                                maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
+                }catch(Exception ex){}
 
-            try {
-                    String value = getSystemProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
-                    if(value != null && !value.equals("")){
-                            fElementAttributeLimit = Integer.parseInt(value);
-                            if ( fElementAttributeLimit < 0)
-                                    fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
-                    }
-                    else
-                            fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
+                try {
+                        String value = System.getProperty(Constants.ELEMENT_ATTRIBUTE_LIMIT);
+                        if(value != null && !value.equals("")){
+                                fElementAttributeLimit = Integer.parseInt(value);
+                                if ( fElementAttributeLimit < 0)
+                                        fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
+                        }
+                        else
+                                fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
 
                 }catch(Exception ex){}
 
         }
 
-    private String getSystemProperty(final String propName) {
-        return AccessController.doPrivileged(new PrivilegedAction() {
-            public String run() {
-                return System.getProperty(propName);
-            }
-        });
-    }
 } // class SecurityManager
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/util/SymbolTable.java
--- a/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java	Fri Oct 11 19:49:44 2013 +0100
@@ -173,7 +173,7 @@
         for (int i = 0; i < length; i++) {
             code = code * 37 + symbol.charAt(i);
         }
-        return code & 0x7FFFFFF;
+        return code & 0x7FFFFFFF;
 
     } // hash(String):int
 
@@ -194,7 +194,7 @@
         for (int i = 0; i < length; i++) {
             code = code * 37 + buffer[offset + i];
         }
-        return code & 0x7FFFFFF;
+        return code & 0x7FFFFFFF;
 
     } // hash(char[],int,int):int
 
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java	Fri Oct 11 19:49:44 2013 +0100
@@ -0,0 +1,239 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
+import java.util.Formatter;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * A helper for analyzing entity expansion limits
+ *
+ * @author Joe Wang Oracle Corp.
+ *
+ */
+public final class XMLLimitAnalyzer {
+
+    /**
+     * Map old property names with the new ones
+     */
+    public static enum NameMap {
+        ENTITY_EXPANSION_LIMIT(Constants.SP_ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT),
+        MAX_OCCUR_NODE_LIMIT(Constants.SP_MAX_OCCUR_LIMIT, Constants.MAX_OCCUR_LIMIT),
+        ELEMENT_ATTRIBUTE_LIMIT(Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, Constants.ELEMENT_ATTRIBUTE_LIMIT);
+
+        final String newName;
+        final String oldName;
+
+        NameMap(String newName, String oldName) {
+            this.newName = newName;
+            this.oldName = oldName;
+        }
+
+        String getOldName(String newName) {
+            if (newName.equals(this.newName)) {
+                return oldName;
+            }
+            return null;
+        }
+    }
+
+    private XMLSecurityManager securityManager;
+    /**
+     * Max value accumulated for each property
+     */
+    private final int[] values;
+    /**
+     * Names of the entities corresponding to their max values
+     */
+    private final String[] names;
+    /**
+     * Total value of accumulated entities
+     */
+    private final int[] totalValue;
+
+    /**
+     * Maintain values of the top 10 elements in the process of parsing
+     */
+    private final Map[] caches;
+
+    private String entityStart, entityEnd;
+    /**
+     * Default constructor. Establishes default values for known security
+     * vulnerabilities.
+     */
+    public XMLLimitAnalyzer(XMLSecurityManager securityManager) {
+        this.securityManager = securityManager;
+        values = new int[Limit.values().length];
+        totalValue = new int[Limit.values().length];
+        names = new String[Limit.values().length];
+        caches = new Map[Limit.values().length];
+    }
+
+    /**
+     * Add the value to the current max count for the specified property
+     * To find the max value of all entities, set no limit
+     *
+     * @param limit the type of the property
+     * @param entityName the name of the entity
+     * @param value the value of the entity
+     */
+    public void addValue(Limit limit, String entityName, int value) {
+        addValue(limit.ordinal(), entityName, value);
+    }
+
+    /**
+     * Add the value to the current count by the index of the property
+     * @param index the index of the property
+     * @param entityName the name of the entity
+     * @param value the value of the entity
+     */
+    public void addValue(int index, String entityName, int value) {
+        if (index == Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
+                index == Limit.MAX_OCCUR_NODE_LIMIT.ordinal() ||
+                index == Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal()) {
+            totalValue[index] += value;
+            return;
+        }
+
+        Map cache;
+        if (caches[index] == null) {
+            cache = new HashMap(10);
+            caches[index] = cache;
+        } else {
+            cache = caches[index];
+        }
+
+        int accumulatedValue = value;
+        if (cache.containsKey(entityName)) {
+            accumulatedValue += cache.get(entityName).intValue();
+            cache.put(entityName, Integer.valueOf(accumulatedValue));
+        } else {
+            cache.put(entityName, Integer.valueOf(value));
+        }
+
+        if (accumulatedValue > values[index]) {
+            values[index] = accumulatedValue;
+            names[index] = entityName;
+        }
+
+
+        if (index == Limit.GENEAL_ENTITY_SIZE_LIMIT.ordinal() ||
+                index == Limit.PARAMETER_ENTITY_SIZE_LIMIT.ordinal()) {
+            totalValue[Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()] += value;
+        }
+    }
+
+    /**
+     * Return the value of the current max count for the specified property
+     *
+     * @param limit the property
+     * @return the value of the property
+     */
+    public int getValue(Limit limit) {
+        return values[limit.ordinal()];
+    }
+
+    public int getValue(int index) {
+        return values[index];
+    }
+    /**
+     * Return the total value accumulated so far
+     *
+     * @param limit the property
+     * @return the accumulated value of the property
+     */
+    public int getTotalValue(Limit limit) {
+        return totalValue[limit.ordinal()];
+    }
+
+    public int getTotalValue(int index) {
+        return totalValue[index];
+    }
+    /**
+     * Return the current max value (count or length) by the index of a property
+     * @param index the index of a property
+     * @return count of a property
+     */
+    public int getValueByIndex(int index) {
+        return values[index];
+    }
+
+    public void startEntity(String name) {
+        entityStart = name;
+    }
+
+    public boolean isTracking(String name) {
+        if (entityStart == null) {
+            return false;
+        }
+        return entityStart.equals(name);
+    }
+    /**
+     * Stop tracking the entity
+     * @param limit the limit property
+     * @param name the name of an entity
+     */
+    public void endEntity(Limit limit, String name) {
+        entityStart = "";
+        Map cache = caches[limit.ordinal()];
+        if (cache != null) {
+            cache.remove(name);
+        }
+    }
+
+    public void debugPrint() {
+        Formatter formatter = new Formatter();
+        System.out.println(formatter.format("%30s %15s %15s %15s %30s",
+                "Property","Limit","Total size","Size","Entity Name"));
+
+        for (Limit limit : Limit.values()) {
+            formatter = new Formatter();
+            System.out.println(formatter.format("%30s %15d %15d %15d %30s",
+                    limit.name(),
+                    securityManager.getLimit(limit),
+                    totalValue[limit.ordinal()],
+                    values[limit.ordinal()],
+                    names[limit.ordinal()]));
+        }
+    }
+}
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -0,0 +1,555 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.util.SecurityManager;
+
+/**
+ * This class manages standard and implementation-specific limitations.
+ *
+ */
+public final class XMLSecurityManager {
+
+    /**
+     * States of the settings of a property, in the order: default value, value
+     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+     * properties, and jaxp api properties
+     */
+    public static enum State {
+        //this order reflects the overriding order
+
+        DEFAULT("default"), FSP("FEATURE_SECURE_PROCESSING"),
+        JAXPDOTPROPERTIES("jaxp.properties"), SYSTEMPROPERTY("system property"),
+        APIPROPERTY("property");
+
+        final String literal;
+        State(String literal) {
+            this.literal = literal;
+        }
+
+        String literal() {
+            return literal;
+        }
+    }
+
+    /**
+     * Limits managed by the security manager
+     */
+    public static enum Limit {
+
+        ENTITY_EXPANSION_LIMIT(Constants.JDK_ENTITY_EXPANSION_LIMIT, Constants.SP_ENTITY_EXPANSION_LIMIT, 0, 64000),
+        MAX_OCCUR_NODE_LIMIT(Constants.JDK_MAX_OCCUR_LIMIT, Constants.SP_MAX_OCCUR_LIMIT, 0, 5000),
+        ELEMENT_ATTRIBUTE_LIMIT(Constants.JDK_ELEMENT_ATTRIBUTE_LIMIT, Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
+        TOTAL_ENTITY_SIZE_LIMIT(Constants.JDK_TOTAL_ENTITY_SIZE_LIMIT, Constants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
+        GENEAL_ENTITY_SIZE_LIMIT(Constants.JDK_GENEAL_ENTITY_SIZE_LIMIT, Constants.SP_GENEAL_ENTITY_SIZE_LIMIT, 0, 0),
+        PARAMETER_ENTITY_SIZE_LIMIT(Constants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, Constants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
+
+        final String apiProperty;
+        final String systemProperty;
+        final int defaultValue;
+        final int secureValue;
+
+        Limit(String apiProperty, String systemProperty, int value, int secureValue) {
+            this.apiProperty = apiProperty;
+            this.systemProperty = systemProperty;
+            this.defaultValue = value;
+            this.secureValue = secureValue;
+        }
+
+        public boolean equalsAPIPropertyName(String propertyName) {
+            return (propertyName == null) ? false : apiProperty.equals(propertyName);
+        }
+
+        public boolean equalsSystemPropertyName(String propertyName) {
+            return (propertyName == null) ? false : systemProperty.equals(propertyName);
+        }
+
+        public String apiProperty() {
+            return apiProperty;
+        }
+
+        String systemProperty() {
+            return systemProperty;
+        }
+
+        int defaultValue() {
+            return defaultValue;
+        }
+
+        int secureValue() {
+            return secureValue;
+        }
+    }
+
+    /**
+     * Map old property names with the new ones
+     */
+    public static enum NameMap {
+
+        ENTITY_EXPANSION_LIMIT(Constants.SP_ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT),
+        MAX_OCCUR_NODE_LIMIT(Constants.SP_MAX_OCCUR_LIMIT, Constants.MAX_OCCUR_LIMIT),
+        ELEMENT_ATTRIBUTE_LIMIT(Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, Constants.ELEMENT_ATTRIBUTE_LIMIT);
+        final String newName;
+        final String oldName;
+
+        NameMap(String newName, String oldName) {
+            this.newName = newName;
+            this.oldName = oldName;
+        }
+
+        String getOldName(String newName) {
+            if (newName.equals(this.newName)) {
+                return oldName;
+            }
+            return null;
+        }
+    }
+    private static final int NO_LIMIT = 0;
+    /**
+     * Values of the properties
+     */
+    private final int[] values;
+    /**
+     * States of the settings for each property
+     */
+    private State[] states;
+    /**
+     * Flag indicating if secure processing is set
+     */
+    boolean secureProcessing;
+
+    /**
+     * States that determine if properties are set explicitly
+     */
+    private boolean[] isSet;
+
+
+    private XMLLimitAnalyzer limitAnalyzer;
+    /**
+     * Index of the special entityCountInfo property
+     */
+    private int indexEntityCountInfo = 10000;
+    private String printEntityCountInfo = "";
+
+    /**
+     * Default constructor. Establishes default values for known security
+     * vulnerabilities.
+     */
+    public XMLSecurityManager() {
+        this(false);
+    }
+
+    /**
+     * Instantiate Security Manager in accordance with the status of
+     * secure processing
+     * @param secureProcessing
+     */
+    public XMLSecurityManager(boolean secureProcessing) {
+        limitAnalyzer = new XMLLimitAnalyzer(this);
+        values = new int[Limit.values().length];
+        states = new State[Limit.values().length];
+        isSet = new boolean[Limit.values().length];
+        this.secureProcessing = secureProcessing;
+        for (Limit limit : Limit.values()) {
+            if (secureProcessing) {
+                values[limit.ordinal()] = limit.secureValue;
+                states[limit.ordinal()] = State.FSP;
+            } else {
+                values[limit.ordinal()] = limit.defaultValue();
+                states[limit.ordinal()] = State.DEFAULT;
+            }
+        }
+        //read system properties or jaxp.properties
+        readSystemProperties();
+    }
+
+    /**
+     * Setting FEATURE_SECURE_PROCESSING explicitly
+     */
+    public void setSecureProcessing(boolean secure) {
+        secureProcessing = secure;
+        for (Limit limit : Limit.values()) {
+            if (secure) {
+                setLimit(limit.ordinal(), State.FSP, limit.secureValue());
+            } else {
+                setLimit(limit.ordinal(), State.FSP, limit.defaultValue());
+            }
+        }
+    }
+
+    /**
+     * Return the state of secure processing
+     * @return the state of secure processing
+     */
+    public boolean isSecureProcessing() {
+        return secureProcessing;
+    }
+
+
+    /**
+     * Set limit by property name and state
+     * @param propertyName property name
+     * @param state the state of the property
+     * @param value the value of the property
+     * @return true if the property is managed by the security manager; false
+     *              if otherwise.
+     */
+    public boolean setLimit(String propertyName, State state, Object value) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            setLimit(index, state, value);
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Set the value for a specific limit.
+     *
+     * @param limit the limit
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(Limit limit, State state, int value) {
+        setLimit(limit.ordinal(), state, value);
+    }
+
+    /**
+     * Set the value of a property by its index
+     *
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(int index, State state, Object value) {
+        if (index == indexEntityCountInfo) {
+            printEntityCountInfo = (String)value;
+        } else {
+            int temp = 0;
+            try {
+                temp = Integer.parseInt((String) value);
+                if (temp < 0) {
+                    temp = 0;
+                }
+            } catch (NumberFormatException e) {}
+            setLimit(index, state, temp);
+        }
+    }
+
+    /**
+     * Set the value of a property by its index
+     *
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(int index, State state, int value) {
+        if (index == indexEntityCountInfo) {
+            //if it's explicitly set, it's treated as yes no matter the value
+            printEntityCountInfo = Constants.JDK_YES;
+        } else {
+            //only update if it shall override
+            if (state.compareTo(states[index]) >= 0) {
+                values[index] = value;
+                states[index] = state;
+                isSet[index] = true;
+            }
+        }
+    }
+
+    /**
+     * Return the value of the specified property
+     *
+     * @param propertyName the property name
+     * @return the value of the property as a string. If a property is managed
+     * by this manager, its value shall not be null.
+     */
+    public String getLimitAsString(String propertyName) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            return getLimitValueByIndex(index);
+        }
+
+        return null;
+    }
+    /**
+     * Return the value of the specified property
+     *
+     * @param limit the property
+     * @return the value of the property
+     */
+    public int getLimit(Limit limit) {
+        return values[limit.ordinal()];
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     *
+     * @param limit the property
+     * @return value of a property
+     */
+    public String getLimitValueAsString(Limit limit) {
+        return Integer.toString(values[limit.ordinal()]);
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     *
+     * @param index the index of a property
+     * @return limit of a property as a string
+     */
+    public String getLimitValueByIndex(int index) {
+        if (index == indexEntityCountInfo) {
+            return printEntityCountInfo;
+        }
+
+        return Integer.toString(values[index]);
+    }
+
+    /**
+     * Return the state of the limit property
+     *
+     * @param limit the limit
+     * @return the state of the limit property
+     */
+    public State getState(Limit limit) {
+        return states[limit.ordinal()];
+    }
+
+    /**
+     * Return the state of the limit property
+     *
+     * @param limit the limit
+     * @return the state of the limit property
+     */
+    public String getStateLiteral(Limit limit) {
+        return states[limit.ordinal()].literal();
+    }
+
+    /**
+     * Get the index by property name
+     *
+     * @param propertyName property name
+     * @return the index of the property if found; return -1 if not
+     */
+    public int getIndex(String propertyName) {
+        for (Limit limit : Limit.values()) {
+            if (limit.equalsAPIPropertyName(propertyName)) {
+                //internally, ordinal is used as index
+                return limit.ordinal();
+            }
+        }
+        //special property to return entity count info
+        if (propertyName.equals(Constants.JDK_ENTITY_COUNT_INFO)) {
+            return indexEntityCountInfo;
+        }
+        return -1;
+    }
+
+    /**
+     * Check if there's no limit defined by the Security Manager
+     * @param limit
+     * @return
+     */
+    public boolean isNoLimit(int limit) {
+        return limit==NO_LIMIT;
+    }
+    /**
+     * Check if the size (length or count) of the specified limit property is
+     * over the limit
+     *
+     * @param limit the type of the limit property
+     * @param entityName the name of the entity
+     * @param size the size (count or length) of the entity
+     * @return true if the size is over the limit, false otherwise
+     */
+    public boolean isOverLimit(Limit limit, String entityName, int size) {
+        return isOverLimit(limit.ordinal(), entityName, size);
+    }
+
+    /**
+     * Check if the value (length or count) of the specified limit property is
+     * over the limit
+     *
+     * @param index the index of the limit property
+     * @param entityName the name of the entity
+     * @param size the size (count or length) of the entity
+     * @return true if the size is over the limit, false otherwise
+     */
+    public boolean isOverLimit(int index, String entityName, int size) {
+        if (values[index] == NO_LIMIT) {
+            return false;
+        }
+        if (size > values[index]) {
+            limitAnalyzer.addValue(index, entityName, size);
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Check against cumulated value
+     *
+     * @param limit the type of the limit property
+     * @param size the size (count or length) of the entity
+     * @return true if the size is over the limit, false otherwise
+     */
+    public boolean isOverLimit(Limit limit) {
+        return isOverLimit(limit.ordinal());
+    }
+
+    public boolean isOverLimit(int index) {
+        if (values[index] == NO_LIMIT) {
+            return false;
+        }
+
+        if (index==Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() ||
+                index==Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
+                index==Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()) {
+            return (limitAnalyzer.getTotalValue(index) > values[index]);
+        } else {
+            return (limitAnalyzer.getValue(index) > values[index]);
+        }
+    }
+
+    public void debugPrint() {
+        if (printEntityCountInfo.equals(Constants.JDK_YES)) {
+            limitAnalyzer.debugPrint();
+        }
+    }
+
+    /**
+     * Return the limit analyzer
+     *
+     * @return the limit analyzer
+     */
+    public XMLLimitAnalyzer getLimitAnalyzer() {
+        return limitAnalyzer;
+    }
+
+    /**
+     * Set limit analyzer
+     *
+     * @param analyzer a limit analyzer
+     */
+    public void setLimitAnalyzer(XMLLimitAnalyzer analyzer) {
+        limitAnalyzer = analyzer;
+    }
+
+    /**
+     * Indicate if a property is set explicitly
+     * @param index
+     * @return
+     */
+    public boolean isSet(int index) {
+        return isSet[index];
+    }
+
+    public boolean printEntityCountInfo() {
+        return printEntityCountInfo.equals(Constants.JDK_YES);
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     */
+    private void readSystemProperties() {
+
+        for (Limit limit : Limit.values()) {
+            if (!getSystemProperty(limit, limit.systemProperty())) {
+                //if system property is not found, try the older form if any
+                for (NameMap nameMap : NameMap.values()) {
+                    String oldName = nameMap.getOldName(limit.systemProperty());
+                    if (oldName != null) {
+                        getSystemProperty(limit, oldName);
+                    }
+                }
+            }
+        }
+
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     *
+     * @param property the type of the property
+     * @param sysPropertyName the name of system property
+     */
+    private boolean getSystemProperty(Limit limit, String sysPropertyName) {
+        try {
+            String value = SecuritySupport.getSystemProperty(sysPropertyName);
+            if (value != null && !value.equals("")) {
+                values[limit.ordinal()] = Integer.parseInt(value);
+                states[limit.ordinal()] = State.SYSTEMPROPERTY;
+                return true;
+            }
+
+            value = SecuritySupport.readJAXPProperty(sysPropertyName);
+            if (value != null && !value.equals("")) {
+                values[limit.ordinal()] = Integer.parseInt(value);
+                states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
+                return true;
+            }
+        } catch (NumberFormatException e) {
+            //invalid setting
+            throw new NumberFormatException("Invalid setting for system property: " + limit.systemProperty());
+        }
+        return false;
+    }
+
+
+    /**
+     * Convert a value set through setProperty to XMLSecurityManager.
+     * If the value is an instance of XMLSecurityManager, use it to override the default;
+     * If the value is an old SecurityManager, convert to the new XMLSecurityManager.
+     *
+     * @param value user specified security manager
+     * @param securityManager an instance of XMLSecurityManager
+     * @return an instance of the new security manager XMLSecurityManager
+     */
+    static public XMLSecurityManager convert(Object value, XMLSecurityManager securityManager) {
+        if (value == null) {
+            if (securityManager == null) {
+                securityManager = new XMLSecurityManager(true);
+            }
+            return securityManager;
+        }
+        if (XMLSecurityManager.class.isAssignableFrom(value.getClass())) {
+            return (XMLSecurityManager)value;
+        } else {
+            if (securityManager == null) {
+                securityManager = new XMLSecurityManager(true);
+            }
+            if (SecurityManager.class.isAssignableFrom(value.getClass())) {
+                SecurityManager origSM = (SecurityManager)value;
+                securityManager.setLimit(Limit.MAX_OCCUR_NODE_LIMIT, State.APIPROPERTY, origSM.getMaxOccurNodeLimit());
+                securityManager.setLimit(Limit.ENTITY_EXPANSION_LIMIT, State.APIPROPERTY, origSM.getEntityExpansionLimit());
+                securityManager.setLimit(Limit.ELEMENT_ATTRIBUTE_LIMIT, State.APIPROPERTY, origSM.getElementAttrLimit());
+            }
+            return securityManager;
+        }
+    }
+}
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java
--- a/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -91,6 +91,24 @@
         readSystemProperties();
     }
 
+
+    /**
+     * Set limit by property name and state
+     * @param propertyName property name
+     * @param state the state of the property
+     * @param value the value of the property
+     * @return true if the property is managed by the security property manager;
+     *         false if otherwise.
+     */
+    public boolean setValue(String propertyName, State state, Object value) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            setValue(index, state, (String)value);
+            return true;
+        }
+        return false;
+    }
+
     /**
      * Set the value for a specific property.
      *
@@ -119,6 +137,23 @@
             states[index] = state;
         }
     }
+
+
+    /**
+     * Return the value of the specified property
+     *
+     * @param propertyName the property name
+     * @return the value of the property as a string
+     */
+    public String getValue(String propertyName) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            return getValueByIndex(index);
+        }
+
+        return null;
+    }
+
     /**
      * Return the value of the specified property
      *
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java
--- a/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Fri Oct 11 19:49:44 2013 +0100
@@ -37,7 +37,6 @@
 import com.sun.org.apache.xerces.internal.util.HTTPInputSource;
 import com.sun.org.apache.xerces.internal.util.IntStack;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
@@ -45,6 +44,7 @@
 import com.sun.org.apache.xerces.internal.util.XMLChar;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -289,7 +289,7 @@
     protected SymbolTable fSymbolTable;
     protected XMLErrorReporter fErrorReporter;
     protected XMLEntityResolver fEntityResolver;
-    protected SecurityManager fSecurityManager;
+    protected XMLSecurityManager fSecurityManager;
     protected XMLSecurityPropertyManager fSecurityPropertyMgr;
 
     // these are needed for text include processing
@@ -517,8 +517,8 @@
 
         // Get security manager.
         try {
-            SecurityManager value =
-                (SecurityManager)componentManager.getProperty(
+            XMLSecurityManager value =
+                (XMLSecurityManager)componentManager.getProperty(
                     SECURITY_MANAGER);
 
             if (value != null) {
@@ -674,7 +674,7 @@
             return;
         }
         if (propertyId.equals(SECURITY_MANAGER)) {
-            fSecurityManager = (SecurityManager)value;
+            fSecurityManager = (XMLSecurityManager)value;
             if (fChildConfig != null) {
                 fChildConfig.setProperty(propertyId, value);
             }
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java
--- a/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -25,12 +25,15 @@
 import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
 import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import java.util.HashMap;
+
 import javax.xml.XMLConstants;
 import javax.xml.parsers.FactoryConfigurationError;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.helpers.XMLReaderFactory;
 
@@ -63,11 +66,15 @@
     private HashMap m_inUse;
 
     private boolean m_useServicesMechanism = true;
+
+    private boolean _secureProcessing;
      /**
      * protocols allowed for external DTD references in source file and/or stylesheet.
      */
     private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
 
+    private XMLSecurityManager _xmlSecurityManager;
+
     /**
      * Hidden constructor
      */
@@ -118,7 +125,12 @@
                     // TransformerFactory creates a reader via the
                     // XMLReaderFactory if setXMLReader is not used
                     reader = XMLReaderFactory.createXMLReader();
-
+                    try {
+                        reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _secureProcessing);
+                    } catch (SAXNotRecognizedException e) {
+                        System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                                + e.getMessage());
+                    }
                 } catch (Exception e) {
                    try {
                         // If unable to create an instance, let's try to use
@@ -164,6 +176,21 @@
                         + se.getMessage());
         }
 
+        try {
+            if (_xmlSecurityManager != null) {
+                for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
+                    reader.setProperty(limit.apiProperty(),
+                            _xmlSecurityManager.getLimitValueAsString(limit));
+                }
+                if (_xmlSecurityManager.printEntityCountInfo()) {
+                    reader.setProperty(XalanConstants.JDK_ENTITY_COUNT_INFO, XalanConstants.JDK_YES);
+                }
+            }
+        } catch (SAXException se) {
+            System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                        + se.getMessage());
+        }
+
         return reader;
     }
 
@@ -195,11 +222,22 @@
     }
 
     /**
+     * Set feature
+     */
+    public void setFeature(String name, boolean value) {
+        if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+            _secureProcessing = value;
+        }
+    }
+
+    /**
      * Get property value
      */
-    public String getProperty(String name) {
+    public Object getProperty(String name) {
         if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
             return _accessExternalDTD;
+        } else if (name.equals(XalanConstants.SECURITY_MANAGER)) {
+            return _xmlSecurityManager;
         }
         return null;
     }
@@ -207,9 +245,11 @@
     /**
      * Set property.
      */
-    public void setProperty(String name, String value) {
+    public void setProperty(String name, Object value) {
         if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
             _accessExternalDTD = (String)value;
+        } else if (name.equals(XalanConstants.SECURITY_MANAGER)) {
+            _xmlSecurityManager = (XMLSecurityManager)value;
         }
     }
 }
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/com/sun/xml/internal/stream/Entity.java
diff -r 46ccc5fbc523 -r 2b77e12ff69d src/javax/xml/stream/FactoryFinder.java
--- a/src/javax/xml/stream/FactoryFinder.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/src/javax/xml/stream/FactoryFinder.java	Fri Oct 11 19:49:44 2013 +0100
@@ -253,7 +253,13 @@
 
         // Use the system property first
         try {
-            String systemProp = ss.getSystemProperty(factoryId);
+
+            final String systemProp;
+            if (type.getName().equals(factoryId)) {
+                systemProp = ss.getSystemProperty(factoryId);
+            } else {
+                systemProp = System.getProperty(factoryId);
+            }
             if (systemProp != null) {
                 dPrint("found system property, value=" + systemProp);
                 // There's a bug here - because 'cl' is ignored.
@@ -262,7 +268,8 @@
             }
         }
         catch (SecurityException se) {
-            if (debug) se.printStackTrace();
+            throw new FactoryConfigurationError(
+                    "Failed to read factoryId '" + factoryId + "'", se);
         }
 
         // Try read $java.home/lib/stax.properties followed by