Mercurial > hg > release > icedtea7-forest-2.3 > jaxp

view src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java @ 602:00f1d7d220a9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8017298: Better XML support Reviewed-by: alanb, dfuchs, mullan
author joehw
date Thu, 10 Oct 2013 16:45:02 +0100
parents
children aeaabc10209e
line wrap: on
line source

/*
 * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package com.sun.org.apache.xerces.internal.utils;

import com.sun.org.apache.xerces.internal.impl.Constants;

/**
 * This class manages standard and implementation-specific limitations.
 *
 */
public final class XMLSecurityManager {

    /**
     * States of the settings of a property, in the order: default value, value
     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
     * properties, and jaxp api properties
     */
    public static enum State {
        //this order reflects the overriding order
        DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
    }

    /**
     * Limits managed by the security manager
     */
    public static enum Limit {
        ENTITY_EXPANSION_LIMIT(64000),
        MAX_OCCUR_NODE_LIMIT(5000),
        ELEMENT_ATTRIBUTE_LIMIT(10000);

        final int defaultValue;

        Limit(int value) {
            this.defaultValue = value;
        }

        int defaultValue() {
            return defaultValue;
        }
    }

    /**
     * Values of the limits as defined in enum Limit
     */
    private final int[] limits;
    /**
     * States of the settings for each limit in limits above
     */
    private State[] states = {State.DEFAULT, State.DEFAULT, State.DEFAULT, State.DEFAULT};

    /**
     * Default constructor. Establishes default values for known security
     * vulnerabilities.
     */
    public XMLSecurityManager() {
        limits = new int[Limit.values().length];
        for (Limit limit : Limit.values()) {
            limits[limit.ordinal()] = limit.defaultValue();
        }
        //read system properties or jaxp.properties
        readSystemProperties();
    }

    /**
     * Sets the limit for a specific type of XML constructs. This can be either
     * the size or the number of the constructs.
     *
     * @param type the type of limitation
     * @param state the state of limitation
     * @param limit the limit to the type
     */
    public void setLimit(Limit limit, State state, int value) {
        //only update if it shall override
        if (state.compareTo(states[limit.ordinal()]) >= 0) {
            limits[limit.ordinal()] = value;
            states[limit.ordinal()] = state;
        }
    }

    /**
     * Returns the limit set for the type specified
     *
     * @param limit the type of limitation
     * @return the limit to the type
     */
    public int getLimit(Limit limit) {
        return limits[limit.ordinal()];
    }

    /**
     * Read from system properties, or those in jaxp.properties
     */
    private void readSystemProperties() {
        getSystemProperty(Limit.ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT);
        getSystemProperty(Limit.MAX_OCCUR_NODE_LIMIT, Constants.MAX_OCCUR_LIMIT);
        getSystemProperty(Limit.ELEMENT_ATTRIBUTE_LIMIT,
                Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
    }

    /**
     * Read from system properties, or those in jaxp.properties
     *
     * @param limit the type of the property
     * @param property the property name
     */
    private void getSystemProperty(Limit limit, String property) {
        try {
            String value = SecuritySupport.getSystemProperty(property);
            if (value != null && !value.equals("")) {
                limits[limit.ordinal()] = Integer.parseInt(value);
                states[limit.ordinal()] = State.SYSTEMPROPERTY;
                return;
            }

            value = SecuritySupport.readJAXPProperty(property);
            if (value != null && !value.equals("")) {
                limits[limit.ordinal()] = Integer.parseInt(value);
                states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
            }
        } catch (NumberFormatException e) {
            //invalid setting ignored
        }
    }
}