null
+ * if a legal pseudo attribute name could not be scanned.
+ */
+ private String scanPseudoAttributeName() throws IOException, XNIException {
+ final int ch = fEntityScanner.peekChar();
+ switch (ch) {
+ case 'v':
+ if (fEntityScanner.skipString(fVersionSymbol)) {
+ return fVersionSymbol;
+ }
+ break;
+ case 'e':
+ if (fEntityScanner.skipString(fEncodingSymbol)) {
+ return fEncodingSymbol;
+ }
+ break;
+ case 's':
+ if (fEntityScanner.skipString(fStandaloneSymbol)) {
+ return fStandaloneSymbol;
+ }
+ break;
+ }
+ return null;
+ } // scanPseudoAttributeName()
+
+ /**
* Scans a processing instruction.
* *
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties Thu Oct 10 16:45:02 2013 +0100
@@ -44,6 +44,7 @@
# 2.9 Standalone Document Declaration
SDDeclInvalid = The standalone document declaration value must be \"yes\" or \"no\", not \"{0}\".
+ SDDeclNameInvalid = The standalone name in XML declaration may be misspelled.
# 2.12 Language Identification
XMLLangInvalid = The xml:lang attribute value \"{0}\" is an invalid language identifier.
# 3. Logical Structures
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java Thu Oct 10 16:45:02 2013 +0100
@@ -21,13 +21,13 @@
package com.sun.org.apache.xerces.internal.impl.xs.models;
+import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager ;
import com.sun.org.apache.xerces.internal.impl.dtd.models.CMNode;
+import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
+import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
-import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
-import com.sun.org.apache.xerces.internal.impl.Constants;
/**
*
@@ -68,7 +68,7 @@
// stores defaults for different security holes (maxOccurLimit in current context) if it has
// been set on the configuration.
- private SecurityManager fSecurityManager = null;
+ private XMLSecurityManager fSecurityManager = null;
/** default constructor */
public CMNodeFactory() {
@@ -77,10 +77,10 @@
public void reset(XMLComponentManager componentManager){
fErrorReporter = (XMLErrorReporter)componentManager.getProperty(ERROR_REPORTER);
try {
- fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER);
+ fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER);
//we are setting the limit of number of nodes to 3times the maxOccur value..
if(fSecurityManager != null){
- maxNodeLimit = fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY ;
+ maxNodeLimit = fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY ;
}
}
catch (XMLConfigurationException e) {
@@ -150,8 +150,9 @@
if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
- fSecurityManager = (SecurityManager)value;
- maxNodeLimit = (fSecurityManager != null) ? fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY : 0 ;
+ fSecurityManager = (XMLSecurityManager)value;
+ maxNodeLimit = (fSecurityManager != null) ?
+ fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY : 0 ;
return;
}
if (suffixLength == Constants.ERROR_REPORTER_PROPERTY.length() &&
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java Thu Oct 10 16:45:02 2013 +0100
@@ -40,6 +40,7 @@
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xs.XSConstants;
import java.util.HashMap;
@@ -1194,7 +1195,7 @@
if (!optimize) {
//Revisit :: IMO this is not right place to check
// maxOccurNodeLimit.
- int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getMaxOccurNodeLimit();
+ int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT);
if (max > maxOccurNodeLimit) {
reportSchemaFatalError("maxOccurLimit", new Object[] {new Integer(maxOccurNodeLimit)}, element);
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java Thu Oct 10 16:45:02 2013 +0100
@@ -70,13 +70,13 @@
import com.sun.org.apache.xerces.internal.util.DefaultErrorHandler;
import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXInputSource;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.StAXInputSource;
import com.sun.org.apache.xerces.internal.util.StAXLocationWrapper;
import com.sun.org.apache.xerces.internal.util.SymbolHash;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.QName;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -249,7 +249,7 @@
*
* Protected to allow access by any traverser.
*/
- protected SecurityManager fSecureProcessing = null;
+ protected XMLSecurityManager fSecureProcessing = null;
// These tables correspond to the symbol spaces defined in the
// spec.
@@ -3482,7 +3482,7 @@
fSecureProcessing = null;
if( componentManager!=null ) {
- fSecureProcessing = (SecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
+ fSecureProcessing = (XMLSecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
}
//set entity resolver
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java Thu Oct 10 16:45:02 2013 +0100
@@ -35,7 +35,7 @@
import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
import com.sun.org.apache.xerces.internal.parsers.DOMParser;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -154,7 +154,7 @@
// If the secure processing feature is on set a security manager.
if (secureProcessing) {
- domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
+ domParser.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
}
this.grammar = dbf.getSchema();
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java Thu Oct 10 16:45:02 2013 +0100
@@ -34,8 +34,8 @@
import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.Status;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -145,7 +145,7 @@
// If the secure processing feature is on set a security manager.
if (secureProcessing) {
- xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
+ xmlReader.setProperty0(SECURITY_MANAGER, new XMLSecurityManager());
}
// Set application's features, followed by validation features.
@@ -391,7 +391,7 @@
}
if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
try {
- setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+ setProperty(SECURITY_MANAGER, value ? new XMLSecurityManager() : null);
}
catch (SAXNotRecognizedException exc) {
// If the property is not supported
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Thu Oct 10 16:45:02 2013 +0100
@@ -24,7 +24,7 @@
import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
import com.sun.org.apache.xerces.internal.parsers.XML11Configuration;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException;
@@ -170,7 +170,7 @@
private XMLParserConfiguration initialize() {
XML11Configuration config = new XML11Configuration();
if (fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
- config.setProperty(SECURITY_MANAGER, new SecurityManager());
+ config.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
}
config.setProperty(ENTITY_RESOLVER, fComponentManager.getProperty(ENTITY_RESOLVER));
config.setProperty(ERROR_HANDLER, fComponentManager.getProperty(ERROR_HANDLER));
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Thu Oct 10 16:45:02 2013 +0100
@@ -49,10 +49,10 @@
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName;
@@ -679,7 +679,7 @@
reader = spf.newSAXParser().getXMLReader();
// If this is a Xerces SAX parser, set the security manager if there is one
if (reader instanceof com.sun.org.apache.xerces.internal.parsers.SAXParser) {
- SecurityManager securityManager = (SecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
+ XMLSecurityManager securityManager = (XMLSecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
if (securityManager != null) {
try {
reader.setProperty(SECURITY_MANAGER, securityManager);
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Thu Oct 10 16:45:02 2013 +0100
@@ -41,10 +41,10 @@
import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXInputSource;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.StAXInputSource;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -78,7 +78,7 @@
private static final String XMLGRAMMAR_POOL =
Constants.XERCES_PROPERTY_PREFIX + Constants.XMLGRAMMAR_POOL_PROPERTY;
- /** Property identifier: SecurityManager. */
+ /** Property identifier: XMLSecurityManager. */
private static final String SECURITY_MANAGER =
Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
@@ -101,8 +101,8 @@
/** The ErrorHandlerWrapper */
private ErrorHandlerWrapper fErrorHandlerWrapper;
- /** The SecurityManager. */
- private SecurityManager fSecurityManager;
+ /** The XMLSecurityManager. */
+ private XMLSecurityManager fSecurityManager;
/** The container for the real grammar pool. */
private XMLGrammarPoolWrapper fXMLGrammarPoolWrapper;
@@ -130,7 +130,7 @@
fXMLSchemaLoader.setErrorHandler(fErrorHandlerWrapper);
// Enable secure processing feature by default
- fSecurityManager = new SecurityManager();
+ fSecurityManager = new XMLSecurityManager();
fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
}
@@ -348,7 +348,7 @@
SAXMessageFormatter.formatMessage(null,
"jaxp-secureprocessing-feature", null));
}
- fSecurityManager = value ? new SecurityManager() : null;
+ fSecurityManager = value ? new XMLSecurityManager() : null;
fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
return;
} else if (name.equals(Constants.ORACLE_FEATURE_SERVICE_MECHANISM)) {
@@ -381,7 +381,7 @@
"ProperyNameNull", null));
}
if (name.equals(SECURITY_MANAGER)) {
- fSecurityManager = (SecurityManager) object;
+ fSecurityManager = (XMLSecurityManager) object;
fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
return;
}
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java Thu Oct 10 16:45:02 2013 +0100
@@ -39,9 +39,9 @@
import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.XNIException;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@@ -176,7 +176,7 @@
private final HashMap fInitProperties = new HashMap();
/** Stores the initial security manager. */
- private final SecurityManager fInitSecurityManager;
+ private final XMLSecurityManager fInitSecurityManager;
//
// User Objects
@@ -215,7 +215,7 @@
if (System.getSecurityManager() != null) {
_isSecureMode = true;
- setProperty(SECURITY_MANAGER, new SecurityManager());
+ setProperty(SECURITY_MANAGER, new XMLSecurityManager());
} else {
fComponents.put(SECURITY_MANAGER, null);
}
@@ -236,7 +236,7 @@
// if the secure processing feature is set to true, add a security manager to the configuration
Boolean secureProcessing = grammarContainer.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
if (Boolean.TRUE.equals(secureProcessing)) {
- fInitSecurityManager = new SecurityManager();
+ fInitSecurityManager = new XMLSecurityManager();
}
else {
fInitSecurityManager = null;
@@ -299,7 +299,7 @@
if (_isSecureMode && !value) {
throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING);
}
- setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+ setProperty(SECURITY_MANAGER, value ? new XMLSecurityManager() : null);
return;
}
fConfigUpdated = true;
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java Thu Oct 10 16:45:02 2013 +0100
@@ -25,10 +25,10 @@
import com.sun.org.apache.xerces.internal.util.EntityResolverWrapper;
import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.Status;
import com.sun.org.apache.xerces.internal.util.SymbolHash;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName;
@@ -1651,7 +1651,7 @@
else if (featureId.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
if (state) {
if (fConfiguration.getProperty(SECURITY_MANAGER )==null) {
- fConfiguration.setProperty(SECURITY_MANAGER, new SecurityManager());
+ fConfiguration.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
}
}
}
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java
--- a/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java Thu Oct 10 16:45:02 2013 +0100
@@ -23,8 +23,8 @@
import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
/**
* This configuration allows Xerces to behave in a security-conscious manner; that is,
@@ -106,8 +106,8 @@
XMLComponentManager parentSettings) {
super(symbolTable, grammarPool, parentSettings);
- // create the SecurityManager property:
- setProperty(SECURITY_MANAGER_PROPERTY, new SecurityManager());
+ // create the XMLSecurityManager property:
+ setProperty(SECURITY_MANAGER_PROPERTY, new XMLSecurityManager());
} // (SymbolTable,XMLGrammarPool)
} // class SecurityConfiguration
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/util/SecurityManager.java
--- a/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java Thu Oct 10 16:30:46 2013 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,226 +0,0 @@
-/*
- * reserved comment block
- * DO NOT REMOVE OR ALTER!
- */
-/*
- * The Apache Software License, Version 1.1
- *
- *
- * Copyright (c) 2003 The Apache Software Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Xerces" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation and was
- * originally based on software copyright (c) 1999, International
- * Business Machines, Inc., http://www.apache.org. For more
- * information on the Apache Software Foundation, please see
- * Sets the number of entity expansions that the
- * parser should permit in a document.
- *
- * @param limit the number of entity expansions
- * permitted in a document
- */
- public void setEntityExpansionLimit(int limit) {
- entityExpansionLimit = limit;
- }
-
- /**
- * Returns the number of entity expansions
- * that the parser permits in a document.
- *
- * @return the number of entity expansions
- * permitted in a document
- */
- public int getEntityExpansionLimit() {
- return entityExpansionLimit;
- }
-
- /**
- * Sets the limit of the number of content model nodes
- * that may be created when building a grammar for a W3C
- * XML Schema that contains maxOccurs attributes with values
- * other than "unbounded".
- *
- * @param limit the maximum value for maxOccurs other
- * than "unbounded"
- */
- public void setMaxOccurNodeLimit(int limit){
- maxOccurLimit = limit;
- }
-
- /**
- * Returns the limit of the number of content model nodes
- * that may be created when building a grammar for a W3C
- * XML Schema that contains maxOccurs attributes with values
- * other than "unbounded".
- *
- * @return the maximum value for maxOccurs other
- * than "unbounded"
- */
- public int getMaxOccurNodeLimit(){
- return maxOccurLimit;
- }
-
- public int getElementAttrLimit(){
- return fElementAttributeLimit;
- }
-
- public void setElementAttrLimit(int limit){
- fElementAttributeLimit = limit;
- }
-
- private void readSystemProperties(){
-
- //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
- try {
- String value = getSystemProperty(Constants.ENTITY_EXPANSION_LIMIT);
- if(value != null && !value.equals("")){
- entityExpansionLimit = Integer.parseInt(value);
- if (entityExpansionLimit < 0)
- entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
- }
- else
- entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
- }catch(Exception ex){}
-
- try {
- String value = getSystemProperty(Constants.MAX_OCCUR_LIMIT);
- if(value != null && !value.equals("")){
- maxOccurLimit = Integer.parseInt(value);
- if (maxOccurLimit < 0)
- maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
- }
- else
- maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
- }catch(Exception ex){}
-
- try {
- String value = getSystemProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
- if(value != null && !value.equals("")){
- fElementAttributeLimit = Integer.parseInt(value);
- if ( fElementAttributeLimit < 0)
- fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
- }
- else
- fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
-
- }catch(Exception ex){}
-
- }
-
- private String getSystemProperty(final String propName) {
- return AccessController.doPrivileged(new PrivilegedAction() {
- public String run() {
- return System.getProperty(propName);
- }
- });
- }
-} // class SecurityManager
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/util/SymbolTable.java
--- a/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java Thu Oct 10 16:45:02 2013 +0100
@@ -173,7 +173,7 @@
for (int i = 0; i < length; i++) {
code = code * 37 + symbol.charAt(i);
}
- return code & 0x7FFFFFF;
+ return code & 0x7FFFFFFF;
} // hash(String):int
@@ -194,7 +194,7 @@
for (int i = 0; i < length; i++) {
code = code * 37 + buffer[offset + i];
}
- return code & 0x7FFFFFF;
+ return code & 0x7FFFFFFF;
} // hash(char[],int,int):int
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java Thu Oct 10 16:45:02 2013 +0100
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+
+/**
+ * This class manages standard and implementation-specific limitations.
+ *
+ */
+public final class XMLSecurityManager {
+
+ /**
+ * States of the settings of a property, in the order: default value, value
+ * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+ * properties, and jaxp api properties
+ */
+ public static enum State {
+ //this order reflects the overriding order
+ DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+ }
+
+ /**
+ * Limits managed by the security manager
+ */
+ public static enum Limit {
+ ENTITY_EXPANSION_LIMIT(64000),
+ MAX_OCCUR_NODE_LIMIT(5000),
+ ELEMENT_ATTRIBUTE_LIMIT(10000);
+
+ final int defaultValue;
+
+ Limit(int value) {
+ this.defaultValue = value;
+ }
+
+ int defaultValue() {
+ return defaultValue;
+ }
+ }
+
+ /**
+ * Values of the limits as defined in enum Limit
+ */
+ private final int[] limits;
+ /**
+ * States of the settings for each limit in limits above
+ */
+ private State[] states = {State.DEFAULT, State.DEFAULT, State.DEFAULT, State.DEFAULT};
+
+ /**
+ * Default constructor. Establishes default values for known security
+ * vulnerabilities.
+ */
+ public XMLSecurityManager() {
+ limits = new int[Limit.values().length];
+ for (Limit limit : Limit.values()) {
+ limits[limit.ordinal()] = limit.defaultValue();
+ }
+ //read system properties or jaxp.properties
+ readSystemProperties();
+ }
+
+ /**
+ * Sets the limit for a specific type of XML constructs. This can be either
+ * the size or the number of the constructs.
+ *
+ * @param type the type of limitation
+ * @param state the state of limitation
+ * @param limit the limit to the type
+ */
+ public void setLimit(Limit limit, State state, int value) {
+ //only update if it shall override
+ if (state.compareTo(states[limit.ordinal()]) >= 0) {
+ limits[limit.ordinal()] = value;
+ states[limit.ordinal()] = state;
+ }
+ }
+
+ /**
+ * Returns the limit set for the type specified
+ *
+ * @param limit the type of limitation
+ * @return the limit to the type
+ */
+ public int getLimit(Limit limit) {
+ return limits[limit.ordinal()];
+ }
+
+ /**
+ * Read from system properties, or those in jaxp.properties
+ */
+ private void readSystemProperties() {
+ getSystemProperty(Limit.ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT);
+ getSystemProperty(Limit.MAX_OCCUR_NODE_LIMIT, Constants.MAX_OCCUR_LIMIT);
+ getSystemProperty(Limit.ELEMENT_ATTRIBUTE_LIMIT,
+ Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
+ }
+
+ /**
+ * Read from system properties, or those in jaxp.properties
+ *
+ * @param limit the type of the property
+ * @param property the property name
+ */
+ private void getSystemProperty(Limit limit, String property) {
+ try {
+ String value = SecuritySupport.getSystemProperty(property);
+ if (value != null && !value.equals("")) {
+ limits[limit.ordinal()] = Integer.parseInt(value);
+ states[limit.ordinal()] = State.SYSTEMPROPERTY;
+ return;
+ }
+
+ value = SecuritySupport.readJAXPProperty(property);
+ if (value != null && !value.equals("")) {
+ limits[limit.ordinal()] = Integer.parseInt(value);
+ states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
+ }
+ } catch (NumberFormatException e) {
+ //invalid setting ignored
+ }
+ }
+}
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java
--- a/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java Thu Oct 10 16:45:02 2013 +0100
@@ -36,7 +36,6 @@
import com.sun.org.apache.xerces.internal.util.HTTPInputSource;
import com.sun.org.apache.xerces.internal.util.IntStack;
import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
import com.sun.org.apache.xerces.internal.util.SymbolTable;
import com.sun.org.apache.xerces.internal.util.URI;
import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
@@ -44,6 +43,7 @@
import com.sun.org.apache.xerces.internal.util.XMLChar;
import com.sun.org.apache.xerces.internal.util.XMLSymbols;
import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
import com.sun.org.apache.xerces.internal.xni.Augmentations;
import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
import com.sun.org.apache.xerces.internal.xni.QName;
@@ -282,7 +282,7 @@
protected SymbolTable fSymbolTable;
protected XMLErrorReporter fErrorReporter;
protected XMLEntityResolver fEntityResolver;
- protected SecurityManager fSecurityManager;
+ protected XMLSecurityManager fSecurityManager;
// these are needed for text include processing
protected XIncludeTextReader fXInclude10TextReader;
@@ -508,8 +508,8 @@
// Get security manager.
try {
- SecurityManager value =
- (SecurityManager)componentManager.getProperty(
+ XMLSecurityManager value =
+ (XMLSecurityManager)componentManager.getProperty(
SECURITY_MANAGER);
if (value != null) {
@@ -658,7 +658,7 @@
return;
}
if (propertyId.equals(SECURITY_MANAGER)) {
- fSecurityManager = (SecurityManager)value;
+ fSecurityManager = (XMLSecurityManager)value;
if (fChildConfig != null) {
fChildConfig.setProperty(propertyId, value);
}
diff -r f5d8437f4407 -r 00f1d7d220a9 src/com/sun/xml/internal/stream/Entity.java
--- a/src/com/sun/xml/internal/stream/Entity.java Thu Oct 10 16:30:46 2013 +0100
+++ b/src/com/sun/xml/internal/stream/Entity.java Thu Oct 10 16:45:02 2013 +0100
@@ -248,7 +248,7 @@
public int fBufferSize = DEFAULT_BUFFER_SIZE;
/** Default buffer size before we've finished with the XMLDecl: */
- public static final int DEFAULT_XMLDECL_BUFFER_SIZE = 28;
+ public static final int DEFAULT_XMLDECL_BUFFER_SIZE = 64;
/** Default internal entity buffer size (1024). */
public static final int DEFAULT_INTERNAL_BUFFER_SIZE = 1024;