# HG changeset patch # User joehw # Date 1381419046 -3600 # Node ID f5d8437f44075f5a30ec0c389fe4bdd5ff9eb630 # Parent d31a609466d976c7d0ea80f9cfc4bf805ed19b9f 8012425: Transform TransformerFactory Reviewed-by: alanb, dfuchs, mullan diff -r d31a609466d9 -r f5d8437f4407 src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java Thu Oct 10 16:18:30 2013 +0100 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java Thu Oct 10 16:30:46 2013 +0100 @@ -261,6 +261,7 @@ _tfactory = tfactory; _useServicesMechanism = _tfactory.useServicesMechnism(); _readerManager = XMLReaderManager.getInstance(_useServicesMechanism); + _readerManager.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _isSecureProcessing); //_isIncremental = tfactory._incremental; } @@ -276,6 +277,7 @@ */ public void setSecureProcessing(boolean flag) { _isSecureProcessing = flag; + _readerManager.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _isSecureProcessing); } /** * Return the state of the services mechanism feature. diff -r d31a609466d9 -r f5d8437f4407 src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java --- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java Thu Oct 10 16:18:30 2013 +0100 +++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java Thu Oct 10 16:30:46 2013 +0100 @@ -105,6 +105,13 @@ if (reader == null) { try { reader= XMLReaderFactory.createXMLReader(); + try { + reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, + xsltc.isSecureProcessing()); + } catch (SAXNotRecognizedException e) { + System.err.println("Warning: " + reader.getClass().getName() + ": " + + e.getMessage()); + } } catch (Exception e ) { try { diff -r d31a609466d9 -r f5d8437f4407 src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java --- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Thu Oct 10 16:18:30 2013 +0100 
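Review bot: `_readerManager` is obtained from `XMLReaderManager.getInstance(...)`, so if that call returns a shared instance (its body is not in this diff, but the class has a hidden constructor), the secure-processing flag written in the constructor and again in `setSecureProcessing` (hunk at -276) becomes process-wide state rather than per-transformer state. A transformer with the feature off would then lower the setting for readers handed to every other transformer, and the last writer wins. Consider passing the flag when a reader is requested instead of storing it on the manager, or state in a comment on both calls why sharing is safe. The constructor also passes `_isSecureProcessing` before any setter can have run, so the value there is whatever the field initializer gives; the constructor body starts outside the hunk.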
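Review bot: The inner `catch (SAXNotRecognizedException e)` lets processing continue with a reader that did not accept `XMLConstants.FEATURE_SECURE_PROCESSING`, printing only a warning to `System.err`; the same pattern is repeated in `XMLReaderManager.java` (hunk at -113). When `xsltc.isSecureProcessing()` is true this fails open: the caller asked for hardened parsing and silently gets a reader without it. `SAXNotSupportedException` is not caught here, so it lands in the outer `catch (Exception e)`, which appears to be the reader-creation fallback, and the two failure modes end up on different paths. I would handle both exceptions the same way and refuse the reader when the flag is true, keeping the warning only for the case where the flag is false. The enclosing method starts and ends outside the hunk.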
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java Thu Oct 10 16:30:46 2013 +0100 @@ -20,27 +20,27 @@ package com.sun.org.apache.xerces.internal.jaxp.validation; -import java.lang.ref.SoftReference; -import java.io.IOException; - -import javax.xml.transform.Result; -import javax.xml.transform.Source; -import javax.xml.transform.sax.SAXTransformerFactory; -import javax.xml.transform.sax.TransformerHandler; -import javax.xml.transform.stream.StreamSource; -import javax.xml.transform.stream.StreamResult; -import javax.xml.transform.TransformerConfigurationException; -import javax.xml.transform.TransformerFactory; -import javax.xml.transform.TransformerFactoryConfigurationError; - import com.sun.org.apache.xerces.internal.impl.Constants; import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter; import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter; import com.sun.org.apache.xerces.internal.parsers.XML11Configuration; +import com.sun.org.apache.xerces.internal.util.SecurityManager; import com.sun.org.apache.xerces.internal.xni.XNIException; import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource; import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException; import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration; +import java.io.IOException; +import java.lang.ref.SoftReference; +import javax.xml.XMLConstants; +import javax.xml.transform.Result; +import javax.xml.transform.Source; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.sax.SAXTransformerFactory; +import javax.xml.transform.sax.TransformerHandler; +import javax.xml.transform.stream.StreamResult; +import javax.xml.transform.stream.StreamSource; import org.xml.sax.SAXException; /** 
@@ -85,6 +85,11 @@ Constants.XERCES_PROPERTY_PREFIX + Constants.VALIDATION_MANAGER_PROPERTY; private static final String DEFAULT_TRANSFORMER_IMPL = "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl"; + + /** Property id: security manager. */ + private static final String SECURITY_MANAGER = + Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; + // // Data // @@ -164,6 +169,9 @@ private XMLParserConfiguration initialize() { XML11Configuration config = new XML11Configuration(); + if (fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) { + config.setProperty(SECURITY_MANAGER, new SecurityManager()); + } config.setProperty(ENTITY_RESOLVER, fComponentManager.getProperty(ENTITY_RESOLVER)); config.setProperty(ERROR_HANDLER, fComponentManager.getProperty(ERROR_HANDLER)); XMLErrorReporter errorReporter = (XMLErrorReporter) fComponentManager.getProperty(ERROR_REPORTER); diff -r d31a609466d9 -r f5d8437f4407 src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java --- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Thu Oct 10 16:18:30 2013 +0100 +++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java Thu Oct 10 16:30:46 2013 +0100 @@ -674,6 +674,8 @@ SAXParserFactory.newInstance() : new SAXParserFactoryImpl(); spf.setNamespaceAware(true); try { + spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, + fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)); reader = spf.newSAXParser().getXMLReader(); // If this is a Xerces SAX parser, set the security manager if there is one if (reader instanceof com.sun.org.apache.xerces.internal.parsers.SAXParser) { diff -r d31a609466d9 -r f5d8437f4407 src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java --- a/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java Thu Oct 10 16:18:30 2013 +0100 
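Review bot: `initialize()` (hunk at -164) installs a fresh `new SecurityManager()` rather than propagating one from `fComponentManager`, unlike `ENTITY_RESOLVER` and `ERROR_HANDLER`, which are copied on the lines that follow. If the component manager already holds a security manager with caller-configured limits, the stream path would run with default limits instead; the context comment in `ValidatorHandlerImpl.java` (hunk at -674), "set the security manager if there is one", suggests such an instance can exist. Consider reading `fComponentManager.getProperty(SECURITY_MANAGER)` first and creating a new instance only when that is null and secure processing is on. The rest of `initialize()` is outside the hunk, so whether the component manager recognizes that property needs confirming.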
+++ b/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java Thu Oct 10 16:30:46 2013 +0100 @@ -20,16 +20,13 @@ package com.sun.org.apache.xerces.internal.parsers; -import java.io.IOException; -import java.util.Locale; - import com.sun.org.apache.xerces.internal.impl.Constants; -import com.sun.org.apache.xerces.internal.util.Status; -import com.sun.org.apache.xerces.internal.xs.PSVIProvider; +import com.sun.org.apache.xerces.internal.util.EntityResolver2Wrapper; import com.sun.org.apache.xerces.internal.util.EntityResolverWrapper; -import com.sun.org.apache.xerces.internal.util.EntityResolver2Wrapper; import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper; import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter; +import com.sun.org.apache.xerces.internal.util.SecurityManager; +import com.sun.org.apache.xerces.internal.util.Status; import com.sun.org.apache.xerces.internal.util.SymbolHash; import com.sun.org.apache.xerces.internal.util.XMLSymbols; import com.sun.org.apache.xerces.internal.xni.Augmentations; @@ -48,15 +45,17 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration; import com.sun.org.apache.xerces.internal.xs.AttributePSVI; import com.sun.org.apache.xerces.internal.xs.ElementPSVI; +import com.sun.org.apache.xerces.internal.xs.PSVIProvider; +import java.io.IOException; +import java.util.Locale; +import javax.xml.XMLConstants; import org.xml.sax.AttributeList; -import org.xml.sax.Attributes; import org.xml.sax.ContentHandler; import org.xml.sax.DTDHandler; import org.xml.sax.DocumentHandler; import org.xml.sax.EntityResolver; import org.xml.sax.ErrorHandler; import org.xml.sax.InputSource; -import org.xml.sax.Locator; import org.xml.sax.Parser; import org.xml.sax.SAXException; import org.xml.sax.SAXNotRecognizedException; 
@@ -131,6 +130,10 @@ protected static final String DOM_NODE = Constants.SAX_PROPERTY_PREFIX + Constants.DOM_NODE_PROPERTY; + /** Property id: security manager. */ + private static final String SECURITY_MANAGER = + Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; + /** Recognized properties. */ private static final String[] RECOGNIZED_PROPERTIES = { LEXICAL_HANDLER, @@ -1645,19 +1648,13 @@ // Drop through and perform default processing // } - - // - // Xerces Features - // - - /* - else if (featureId.startsWith(XERCES_FEATURES_PREFIX)) { - String feature = featureId.substring(XERCES_FEATURES_PREFIX.length()); - // - // Drop through and perform default processing - // + else if (featureId.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) { + if (state) { + if (fConfiguration.getProperty(SECURITY_MANAGER )==null) { + fConfiguration.setProperty(SECURITY_MANAGER, new SecurityManager()); + } + } } - */ // // Default handling diff -r d31a609466d9 -r f5d8437f4407 src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java --- a/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java Thu Oct 10 16:18:30 2013 +0100 +++ b/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java Thu Oct 10 16:30:46 2013 +0100 @@ -20,11 +20,6 @@ package com.sun.org.apache.xerces.internal.parsers; -import java.io.IOException; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.Locale; - import com.sun.org.apache.xerces.internal.impl.Constants; import com.sun.org.apache.xerces.internal.impl.XML11DTDScannerImpl; import com.sun.org.apache.xerces.internal.impl.XML11DocumentScannerImpl; 
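Review bot: The new `XMLConstants.FEATURE_SECURE_PROCESSING` branch (hunk at -1645) acts only when `state` is true; with `state` false an already installed `SECURITY_MANAGER` property stays in place while the feature flag itself presumably becomes false in the default handling below. That is the safe direction, but the flag and the enforced limits can then disagree, which misleads anyone auditing a parser's configuration. A comment on the branch would settle the intent, for example `// Turning the feature off deliberately leaves an existing SecurityManager installed.` The two nested `if`s can also be one condition, `if (state && fConfiguration.getProperty(SECURITY_MANAGER) == null)`. The method starts and ends outside the hunk.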
@@ -68,6 +63,11 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLErrorHandler; import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource; import com.sun.org.apache.xerces.internal.xni.parser.XMLPullParserConfiguration; +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Locale; +import javax.xml.XMLConstants; /** * This class is the configuration used to parse XML 1.0 and XML 1.1 documents. @@ -443,26 +443,26 @@ XMLGrammarPool grammarPool, XMLComponentManager parentSettings) { - super(parentSettings); + super(parentSettings); - // create a vector to hold all the components in use - // XML 1.0 specialized components - fComponents = new ArrayList(); - // XML 1.1 specialized components - fXML11Components = new ArrayList(); - // Common components for XML 1.1. and XML 1.0 - fCommonComponents = new ArrayList(); + // create a vector to hold all the components in use + // XML 1.0 specialized components + fComponents = new ArrayList(); + // XML 1.1 specialized components + fXML11Components = new ArrayList(); + // Common components for XML 1.1. and XML 1.0 + fCommonComponents = new ArrayList(); - // create table for features and properties - fFeatures = new HashMap(); - fProperties = new HashMap(); + // create table for features and properties + fFeatures = new HashMap(); + fProperties = new HashMap(); // add default recognized features final String[] recognizedFeatures = { CONTINUE_AFTER_FATAL_ERROR, LOAD_EXTERNAL_DTD, // from XMLDTDScannerImpl - VALIDATION, - NAMESPACES, + VALIDATION, + NAMESPACES, NORMALIZE_DATA, SCHEMA_ELEMENT_DEFAULT, SCHEMA_AUGMENT_PSVI, GENERATE_SYNTHETIC_ANNOTATIONS, VALIDATE_ANNOTATIONS, HONOUR_ALL_SCHEMALOCATIONS, NAMESPACE_GROWTH, 
@@ -473,28 +473,32 @@ // features might not have been set and it would cause a // not-recognized exception to be thrown. -Ac XMLSCHEMA_VALIDATION, XMLSCHEMA_FULL_CHECKING, - EXTERNAL_GENERAL_ENTITIES, - EXTERNAL_PARAMETER_ENTITIES, - PARSER_SETTINGS + EXTERNAL_GENERAL_ENTITIES, + EXTERNAL_PARAMETER_ENTITIES, + PARSER_SETTINGS, + XMLConstants.FEATURE_SECURE_PROCESSING }; + addRecognizedFeatures(recognizedFeatures); // set state for default features - fFeatures.put(VALIDATION, Boolean.FALSE); - fFeatures.put(NAMESPACES, Boolean.TRUE); - fFeatures.put(EXTERNAL_GENERAL_ENTITIES, Boolean.TRUE); - fFeatures.put(EXTERNAL_PARAMETER_ENTITIES, Boolean.TRUE); - fFeatures.put(CONTINUE_AFTER_FATAL_ERROR, Boolean.FALSE); - fFeatures.put(LOAD_EXTERNAL_DTD, Boolean.TRUE); - fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE); - fFeatures.put(NORMALIZE_DATA, Boolean.TRUE); - fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE); + // set state for default features + fFeatures.put(VALIDATION, Boolean.FALSE); + fFeatures.put(NAMESPACES, Boolean.TRUE); + fFeatures.put(EXTERNAL_GENERAL_ENTITIES, Boolean.TRUE); + fFeatures.put(EXTERNAL_PARAMETER_ENTITIES, Boolean.TRUE); + fFeatures.put(CONTINUE_AFTER_FATAL_ERROR, Boolean.FALSE); + fFeatures.put(LOAD_EXTERNAL_DTD, Boolean.TRUE); + fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE); + fFeatures.put(NORMALIZE_DATA, Boolean.TRUE); + fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE); fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE); fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE); fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE); fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE); fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE); fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE); - fFeatures.put(PARSER_SETTINGS, Boolean.TRUE); + fFeatures.put(PARSER_SETTINGS, Boolean.TRUE); + fFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); // add default recognized properties final String[] recognizedProperties = diff -r 
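Review bot: The constructor now defaults `XMLConstants.FEATURE_SECURE_PROCESSING` to `Boolean.TRUE`, but no `SECURITY_MANAGER` property is set in the visible lines, so a configuration built directly may report the feature as on without any limits being enforced. Elsewhere in this changeset the manager is installed only by callers (`AbstractSAXParser` in its feature setter, `StreamValidatorHelper.initialize()`). Either install a default security manager alongside the feature default, or add a comment such as `// Flag only; the SecurityManager property is installed by the parser or validator.` so the flag is not read as proof of enforcement. The property defaults further down the constructor are outside the hunk and should be checked before acting on this.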
d31a609466d9 -r f5d8437f4407 src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java --- a/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java Thu Oct 10 16:18:30 2013 +0100 +++ b/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java Thu Oct 10 16:30:46 2013 +0100 @@ -26,6 +26,7 @@ import com.sun.org.apache.xalan.internal.utils.FactoryImpl; import java.util.HashMap; +import javax.xml.XMLConstants; import javax.xml.parsers.FactoryConfigurationError; import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParserFactory; @@ -33,6 +34,7 @@ import org.xml.sax.XMLReader; import org.xml.sax.helpers.XMLReaderFactory; import org.xml.sax.SAXException; +import org.xml.sax.SAXNotRecognizedException; /** * Creates XMLReader objects and caches them for re-use. @@ -63,6 +65,8 @@ private HashMap m_inUse; private boolean m_useServicesMechanism = true; + + private boolean _secureProcessing; /** * Hidden constructor */ @@ -113,7 +117,12 @@ // TransformerFactory creates a reader via the // XMLReaderFactory if setXMLReader is not used reader = XMLReaderFactory.createXMLReader(); - + try { + reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _secureProcessing); + } catch (SAXNotRecognizedException e) { + System.err.println("Warning: " + reader.getClass().getName() + ": " + + e.getMessage()); + } } catch (Exception e) { try { // If unable to create an instance, let's try to use @@ -181,4 +190,13 @@ m_useServicesMechanism = flag; } + /** + * Set feature + */ + public void setFeature(String name, boolean value) { + if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) { + _secureProcessing = value; + } + } + }
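Review bot: The feature is applied only on the branch that has just called `XMLReaderFactory.createXMLReader()` (hunk at -113), while the class Javadoc says readers are cached for re-use. A reader created while `_secureProcessing` was false and later handed out again would, as far as the hunk shows, keep the old setting after the flag has been switched to true. Applying the feature at the point where a reader is returned to the caller, for new and cached instances alike, would close that gap. The rest of the method is outside the hunk, so the reuse path needs to be checked there.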
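Review bot: `setFeature` (hunk at -181) silently ignores every name other than `XMLConstants.FEATURE_SECURE_PROCESSING`, and its Javadoc says only "Set feature". A caller passing any other feature gets no error and no effect, so the contract should be written down: `/** Records the secure-processing state applied to readers created by this manager; other feature names are ignored. */`. The backing field `_secureProcessing` (hunk at -63) defaults to false, so until some transformer calls this setter the manager explicitly passes `false` to each new reader, even though `XML11Configuration` in this changeset defaults the feature to `Boolean.TRUE`; defaulting the field to true would be the safer choice if compatibility allows. The setter is also unsynchronized, so if the manager is shared across threads, as `getInstance` suggests, the write may need the same lock as the code that reads the field.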