# HG changeset patch # User xuelei # Date 1382589172 25200 # Node ID 4d306e39ea231e2a08956cf2c64e320a4cc78d8c # Parent 3dd8ae9c848ccfa6b145ab0943c7040b2eec38a5 8026417: Enhance XML canonicalization Summary: Copy before use mutable byte arrays. Also reviewed by Alexander Fomin Reviewed-by: weijun, mullan, hawtin, ahgross diff -r 3dd8ae9c848c -r 4d306e39ea23 src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java Tue Oct 15 11:34:38 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java Wed Oct 23 21:32:52 2013 -0700 @@ -63,6 +63,9 @@ public abstract class CanonicalizerBase extends CanonicalizerSpi { //Constants to be outputed, In char array form, so //less garbage is generate when outputed. + // + // Make sure you clone the following mutable arrays before passing to + // potentially untrusted objects such as OutputStreams. private static final byte[] _END_PI = {'?','>'}; private static final byte[] _BEGIN_PI = {'<','?'}; private static final byte[] _END_COMM = {'-','-','>'}; @@ -75,10 +78,11 @@ private static final byte[] _LT_ = {'&','l','t',';'}; private static final byte[] _END_TAG = {'<','/'}; private static final byte[] _AMP_ = {'&','a','m','p',';'}; + private static final byte[] _EQUALS_STR = {'=','\"'}; + final static AttrCompare COMPARE=new AttrCompare(); final static String XML="xml"; final static String XMLNS="xmlns"; - final static byte[] equalsStr= {'=','\"'}; static final int NODE_BEFORE_DOCUMENT_ELEMENT = -1; static final int NODE_NOT_BEFORE_OR_AFTER_DOCUMENT_ELEMENT = 0; static final int NODE_AFTER_DOCUMENT_ELEMENT = 1; @@ -309,7 +313,7 @@ writer.write('>'); sibling= currentNode.getFirstChild(); if (sibling==null) { - writer.write(_END_TAG); + writer.write(_END_TAG.clone()); UtfHelpper.writeStringToUtf8(name,writer); writer.write('>'); //We fineshed with this level, pop to the previous definitions. @@ -323,7 +327,7 @@ break; } while (sibling==null && parentNode!=null) { - writer.write(_END_TAG); + writer.write(_END_TAG.clone()); UtfHelpper.writeByte(((Element)parentNode).getTagName(),writer,cache); writer.write('>'); //We fineshed with this level, pop to the previous definitions. @@ -479,7 +483,7 @@ if (sibling==null) { if (currentNodeIsVisible) { - writer.write(_END_TAG); + writer.write(_END_TAG.clone()); UtfHelpper.writeByte(name,writer,cache); writer.write('>'); //We fineshed with this level, pop to the previous definitions. @@ -497,7 +501,7 @@ } while (sibling==null && parentNode!=null) { if (isVisible(parentNode)) { - writer.write(_END_TAG); + writer.write(_END_TAG.clone()); UtfHelpper.writeByte(((Element)parentNode).getTagName(),writer,cache); writer.write('>'); //We fineshed with this level, pop to the previous definitions. @@ -659,7 +663,7 @@ final Map cache) throws IOException { writer.write(' '); UtfHelpper.writeByte(name,writer,cache); - writer.write(equalsStr); + writer.write(_EQUALS_STR.clone()); byte []toWrite; final int length = value.length(); int i=0; @@ -669,27 +673,27 @@ switch (c) { case '&' : - toWrite=_AMP_; + toWrite=_AMP_.clone(); break; case '<' : - toWrite=_LT_; + toWrite=_LT_.clone(); break; case '"' : - toWrite=_QUOT_; + toWrite=_QUOT_.clone(); break; case 0x09 : // '\t' - toWrite=__X9_; + toWrite=__X9_.clone(); break; case 0x0A : // '\n' - toWrite=__XA_; + toWrite=__XA_.clone(); break; case 0x0D : // '\r' - toWrite=__XD_; + toWrite=__XD_.clone(); break; default : @@ -718,7 +722,7 @@ if (position == NODE_AFTER_DOCUMENT_ELEMENT) { writer.write('\n'); } - writer.write(_BEGIN_PI); + writer.write(_BEGIN_PI.clone()); final String target = currentPI.getTarget(); int length = target.length(); @@ -726,7 +730,7 @@ for (int i = 0; i < length; i++) { char c=target.charAt(i); if (c==0x0D) { - writer.write(__XD_); + writer.write(__XD_.clone()); } else { if (c < 0x80) { writer.write(c); @@ -746,14 +750,14 @@ for (int i = 0; i < length; i++) { char c=data.charAt(i); if (c==0x0D) { - writer.write(__XD_); + writer.write(__XD_.clone()); } else { UtfHelpper.writeCharToUtf8(c,writer); } } } - writer.write(_END_PI); + writer.write(_END_PI.clone()); if (position == NODE_BEFORE_DOCUMENT_ELEMENT) { writer.write('\n'); } @@ -770,7 +774,7 @@ if (position == NODE_AFTER_DOCUMENT_ELEMENT) { writer.write('\n'); } - writer.write(_BEGIN_COMM); + writer.write(_BEGIN_COMM.clone()); final String data = currentComment.getData(); final int length = data.length(); @@ -778,7 +782,7 @@ for (int i = 0; i < length; i++) { char c=data.charAt(i); if (c==0x0D) { - writer.write(__XD_); + writer.write(__XD_.clone()); } else { if (c < 0x80) { writer.write(c); @@ -788,7 +792,7 @@ } } - writer.write(_END_COMM); + writer.write(_END_COMM.clone()); if (position == NODE_BEFORE_DOCUMENT_ELEMENT) { writer.write('\n'); } @@ -810,19 +814,19 @@ switch (c) { case '&' : - toWrite=_AMP_; + toWrite=_AMP_.clone(); break; case '<' : - toWrite=_LT_; + toWrite=_LT_.clone(); break; case '>' : - toWrite=_GT_; + toWrite=_GT_.clone(); break; case 0xD : - toWrite=__XD_; + toWrite=__XD_.clone(); break; default :