changeset 852:e9b2b5130b07

Merge
author Goetz
date Mon, 03 Jun 2013 15:27:00 +0200
parents 601174c87338 (current diff) 52bcce690998 (diff)
children 78bd066359f2
files .hgtags
diffstat 196 files changed, 2937 insertions(+), 3417 deletions(-) [+]
--- a/.hgtags	Tue Mar 12 09:57:47 2013 +0100
+++ b/.hgtags	Mon Jun 03 15:27:00 2013 +0200
@@ -216,6 +216,8 @@
 78d9e4853388a2e7be18ff18c0b5330c074cb514 jdk7u9-b02
 b12a2d557c5e302b614c5f7e25ad6c8a0e138742 jdk7u9-b04
 ab4bbb93b3831aca230c62431f7fe02b56793450 jdk7u9-b05
+039b21e98d2b2d0b26a19c325b37ce522bae39de jdk7u9-b31
+d80a8e81fef0bc6e0bdb7891895bda527853add1 jdk7u9-b32
 254ed6ae237ee631179819570cf7fb265c6fb3a8 jdk7u10-b10
 c1df39bcc9c1bcdfb2a92682650264b3b7771ce8 jdk7u10-b11
 00cfd60368048c4969785eb52ec50cf5691c4367 jdk7u10-b12
@@ -226,8 +228,11 @@
 86c75e6aa3a7fa9a587fc7dd2d08af8aa8ffb9a9 jdk7u10-b17
 162a2c6ad8718a63253fa53724f704a4f85731bc jdk7u10-b18
 c59eb287de720ae5ce8087f179ec01f4f6525a32 jdk7u10-b30
+ec1e8ead41ee49d2b3f84a26ae0fac88e226692d jdk7u10-b31
 853059839d38432f86e345ba951397ede235a374 jdk7u11-b20
 453a52320a1b8bd425fdb55e14b64067b536f1e2 jdk7u11-b21
+71353182d3f7c237047c5386d9f31186a5bd1519 jdk7u11-b32
+af8f33c558d05aacdff5b5787be0cbaba9f10e98 jdk7u11-b33
 5df9207c4378b7f4b24d70b365714c5ee6318982 jdk7u11-b03
 6ee19b9c8313db32e6d8989aa3782830d2b09710 jdk7u11-b04
 3312b258392eaeab9c4a20e3deb36d3ae3337efe jdk7u11-b05
@@ -235,6 +240,8 @@
 225aa78c36e9b776c87e585329bbb7ee0e3259a3 jdk7u11-b07
 48491f5a58172f0fbdf9b774842c2ec1a42f609a jdk7u11-b08
 eb9d57159e5126cf4316c9571ac39324a8b442a8 jdk7u13-b09
+f9fe0d38b1103cb33073538c959d982e28ed7b11 jdk7u13-b10
+0a6a09e5174a4c15632ff7e06d6b215164e3fa15 jdk7u13-b30
 f9fe0d38b1103cb33073538c959d982e28ed7b11 jdk7u13-b20
 1365e7472a3b737dda4a73e06ad41718d667d9be jdk7u8-b01
 0a313d4307930be3a64106b9b8c90f9342673aa0 jdk7u8-b02
@@ -261,3 +268,38 @@
 7038ca4959e50a02f797e639daffe6b2b4065f86 jdk7u14-b14
 aa6fb94c5e7bc645f478b6f60c5e6e06bebcc2bf jdk7u14-b15
 1d1e1fc3b88d2fda0c7da55ee3abb2b455e0d317 ppc-aix-port-b04
+99c114990b191f32e72c6158072033aec5816aaf jdk7u15-b01
+edbaa584f09a78d0ad3c73389faf20409a552e46 jdk7u15-b02
+14a9b60a2086f4e2f6ec43bee3375042946f6510 jdk7u15-b30
+de6df3c10ebc0f8c704a11ad86c8eea1e1cc1442 jdk7u15-b31
+039c31ff1fe6789859f2f55588218147623a9a9f jdk7u15-b33
+a55f67cfe182dc42a86aae836674eb8ba5b79891 jdk7u15-b03
+eb9d57159e5126cf4316c9571ac39324a8b442a8 jdk7u15-b32
+8a9867ee429440b657eb5852c4dae5f029356022 jdk7u17-b01
+7863a60ae4b4a0c7d762a95e77e589fafa4e50ae jdk7u17-b02
+a5e6594fc1ae20101b5d69632f65078d7a99b76d jdk7u17-b30
+8fb34202383ece5386acecc3a6c1dac68dccbf05 jdk7u17-b31
+0a6a09e5174a4c15632ff7e06d6b215164e3fa15 jdk7u21-b01
+99ed1a3d29509fee659aabec4810c896b7234d80 jdk7u21-b02
+38d4d23d167c5a623e6d771a15b1fe2ee771ce38 jdk7u21-b03
+acde12ee462d650d34cc148d9d3649f9a9bbca8a jdk7u21-b04
+56b1ad031df90d20c52941c15ceae0e5a90893b8 jdk7u21-b05
+ab51202418c1c96e01a45893a26829a2d9c7b956 jdk7u21-b06
+3ab71deee4a4477d89530ee9e92a36017a6092fa jdk7u21-b07
+f5ef2e76669bc3179f17dac42a8a407fb6bd4d91 jdk7u21-b08
+65977091d010402ccbed41c96748866a1d50f0c4 jdk7u21-b09
+bf2d62ea518d5e4130e442e07705e7a50b821ad9 jdk7u21-b10
+3e0e331bdfb8f3adfd0cc78118e0ac588e73a2b5 jdk7u21-b11
+980fe893d8fd86d8aee14771167b6e0ac75fa208 jdk7u21-b30
+a320a590b4cac6eeff53829bde520ef46880b006 jdk7u21-b12
+7b47e1a26f7cbb8d8d22ea165f2d7fbbbd354c77 jdk7u14-b16
+77ac1ef42b2fd47cc87b9800f63efdd4cf2fa05d jdk7u14-b17
+d47975f80a24b55410fa2e2c5f50f3405d83fe73 jdk7u14-b18
+331e489ecb7b19fa98c60324f7ce5d168284a8c8 jdk7u14-b19
+331e489ecb7b19fa98c60324f7ce5d168284a8c8 jdk7u14-b19
+c3c9f04cf10c2fe576b208f6a8ca3777b1d31145 jdk7u14-b19
+5e1fee011646b4a3ff29b7b9cdc208e0a0577cb4 jdk7u14-b20
+d1c8bb1cbc9183fc994b5fedf26886ceda0d59f9 jdk7u14-b21
+d1c6afebdfe28eb07eb2d03a6911a0f33b619165 jdk7u14-b22
+0e4c549d3635122145ac88bad7b98716976ca49e jdk7u40-b23
+d17acb2ee133811baa8eae3436a8c191fc433da1 jdk7u40-b24
--- a/src/com/sun/org/apache/bcel/internal/classfile/JavaClass.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/bcel/internal/classfile/JavaClass.java	Mon Jun 03 15:27:00 2013 +0200
@@ -63,6 +63,7 @@
 import  com.sun.org.apache.bcel.internal.util.ClassVector;
 import  com.sun.org.apache.bcel.internal.util.ClassQueue;
 import  com.sun.org.apache.bcel.internal.generic.Type;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 
 import  java.io.*;
 import  java.util.StringTokenizer;
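Review bot: The added import takes `SecuritySupport` from `com.sun.org.apache.xalan.internal.utils`, which makes BCEL's JavaClass depend on Xalan even though this changeset also adds `com.sun.org.apache.bcel.internal.util.SecuritySupport` with a public `getSystemProperty`. Importing the BCEL copy would keep the dependency inside the BCEL tree: `import com.sun.org.apache.bcel.internal.util.SecuritySupport;`. The two copies are described as duplicates that must be kept in sync, so a cross-tree import also hides which copy a later fix has to reach. As a style point, the neighbouring imports use two spaces after `import` and the new line uses one.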
@@ -77,6 +78,7 @@
  * class file.  Those interested in programatically generating classes
  * should see the <a href="../generic/ClassGen.html">ClassGen</a> class.
 
+ * @version $Id: JavaClass.java,v 1.4 2007-07-19 04:34:42 ofung Exp $
  * @see com.sun.org.apache.bcel.internal.generic.ClassGen
  * @author  <A HREF="mailto:markus.dahm@berlin.de">M. Dahm</A>
  */
@@ -451,9 +453,9 @@
     String debug = null, sep = null;
 
     try {
-      debug = System.getProperty("JavaClass.debug");
+      debug = SecuritySupport.getSystemProperty("JavaClass.debug");
       // Get path separator either / or \ usually
-      sep = System.getProperty("file.separator");
+      sep = SecuritySupport.getSystemProperty("file.separator");
     }
     catch (SecurityException e) {
         // falls through
--- a/src/com/sun/org/apache/bcel/internal/util/Class2HTML.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/bcel/internal/util/Class2HTML.java	Mon Jun 03 15:27:00 2013 +0200
@@ -82,6 +82,7 @@
  * method in the Method's frame will jump to the appropiate method in
  * the Code frame.
  *
+ * @version $Id: Class2HTML.java,v 1.3 2007-07-19 04:34:52 ofung Exp $
  * @author <A HREF="mailto:markus.dahm@berlin.de">M. Dahm</A>
 */
 public class Class2HTML implements Constants
@@ -137,7 +138,7 @@
     ClassParser parser=null;
     JavaClass   java_class=null;
     String      zip_file = null;
-    char        sep = System.getProperty("file.separator").toCharArray()[0];
+    char        sep = SecuritySupport.getSystemProperty("file.separator").toCharArray()[0];
     String      dir = "." + sep; // Where to store HTML files
 
     try {
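Review bot: `SecuritySupport.getSystemProperty("file.separator").toCharArray()[0]` still dereferences the property value without a null check, and the value is already available as the constant `File.separatorChar`, which needs neither a property read nor a privileged block: `char sep = File.separatorChar;` (assuming `java.io.File` is imported in this file, which the hunk does not show). The same applies to the `path.separator` read in the first code hunk of ClassPath.java, where `File.pathSeparator` would do, and to the `file.separator` read in JavaClass.java. Each privileged call removed is one less place where elevated rights have to be reasoned about. The enclosing method starts and ends outside the hunk.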
--- a/src/com/sun/org/apache/bcel/internal/util/ClassPath.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/bcel/internal/util/ClassPath.java	Mon Jun 03 15:27:00 2013 +0200
@@ -66,6 +66,7 @@
  * Responsible for loading (class) files from the CLASSPATH. Inspired by
  * sun.tools.ClassPath.
  *
+ * @version $Id: ClassPath.java,v 1.4 2007-07-19 04:34:52 ofung Exp $
  * @author  <A HREF="mailto:markus.dahm@berlin.de">M. Dahm</A>
  */
 public class ClassPath implements Serializable {
@@ -83,7 +84,7 @@
     ArrayList vec = new ArrayList();
 
     for(StringTokenizer tok=new StringTokenizer(class_path,
-                                                System.getProperty("path.separator"));
+                            SecuritySupport.getSystemProperty("path.separator"));
         tok.hasMoreTokens();)
     {
       String path = tok.nextToken();
@@ -92,7 +93,7 @@
         File file = new File(path);
 
         try {
-          if(file.exists()) {
+          if(SecuritySupport.getFileExists(file)) {
             if(file.isDirectory())
               vec.add(new Dir(path));
             else
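Review bot: `SecuritySupport.getFileExists(file)` runs privileged but the `file.isDirectory()` call on the next line does not, so under a security manager a caller without read permission would pass the existence check and then hit the permission check on the directory test. The last hunk of this file has the same split: the existence check is privileged while `new FileInputStream(file)` inside the anonymous `ClassFile` is not, although the `SecuritySupport` added in this changeset has a package-private `getFileInputStream`. Either wrap the follow-up calls too or state the intent in a comment such as `// Only existence is answered with elevated rights; reads still need the caller's FilePermission`. The catch of the surrounding `try` is outside the hunk, so a `SecurityException` may already be handled there.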
@@ -143,8 +144,9 @@
         String name = tok.nextToken();
         File   file = new File(name);
 
-        if(file.exists())
+        if(SecuritySupport.getFileExists(file)) {
           list.add(name);
+        }
       }
     }
   }
@@ -159,9 +161,9 @@
     String class_path, boot_path, ext_path;
 
     try {
-      class_path = System.getProperty("java.class.path");
-      boot_path  = System.getProperty("sun.boot.class.path");
-      ext_path   = System.getProperty("java.ext.dirs");
+      class_path = SecuritySupport.getSystemProperty("java.class.path");
+      boot_path  = SecuritySupport.getSystemProperty("sun.boot.class.path");
+      ext_path   = SecuritySupport.getSystemProperty("java.ext.dirs");
     }
     catch (SecurityException e) {
         return "";
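Review bot: The `catch (SecurityException e)` that returns `""` no longer covers the case of a caller lacking `PropertyPermission`, because the three reads now run inside `doPrivileged` (assuming `SecuritySupport` resolves to the same-package class added by this changeset). A caller that previously got an empty string would now presumably receive a path built from `java.class.path`, `sun.boot.class.path` and `java.ext.dirs`. If that exposure is intended it deserves a comment at the call site, for example `// Privileged read: the class path is returned regardless of the caller's permissions`; if not, the result should stay gated on the caller's own permission. The method starts and ends outside the hunk, so how the values are returned is inferred.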
@@ -176,8 +178,8 @@
     getPathComponents(ext_path, dirs);
 
     for(Iterator e = dirs.iterator(); e.hasNext(); ) {
-      File     ext_dir    = new File((String)e.next());
-      String[] extensions = ext_dir.list(new FilenameFilter() {
+      File ext_dir = new File((String)e.next());
+      String[] extensions = SecuritySupport.getFileList(ext_dir, new FilenameFilter() {
         public boolean accept(File dir, String name) {
           name = name.toLowerCase();
           return name.endsWith(".zip") || name.endsWith(".jar");
@@ -342,7 +344,7 @@
       final File file = new File(dir + File.separatorChar +
                                  name.replace('.', File.separatorChar) + suffix);
 
-      return file.exists()? new ClassFile() {
+      return SecuritySupport.getFileExists(file)? new ClassFile() {
         public InputStream getInputStream() throws IOException { return new FileInputStream(file); }
 
         public String      getPath()        { try {
--- a/src/com/sun/org/apache/bcel/internal/util/JavaWrapper.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/bcel/internal/util/JavaWrapper.java	Mon Jun 03 15:27:00 2013 +0200
@@ -72,6 +72,7 @@
  * <pre>java com.sun.org.apache.bcel.internal.util.JavaWrapper -Dbcel.classloader=foo.MyLoader &lt;real.class.name&gt; [arguments]</pre>
  * </p>
  *
+ * @version $Id: JavaWrapper.java,v 1.3 2007-07-19 04:34:52 ofung Exp $
  * @author  <A HREF="mailto:markus.dahm@berlin.de">M. Dahm</A>
  * @see ClassLoader
  */
@@ -79,7 +80,7 @@
   private java.lang.ClassLoader loader;
 
   private static java.lang.ClassLoader getClassLoader() {
-    String s = System.getProperty("bcel.classloader");
+    String s = SecuritySupport.getSystemProperty("bcel.classloader");
 
     if((s == null) || "".equals(s))
       s = "com.sun.org.apache.bcel.internal.util.ClassLoader";
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/com/sun/org/apache/bcel/internal/util/SecuritySupport.java	Mon Jun 03 15:27:00 2013 +0200
@@ -0,0 +1,223 @@
+/*
+ * reserved comment block
+ * DO NOT REMOVE OR ALTER!
+ */
+/*
+ * Copyright 2002-2004 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.sun.org.apache.bcel.internal.util;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FilenameFilter;
+import java.io.InputStream;
+import java.lang.ClassLoader;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.ListResourceBundle;
+import java.util.Locale;
+import java.util.MissingResourceException;
+import java.util.ResourceBundle;
+
+/**
+ * This class is duplicated for each subpackage so keep it in sync. It is
+ * package private and therefore is not exposed as part of any API.
+ *
+ * @xerces.internal
+ */
+public final class SecuritySupport {
+
+    private static final SecuritySupport securitySupport = new SecuritySupport();
+
+    /**
+     * Return an instance of this class.
+     */
+    public static SecuritySupport getInstance() {
+        return securitySupport;
+    }
+
+    static ClassLoader getContextClassLoader() {
+        return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                ClassLoader cl = null;
+                try {
+                    cl = Thread.currentThread().getContextClassLoader();
+                } catch (SecurityException ex) {
+                }
+                return cl;
+            }
+        });
+    }
+
+    static ClassLoader getSystemClassLoader() {
+        return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                ClassLoader cl = null;
+                try {
+                    cl = ClassLoader.getSystemClassLoader();
+                } catch (SecurityException ex) {
+                }
+                return cl;
+            }
+        });
+    }
+
+    static ClassLoader getParentClassLoader(final ClassLoader cl) {
+        return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                ClassLoader parent = null;
+                try {
+                    parent = cl.getParent();
+                } catch (SecurityException ex) {
+                }
+
+                // eliminate loops in case of the boot
+                // ClassLoader returning itself as a parent
+                return (parent == cl) ? null : parent;
+            }
+        });
+    }
+
+    public static String getSystemProperty(final String propName) {
+        return (String) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                return System.getProperty(propName);
+            }
+        });
+    }
+
+    static FileInputStream getFileInputStream(final File file)
+            throws FileNotFoundException {
+        try {
+            return (FileInputStream) AccessController.doPrivileged(new PrivilegedExceptionAction() {
+                public Object run() throws FileNotFoundException {
+                    return new FileInputStream(file);
+                }
+            });
+        } catch (PrivilegedActionException e) {
+            throw (FileNotFoundException) e.getException();
+        }
+    }
+
+    /**
+     * Return resource using the same classloader for the ObjectFactory by
+     * default or bootclassloader when Security Manager is in place
+     */
+    public static InputStream getResourceAsStream(final String name) {
+        if (System.getSecurityManager() != null) {
+            return getResourceAsStream(null, name);
+        } else {
+            return getResourceAsStream(findClassLoader(), name);
+        }
+    }
+
+    public static InputStream getResourceAsStream(final ClassLoader cl,
+            final String name) {
+        return (InputStream) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                InputStream ris;
+                if (cl == null) {
+                    ris = Object.class.getResourceAsStream("/" + name);
+                } else {
+                    ris = cl.getResourceAsStream(name);
+                }
+                return ris;
+            }
+        });
+    }
+
+    /**
+     * Gets a resource bundle using the specified base name, the default locale,
+     * and the caller's class loader.
+     *
+     * @param bundle the base name of the resource bundle, a fully qualified
+     * class name
+     * @return a resource bundle for the given base name and the default locale
+     */
+    public static ListResourceBundle getResourceBundle(String bundle) {
+        return getResourceBundle(bundle, Locale.getDefault());
+    }
+
+    /**
+     * Gets a resource bundle using the specified base name and locale, and the
+     * caller's class loader.
+     *
+     * @param bundle the base name of the resource bundle, a fully qualified
+     * class name
+     * @param locale the locale for which a resource bundle is desired
+     * @return a resource bundle for the given base name and locale
+     */
+    public static ListResourceBundle getResourceBundle(final String bundle, final Locale locale) {
+        return AccessController.doPrivileged(new PrivilegedAction<ListResourceBundle>() {
+            public ListResourceBundle run() {
+                try {
+                    return (ListResourceBundle) ResourceBundle.getBundle(bundle, locale);
+                } catch (MissingResourceException e) {
+                    try {
+                        return (ListResourceBundle) ResourceBundle.getBundle(bundle, new Locale("en", "US"));
+                    } catch (MissingResourceException e2) {
+                        throw new MissingResourceException(
+                                "Could not load any resource bundle by " + bundle, bundle, "");
+                    }
+                }
+            }
+        });
+    }
+
+    public static String[] getFileList(final File f, final FilenameFilter filter) {
+        return ((String[]) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                return f.list(filter);
+            }
+        }));
+    }
+
+    public static boolean getFileExists(final File f) {
+        return ((Boolean) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                return f.exists() ? Boolean.TRUE : Boolean.FALSE;
+            }
+        })).booleanValue();
+    }
+
+    static long getLastModified(final File f) {
+        return ((Long) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                return new Long(f.lastModified());
+            }
+        })).longValue();
+    }
+
+
+    /**
+     * Figure out which ClassLoader to use.
+     */
+    public static ClassLoader findClassLoader()
+    {
+        if (System.getSecurityManager()!=null) {
+            //this will ensure bootclassloader is used
+            return null;
+        } else {
+            return SecuritySupport.class.getClassLoader();
+        }
+    } // findClassLoader():ClassLoader
+
+    private SecuritySupport() {
+    }
+}
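Review bot: The class comment says the class "is package private and therefore is not exposed as part of any API", but it is declared `public final class SecuritySupport` and `getSystemProperty`, `getFileExists`, `getFileList` and both `getResourceAsStream` overloads are `public static`. These methods run caller-supplied property names and `File` objects inside `doPrivileged`, so any code that can reference the class gets property reads and file-existence answers with this class's rights rather than its own. The callers visible in this changeset that use the BCEL copy (Class2HTML, ClassPath, JavaWrapper) are in the same package, so `final class SecuritySupport {` with package-private methods looks sufficient; if the wider visibility is needed, the comment should be corrected and should name what restricts access to the package. Smaller points: the empty `catch (SecurityException ex) {}` blocks deserve a one-line comment saying null is the intended fallback, the `@xerces.internal` tag appears to be carried over from another copy, and `new Long(f.lastModified())` can be `Long.valueOf(f.lastModified())`.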
--- a/src/com/sun/org/apache/xalan/internal/XalanConstants.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/XalanConstants.java	Mon Jun 03 15:27:00 2013 +0200
@@ -25,9 +25,7 @@
 
 package com.sun.org.apache.xalan.internal;
 
-import com.sun.org.apache.xerces.internal.impl.*;
-import java.util.Enumeration;
-import java.util.NoSuchElementException;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 
 /**
  * Commonly used constants.
@@ -42,19 +40,99 @@
     // Constants
     //
     // Oracle Feature:
-        /**
-         * <p>Use Service Mechanism</p>
-         *
-         * <ul>
-         *   <li>
-         *     <code>true</code> instructs the implementation to use service mechanism to find implementation.
-         *     This is the default behavior.
+    /**
+     * <p>Use Service Mechanism</p>
+     *
+     * <ul>
+     *   <li>
+         * {@code true} instruct an object to use service mechanism to
+         * find a service implementation. This is the default behavior.
          *   </li>
          *   <li>
-         *     <code>false</code> instructs the implementation to skip service mechanism and use the default implementation.
-         *   </li>
-         * </ul>
-         */
+         * {@code false} instruct an object to skip service mechanism and
+         * use the default implementation for that service.
+     *   </li>
+     * </ul>
+    */
+
     public static final String ORACLE_FEATURE_SERVICE_MECHANISM = "http://www.oracle.com/feature/use-service-mechanism";
 
+    /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */
+    public static final String ORACLE_JAXP_PROPERTY_PREFIX =
+        "http://www.oracle.com/xml/jaxp/properties/";
+
+    //System Properties corresponding to ACCESS_EXTERNAL_* properties
+    public static final String SP_ACCESS_EXTERNAL_STYLESHEET = "javax.xml.accessExternalStylesheet";
+    public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
+
+
+    //all access keyword
+    public static final String ACCESS_EXTERNAL_ALL = "all";
+
+    /**
+     * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
+     */
+    public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
+    /**
+     * JDK version by which the default is to restrict external connection
+     */
+    public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
+    /**
+     * FEATURE_SECURE_PROCESSING (FSP) is false by default
+     */
+    public static final String EXTERNAL_ACCESS_DEFAULT = getExternalAccessDefault(false);
+
+    /**
+     * Determine the default value of the external access properties
+     *
+     * jaxp 1.5 does not require implementations to restrict by default
+     *
+     * For JDK8:
+     * The default value is 'file' (including jar:file); The keyword "all" grants permission
+     * to all protocols. When {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is on,
+     * the default value is an empty string indicating no access is allowed.
+     *
+     * For JDK7:
+     * The default value is 'all' granting permission to all protocols. If by default,
+     * {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is true, it should
+     * not change the default value. However, if {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING}
+     * is set explicitly, the values of the properties shall be set to an empty string
+     * indicating no access is allowed.
+     *
+     * @param isSecureProcessing indicating if Secure Processing is set
+     * @return default value
+     */
+    public static String getExternalAccessDefault(boolean isSecureProcessing) {
+        String defaultValue = "all";
+        if (isJDKandAbove(RESTRICT_BY_DEFAULT_JDK_VERSION)) {
+            defaultValue = "file";
+            if (isSecureProcessing) {
+                defaultValue = EXTERNAL_ACCESS_DEFAULT_FSP;
+            }
+        }
+        return defaultValue;
+    }
+
+    /*
+     * Check the version of the current JDK against that specified in the
+     * parameter
+     *
+     * There is a proposal to change the java version string to:
+     * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
+     * This method would work with both the current format and that proposed
+     *
+     * @param compareTo a JDK version to be compared to
+     * @return true if the current version is the same or above that represented
+     * by the parameter
+     */
+    public static boolean isJDKandAbove(int compareTo) {
+        String javaVersion = SecuritySupport.getSystemProperty("java.version");
+        String versions[] = javaVersion.split("\\.", 3);
+        if (Integer.parseInt(versions[0]) >= compareTo ||
+            Integer.parseInt(versions[1]) >= compareTo) {
+            return true;
+        }
+        return false;
+    }
+
 } // class Constants
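Review bot: `isJDKandAbove` feeds the raw dot-split pieces of `java.version` to `Integer.parseInt`, so a string with a suffix in the first or second component throws `NumberFormatException`, a single-component string below `compareTo` throws `ArrayIndexOutOfBoundsException` on `versions[1]`, and a null property throws `NullPointerException` (constructed samples: `9-ea`, `7`). Because `EXTERNAL_ACCESS_DEFAULT` is computed from it in a static initializer, any of these would surface as a class-initialization failure of XalanConstants instead of a default value. The sketch below parses only digit runs and falls back to the restrictive answer when the version cannot be read; that fallback direction is a policy choice to confirm. Separately, the method's comment opens with `/*` rather than `/**`, so its `@param`/`@return` text is not picked up as Javadoc.
```java
public static boolean isJDKandAbove(int compareTo) {
    String javaVersion = SecuritySupport.getSystemProperty("java.version");
    if (javaVersion == null) {
        return true; // unknown runtime: fall on the restrictive side
    }
    // Split on any non-digit run so suffixes such as "-ea" or "_21" never reach parseInt.
    String[] versions = javaVersion.split("[^0-9]+", 3);
    try {
        int major = Integer.parseInt(versions[0]);
        if (major != 1) {
            return major >= compareTo;
        }
        return versions.length > 1 && Integer.parseInt(versions[1]) >= compareTo;
    } catch (NumberFormatException e) {
        return true; // unparsable version: fall on the restrictive side
    }
}
```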
--- a/src/com/sun/org/apache/xalan/internal/res/XSLMessages.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLMessages.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,68 +22,72 @@
  */
 package com.sun.org.apache.xalan.internal.res;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.util.ListResourceBundle;
 
 import com.sun.org.apache.xpath.internal.res.XPATHMessages;
 
 /**
- * Sets things up for issuing error messages.  This class is misnamed, and
- * should be called XalanMessages, or some such.
+ * Sets things up for issuing error messages. This class is misnamed, and should
+ * be called XalanMessages, or some such.
+ *
  * @xsl.usage internal
  */
-public class XSLMessages extends XPATHMessages
-{
+public class XSLMessages extends XPATHMessages {
 
-  /** The language specific resource object for Xalan messages.  */
-  private static ListResourceBundle XSLTBundle = null;
-
-  /** The class name of the Xalan error message string table.    */
-  private static final String XSLT_ERROR_RESOURCES =
-    "com.sun.org.apache.xalan.internal.res.XSLTErrorResources";
+    /**
+     * The language specific resource object for Xalan messages.
+     */
+    private static ListResourceBundle XSLTBundle = null;
+    /**
+     * The class name of the Xalan error message string table.
+     */
+    private static final String XSLT_ERROR_RESOURCES =
+            "com.sun.org.apache.xalan.internal.res.XSLTErrorResources";
 
-  /**
-   * Creates a message from the specified key and replacement
-   * arguments, localized to the given locale.
-   *
-   * @param msgKey    The key for the message text.
-   * @param args      The arguments to be used as replacement text
-   *                  in the message created.
-   *
-   * @return The formatted message string.
-   */
-  public static final String createMessage(String msgKey, Object args[])  //throws Exception
-  {
-    if (XSLTBundle == null)
-      XSLTBundle = loadResourceBundle(XSLT_ERROR_RESOURCES);
-
-    if (XSLTBundle != null)
+    /**
+     * Creates a message from the specified key and replacement arguments,
+     * localized to the given locale.
+     *
+     * @param msgKey The key for the message text.
+     * @param args The arguments to be used as replacement text in the message
+     * created.
+     *
+     * @return The formatted message string.
+     */
+    public static String createMessage(String msgKey, Object args[]) //throws Exception
     {
-      return createMsg(XSLTBundle, msgKey, args);
+        if (XSLTBundle == null) {
+            XSLTBundle = SecuritySupport.getResourceBundle(XSLT_ERROR_RESOURCES);
+        }
+
+        if (XSLTBundle != null) {
+            return createMsg(XSLTBundle, msgKey, args);
+        } else {
+            return "Could not load any resource bundles.";
+        }
     }
-    else
-      return "Could not load any resource bundles.";
-  }
 
-  /**
-   * Creates a message from the specified key and replacement
-   * arguments, localized to the given locale.
-   *
-   * @param msgKey    The key for the message text.
-   * @param args      The arguments to be used as replacement text
-   *                  in the message created.
-   *
-   * @return The formatted warning string.
-   */
-  public static final String createWarning(String msgKey, Object args[])  //throws Exception
-  {
-    if (XSLTBundle == null)
-      XSLTBundle = loadResourceBundle(XSLT_ERROR_RESOURCES);
+    /**
+     * Creates a message from the specified key and replacement arguments,
+     * localized to the given locale.
+     *
+     * @param msgKey The key for the message text.
+     * @param args The arguments to be used as replacement text in the message
+     * created.
+     *
+     * @return The formatted warning string.
+     */
+    public static String createWarning(String msgKey, Object args[]) //throws Exception
+    {
+        if (XSLTBundle == null) {
+            XSLTBundle = SecuritySupport.getResourceBundle(XSLT_ERROR_RESOURCES);
+        }
 
-    if (XSLTBundle != null)
-    {
-      return createMsg(XSLTBundle, msgKey, args);
+        if (XSLTBundle != null) {
+            return createMsg(XSLTBundle, msgKey, args);
+        } else {
+            return "Could not load any resource bundles.";
+        }
     }
-    else
-      return "Could not load any resource bundles.";
-  }
 }
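Review bot: The `else` branches returning `"Could not load any resource bundles."` in the rewritten `createMessage` and `createWarning` look unreachable. If the Xalan `SecuritySupport.getResourceBundle` matches the BCEL copy added in this changeset, it throws `MissingResourceException` rather than returning null, so callers formatting an error message would get an exception instead of the fallback text. Either catch `MissingResourceException` around the load and return the fallback string there, or drop the null test and document the exception with `@throws MissingResourceException if no bundle can be loaded`. The Javadoc on both methods also still says "localized to the given locale" although neither takes a locale.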
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_de.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_de.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_es.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_es.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_fr.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_fr.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_it.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_it.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_ja.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_ja.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_ko.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_ko.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_pt_BR.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_pt_BR.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1449,68 +1449,5 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 
 }
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_sv.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_sv.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_zh_CN.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_zh_CN.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_zh_TW.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/res/XSLTErrorResources_zh_TW.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1448,68 +1448,4 @@
   public static final String QUERY_HEADER = "PATTERN ";
 
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XSLTErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XSLTErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
     }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XSLTErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
-
-}
--- a/src/com/sun/org/apache/xalan/internal/utils/ObjectFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/utils/ObjectFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -54,6 +54,8 @@
     //
     // Constants
     //
+     private static final String XALAN_INTERNAL = "com.sun.org.apache.xalan.internal";
+     private static final String XERCES_INTERNAL = "com.sun.org.apache.xerces.internal";
 
     // name of default properties file to look for in JDK's jre/lib directory
     private static final String DEFAULT_PROPERTIES_FILENAME =
@@ -514,12 +516,17 @@
         //class. Restrict the access to the package classes as specified in java.security policy.
         SecurityManager security = System.getSecurityManager();
         try{
-                if (security != null){
+            if (security != null){
+                if (className.startsWith(XALAN_INTERNAL) ||
+                    className.startsWith(XERCES_INTERNAL)) {
+                    cl = null;
+                } else {
                     final int lastDot = className.lastIndexOf(".");
                     String packageName = className;
                     if (lastDot != -1) packageName = className.substring(0, lastDot);
                     security.checkPackageAccess(packageName);
-                 }
+                }
+             }
         }catch(SecurityException e){
             throw e;
         }
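Review bot: The new `className.startsWith(XALAN_INTERNAL) || className.startsWith(XERCES_INTERNAL)` test is a bare string-prefix match, and neither constant ends in a dot, so any package whose name merely begins with those strings also skips `security.checkPackageAccess(packageName)`. Ending both constants with `.` (for example `"com.sun.org.apache.xalan.internal."`) would limit the exemption to the intended packages and their subpackages. What `cl = null` selects is decided outside this hunk, so the practical impact depends on which loader then resolves the name. A short comment saying that these internal packages are deliberately resolved without a package-access check would record the intent. The surrounding `try{ ... }catch(SecurityException e){ throw e; }` only rethrows and could be dropped.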
--- a/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,16 +26,23 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.io.InputStream;
+import java.net.URL;
 
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.ListResourceBundle;
+import java.util.Locale;
+import java.util.MissingResourceException;
+import java.util.ResourceBundle;
+import java.util.Properties;
 
 /**
- * This class is duplicated for each subpackage so keep it in sync.
- * It is package private and therefore is not exposed as part of any API.
+ * This class is duplicated for each subpackage so keep it in sync. It is
+ * package private and therefore is not exposed as part of any API.
  *
  * @xerces.internal
  */
@@ -51,39 +58,39 @@
     }
 
     static ClassLoader getContextClassLoader() {
-        return (ClassLoader)
-        AccessController.doPrivileged(new PrivilegedAction() {
+        return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() {
             public Object run() {
                 ClassLoader cl = null;
                 try {
                     cl = Thread.currentThread().getContextClassLoader();
-                } catch (SecurityException ex) { }
+                } catch (SecurityException ex) {
+                }
                 return cl;
             }
         });
     }
 
     static ClassLoader getSystemClassLoader() {
-        return (ClassLoader)
-        AccessController.doPrivileged(new PrivilegedAction() {
+        return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() {
             public Object run() {
                 ClassLoader cl = null;
                 try {
                     cl = ClassLoader.getSystemClassLoader();
-                } catch (SecurityException ex) {}
+                } catch (SecurityException ex) {
+                }
                 return cl;
             }
         });
     }
 
     static ClassLoader getParentClassLoader(final ClassLoader cl) {
-        return (ClassLoader)
-        AccessController.doPrivileged(new PrivilegedAction() {
+        return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() {
             public Object run() {
                 ClassLoader parent = null;
                 try {
                     parent = cl.getParent();
-                } catch (SecurityException ex) {}
+                } catch (SecurityException ex) {
+                }
 
                 // eliminate loops in case of the boot
                 // ClassLoader returning itself as a parent
@@ -93,20 +100,25 @@
     }
 
     public static String getSystemProperty(final String propName) {
-        return (String)
-        AccessController.doPrivileged(new PrivilegedAction() {
+        return (String) AccessController.doPrivileged(new PrivilegedAction() {
             public Object run() {
                 return System.getProperty(propName);
             }
         });
     }
 
+    public static String getSystemProperty(final String propName, final String def) {
+        return (String) AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                return System.getProperty(propName, def);
+            }
+        });
+    }
+
     static FileInputStream getFileInputStream(final File file)
-    throws FileNotFoundException
-    {
+            throws FileNotFoundException {
         try {
-            return (FileInputStream)
-            AccessController.doPrivileged(new PrivilegedExceptionAction() {
+            return (FileInputStream) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                 public Object run() throws FileNotFoundException {
                     return new FileInputStream(file);
                 }
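Review bot: The added `getSystemProperty(String propName, String def)` is public and undocumented, although the class comment in this file still says the class is package private and not part of any API. It reads whatever property name it is given inside `doPrivileged`, so the Javadoc should say that callers must pass fixed property names and must not hand the value to less-privileged code. Typing the action as `new PrivilegedAction<String>()`, as the new `getResourceBundle` in this file does, would also remove the raw type and the `(String)` cast.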
@@ -115,9 +127,10 @@
             throw (FileNotFoundException)e.getException();
         }
     }
+
     /**
-     * Return resource using the same classloader for the ObjectFactory by default
-     * or bootclassloader when Security Manager is in place
+     * Return resource using the same classloader for the ObjectFactory by
+     * default or bootclassloader when Security Manager is in place
      */
     public static InputStream getResourceAsStream(final String name) {
         if (System.getSecurityManager()!=null) {
@@ -128,10 +141,8 @@
     }
 
     public static InputStream getResourceAsStream(final ClassLoader cl,
-            final String name)
-    {
-        return (InputStream)
-        AccessController.doPrivileged(new PrivilegedAction() {
+            final String name) {
+        return (InputStream) AccessController.doPrivileged(new PrivilegedAction() {
             public Object run() {
                 InputStream ris;
                 if (cl == null) {
@@ -144,9 +155,40 @@
         });
     }
 
-    static boolean getFileExists(final File f) {
-        return ((Boolean)
-                AccessController.doPrivileged(new PrivilegedAction() {
+    /**
+     * Gets a resource bundle using the specified base name, the default locale, and the caller's class loader.
+     * @param bundle the base name of the resource bundle, a fully qualified class name
+     * @return a resource bundle for the given base name and the default locale
+     */
+    public static ListResourceBundle getResourceBundle(String bundle) {
+        return getResourceBundle(bundle, Locale.getDefault());
+    }
+
+    /**
+     * Gets a resource bundle using the specified base name and locale, and the caller's class loader.
+     * @param bundle the base name of the resource bundle, a fully qualified class name
+     * @param locale the locale for which a resource bundle is desired
+     * @return a resource bundle for the given base name and locale
+     */
+    public static ListResourceBundle getResourceBundle(final String bundle, final Locale locale) {
+        return AccessController.doPrivileged(new PrivilegedAction<ListResourceBundle>() {
+            public ListResourceBundle run() {
+                try {
+                    return (ListResourceBundle)ResourceBundle.getBundle(bundle, locale);
+                } catch (MissingResourceException e) {
+                    try {
+                        return (ListResourceBundle)ResourceBundle.getBundle(bundle, new Locale("en", "US"));
+                    } catch (MissingResourceException e2) {
+                        throw new MissingResourceException(
+                                "Could not load any resource bundle by " + bundle, bundle, "");
+                    }
+                }
+            }
+        });
+    }
+
+    public static boolean getFileExists(final File f) {
+        return ((Boolean) AccessController.doPrivileged(new PrivilegedAction() {
                     public Object run() {
                         return f.exists() ? Boolean.TRUE : Boolean.FALSE;
                     }
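Review bot: `getResourceBundle(String, Locale)` is public and passes its `bundle` argument to `ResourceBundle.getBundle` inside `doPrivileged`, so the class lookup for whatever name the caller supplies runs with this library's permissions; the Javadoc should state that `bundle` must be a fixed, trusted class name. The Javadoc also says "the caller's class loader", but the call is issued from the anonymous action in this class, so it is presumably this class's loader that is used rather than that of the code calling `getResourceBundle`. The `(ListResourceBundle)` cast throws `ClassCastException` for a properties-backed bundle, and the rethrown `MissingResourceException` drops `e2`, which `initCause(e2)` would keep. The same hunk widens `getFileExists` to public, which lets any code that can reach this class test for a file's existence under `doPrivileged`; its body continues outside the hunk.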
@@ -154,13 +196,148 @@
     }
 
     static long getLastModified(final File f) {
-        return ((Long)
-                AccessController.doPrivileged(new PrivilegedAction() {
+        return ((Long) AccessController.doPrivileged(new PrivilegedAction() {
                     public Object run() {
                         return new Long(f.lastModified());
                     }
                 })).longValue();
     }
 
+    /**
+     * Strip off path from an URI
+     *
+     * @param uri an URI with full path
+     * @return the file name only
+     */
+    public static String sanitizePath(String uri) {
+        if (uri == null) {
+            return "";
+        }
+        int i = uri.lastIndexOf("/");
+        if (i > 0) {
+            return uri.substring(i+1, uri.length());
+        }
+        return "";
+    }
+
+    /**
+     * Check the protocol used in the systemId against allowed protocols
+     *
+     * @param systemId the Id of the URI
+     * @param allowedProtocols a list of allowed protocols separated by comma
+     * @param accessAny keyword to indicate allowing any protocol
+     * @return the name of the protocol if rejected, null otherwise
+     */
+    public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException {
+        if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) {
+            return null;
+        }
+
+        String protocol;
+        if (systemId.indexOf(":")==-1) {
+            protocol = "file";
+        } else {
+            URL url = new URL(systemId);
+            protocol = url.getProtocol();
+            if (protocol.equalsIgnoreCase("jar")) {
+                String path = url.getPath();
+                protocol = path.substring(0, path.indexOf(":"));
+            }
+        }
+
+        if (isProtocolAllowed(protocol, allowedProtocols)) {
+            //access allowed
+            return null;
+        } else {
+            return protocol;
+        }
+    }
+
+    /**
+     * Check if the protocol is in the allowed list of protocols. The check
+     * is case-insensitive while ignoring whitespaces.
+     *
+     * @param protocol a protocol
+     * @param allowedProtocols a list of allowed protocols
+     * @return true if the protocol is in the list
+     */
+    private static boolean isProtocolAllowed(String protocol, String allowedProtocols) {
+         String temp[] = allowedProtocols.split(",");
+         for (String t : temp) {
+             t = t.trim();
+             if (t.equalsIgnoreCase(protocol)) {
+                 return true;
+             }
+         }
+         return false;
+     }
+
+    /**
+     * Read from $java.home/lib/jaxp.properties for the specified property
+     *
+     * @param propertyId the Id of the property
+     * @return the value of the property
+     */
+    public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) {
+        String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId);
+        if (accessExternal == null) {
+            accessExternal = readJAXPProperty(sysPropertyId);
+            if (accessExternal == null) {
+                accessExternal = defaultVal;
+            }
+        }
+        return accessExternal;
+    }
+
+    /**
+     * Read from $java.home/lib/jaxp.properties for the specified property
+     * The program
+     *
+     * @param propertyId the Id of the property
+     * @return the value of the property
+     */
+    static String readJAXPProperty(String propertyId) {
+        String value = null;
+        InputStream is = null;
+        try {
+            if (firstTime) {
+                synchronized (cacheProps) {
+                    if (firstTime) {
+                        String configFile = getSystemProperty("java.home") + File.separator +
+                            "lib" + File.separator + "jaxp.properties";
+                        File f = new File(configFile);
+                        if (getFileExists(f)) {
+                            is = getFileInputStream(f);
+                            cacheProps.load(is);
+                        }
+                        firstTime = false;
+                    }
+                }
+            }
+            value = cacheProps.getProperty(propertyId);
+
+        }
+        catch (Exception ex) {}
+        finally {
+            if (is != null) {
+                try {
+                    is.close();
+                } catch (IOException ex) {}
+            }
+        }
+
+        return value;
+    }
+
+    /**
+     * Cache for properties in java.home/lib/jaxp.properties
+     */
+    static final Properties cacheProps = new Properties();
+
+    /**
+     * Flag indicating if the program has tried reading java.home/lib/jaxp.properties
+     */
+    static volatile boolean firstTime = true;
+
     private SecuritySupport () {}
 }
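Review bot: `readJAXPProperty` swallows every failure with `catch (Exception ex) {}`, so when `jaxp.properties` exists but cannot be opened or parsed the method returns null and `getDefaultAccessProperty` silently falls back to `defaultVal`; a protocol restriction configured in that file would then be ignored without any trace. Because `firstTime = false;` is only reached after `cacheProps.load(is)` succeeds, a broken file is also re-read on every call; moving that assignment into a `finally` inside the `synchronized` block and adding a comment such as `// jaxp.properties unreadable: the caller's default applies` would make the behaviour explicit. In `checkAccess`, `allowedProtocols.equalsIgnoreCase(accessAny)` throws `NullPointerException` when `allowedProtocols` is null, which `getDefaultAccessProperty` returns if its `defaultVal` is null. The Javadoc of `getDefaultAccessProperty` is copied from `readJAXPProperty` (its `@param propertyId` matches neither `sysPropertyId` nor `defaultVal`), `readJAXPProperty`'s own comment has a dangling "The program", and `checkAccess` does not document `@throws IOException` for a `systemId` that contains `:` but is not a valid URL.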
--- a/src/com/sun/org/apache/xalan/internal/xslt/EnvironmentCheck.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xslt/EnvironmentCheck.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 package com.sun.org.apache.xalan.internal.xslt;
 
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 
 import java.io.File;
 import java.io.FileWriter;
@@ -574,7 +575,7 @@
     // Grab java version for later use
     try
     {
-      String javaVersion = System.getProperty("java.version");
+      String javaVersion = SecuritySupport.getSystemProperty("java.version");
 
       h.put("java.version", javaVersion);
     }
@@ -593,7 +594,7 @@
     {
 
       // This is present in all JVM's
-      String cp = System.getProperty("java.class.path");
+      String cp = SecuritySupport.getSystemProperty("java.class.path");
 
       h.put("java.class.path", cp);
 
@@ -603,7 +604,7 @@
         h.put(FOUNDCLASSES + "java.class.path", classpathJars);
 
       // Also check for JDK 1.2+ type classpaths
-      String othercp = System.getProperty("sun.boot.class.path");
+      String othercp = SecuritySupport.getSystemProperty("sun.boot.class.path");
 
       if (null != othercp)
       {
@@ -617,7 +618,7 @@
 
       //@todo NOTE: We don't actually search java.ext.dirs for
       //  *.jar files therein! This should be updated
-      othercp = System.getProperty("java.ext.dirs");
+      othercp = SecuritySupport.getSystemProperty("java.ext.dirs");
 
       if (null != othercp)
       {
@@ -1005,7 +1006,7 @@
     {
       Class clazz = ObjectFactory.findProviderClass(DOM_CLASS, true);
 
-      Method method = clazz.getMethod(DOM_LEVEL3_METHOD, null);
+      Method method = clazz.getMethod(DOM_LEVEL3_METHOD, (Class<?>[])null);
 
       // If we succeeded, we have loaded interfaces from a
       //  level 3 DOM somewhere
--- a/src/com/sun/org/apache/xalan/internal/xslt/Process.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xslt/Process.java	Mon Jun 03 15:27:00 2013 +0200
@@ -57,6 +57,7 @@
 import com.sun.org.apache.xalan.internal.res.XSLTErrorResources;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
 import com.sun.org.apache.xalan.internal.utils.ConfigurationError;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 
 //J2SE does not support Xalan interpretive
 /*
@@ -180,7 +181,7 @@
     java.io.PrintWriter diagnosticsWriter = new PrintWriter(System.err, true);
     java.io.PrintWriter dumpWriter = diagnosticsWriter;
     ResourceBundle resbundle =
-      (XSLMessages.loadResourceBundle(
+      (SecuritySupport.getResourceBundle(
         com.sun.org.apache.xml.internal.utils.res.XResourceBundle.ERROR_RESOURCES));
     String flavor = "s2s";
 
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Import.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Import.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,18 +23,19 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.compiler;
 
-import java.io.File;
-import java.net.URL;
-import java.net.MalformedURLException;
-import java.util.Enumeration;
-
-import com.sun.org.apache.xml.internal.utils.SystemIDResolver;
+import com.sun.org.apache.xalan.internal.XalanConstants;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ClassGenerator;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodGenerator;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.TypeCheckError;
-
+import com.sun.org.apache.xml.internal.utils.SystemIDResolver;
+import java.io.File;
+import java.net.URL;
+import java.net.MalformedURLException;
+import java.util.Enumeration;
+import javax.xml.XMLConstants;
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLReader;
 
@@ -84,6 +85,17 @@
             // No SourceLoader or not resolved by SourceLoader
             if (input == null) {
                 docToLoad = SystemIDResolver.getAbsoluteURI(docToLoad, currLoadedDoc);
+                String accessError = SecuritySupport.checkAccess(docToLoad,
+                        xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
+                        XalanConstants.ACCESS_EXTERNAL_ALL);
+
+                if (accessError != null) {
+                    final ErrorMsg msg = new ErrorMsg(ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+                                        SecuritySupport.sanitizePath(docToLoad), accessError,
+                                        this);
+                    parser.reportError(Constants.FATAL, msg);
+                    return;
+                }
                 input = new InputSource(docToLoad);
             }
 
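Review bot: The new check sits inside `if (input == null)`, so a stylesheet that the SourceLoader did resolve is never compared against `XMLConstants.ACCESS_EXTERNAL_STYLESHEET`. If that is intended, the branch should say so, e.g. `// Sources returned by the SourceLoader are not subject to accessExternalStylesheet`. The same eleven lines are added to Include.java (hunk `@@ -85,6 +86,17 @@`), so one shared helper taking the resolved URI and the reporting node would stop the two copies drifting apart. The enclosing method starts and ends outside the hunk, so whether the early `return` skips any cleanup cannot be seen from here.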
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Include.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Include.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,19 +23,20 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.compiler;
 
+import com.sun.org.apache.xalan.internal.XalanConstants;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ClassGenerator;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodGenerator;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.TypeCheckError;
+import com.sun.org.apache.xml.internal.utils.SystemIDResolver;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Enumeration;
-
-import com.sun.org.apache.xml.internal.utils.SystemIDResolver;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ClassGenerator;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodGenerator;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.TypeCheckError;
-
+import javax.xml.XMLConstants;
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLReader;
 
@@ -85,6 +86,17 @@
             // No SourceLoader or not resolved by SourceLoader
             if (input == null) {
                 docToLoad = SystemIDResolver.getAbsoluteURI(docToLoad, currLoadedDoc);
+                String accessError = SecuritySupport.checkAccess(docToLoad,
+                        xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
+                        XalanConstants.ACCESS_EXTERNAL_ALL);
+
+                if (accessError != null) {
+                    final ErrorMsg msg = new ErrorMsg(ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+                                        SecuritySupport.sanitizePath(docToLoad), accessError,
+                                        this);
+                    parser.reportError(Constants.FATAL, msg);
+                    return;
+                }
                 input = new InputSource(docToLoad);
             }
 
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,16 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.compiler;
 
+import com.sun.java_cup.internal.runtime.Symbol;
+import com.sun.org.apache.xalan.internal.XalanConstants;
+import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
+import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodType;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.TypeCheckError;
+import com.sun.org.apache.xml.internal.serializer.utils.SystemIDResolver;
 import java.io.File;
 import java.io.IOException;
 import java.io.StringReader;
@@ -33,27 +43,18 @@
 import java.util.Stack;
 import java.util.StringTokenizer;
 import java.util.Vector;
-
-import com.sun.java_cup.internal.runtime.Symbol;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
-
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodType;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
-import com.sun.org.apache.xalan.internal.xsltc.compiler.util.TypeCheckError;
-import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
-import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
 import org.xml.sax.Attributes;
-import org.xml.sax.helpers.AttributesImpl;
 import org.xml.sax.ContentHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.Locator;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXParseException;
 import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.AttributesImpl;
 
 /**
  * @author Jacek Ambroziak
@@ -410,7 +411,7 @@
             }
         }
         catch (TypeCheckError e) {
-            reportError(ERROR, new ErrorMsg(e));
+            reportError(ERROR, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
         }
     }
 
@@ -430,7 +431,7 @@
         }
         catch (IOException e) {
             if (_xsltc.debug()) e.printStackTrace();
-            reportError(ERROR,new ErrorMsg(e));
+            reportError(ERROR,new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
         }
         catch (SAXException e) {
             Throwable ex = e.getException();
@@ -438,15 +439,15 @@
                 e.printStackTrace();
                 if (ex != null) ex.printStackTrace();
             }
-            reportError(ERROR, new ErrorMsg(e));
+            reportError(ERROR, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
         }
         catch (CompilerException e) {
             if (_xsltc.debug()) e.printStackTrace();
-            reportError(ERROR, new ErrorMsg(e));
+            reportError(ERROR, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
         }
         catch (Exception e) {
             if (_xsltc.debug()) e.printStackTrace();
-            reportError(ERROR, new ErrorMsg(e));
+            reportError(ERROR, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
         }
         return null;
     }
@@ -475,6 +476,8 @@
                 factory.setNamespaceAware(true);
             }
             final SAXParser parser = factory.newSAXParser();
+            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
+                    _xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
             final XMLReader reader = parser.getXMLReader();
             return(parse(reader, input));
         }
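Review bot: `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ...)` throws `SAXNotRecognizedException` when the SAXParser returned by the factory does not know the property, which can happen if a parser other than the JDK's is picked up. The enclosing try/catch is outside the hunk, so how that exception is reported cannot be seen here, but the outcome should be a decision rather than an accident. Either fail the compile with a message that names the property, or catch it at the call and report that the DTD restriction was not applied, e.g. `catch (SAXNotRecognizedException e) { reportError(WARNING, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e)); }`. A one-line comment above the call stating which of the two is intended would be enough.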
@@ -547,6 +550,25 @@
             return(element);
         }
         else {
+            try {
+                String path = _target;
+                if (path.indexOf(":")==-1) {
+                    path = "file:" + path;
+                }
+                path = SystemIDResolver.getAbsoluteURI(path);
+                String accessError = SecuritySupport.checkAccess(path,
+                        _xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
+                        XalanConstants.ACCESS_EXTERNAL_ALL);
+                if (accessError != null) {
+                    ErrorMsg msg = new ErrorMsg(ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+                            SecuritySupport.sanitizePath(_target), accessError,
+                            root);
+                    throw new CompilerException(msg.toString());
+                }
+            } catch (IOException ex) {
+                throw new CompilerException(ex);
+            }
+
             return(loadExternalStylesheet(_target));
         }
     }
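Review bot: The access check is made on a locally built `path`, but the load on the last line still passes the raw `_target`, so the URI that was checked and the one that is opened match only if `loadExternalStylesheet` (outside the hunk) resolves `_target` the same way. The scheme guess `path.indexOf(":")==-1` also treats any target containing a colon as already having a scheme, which includes a Windows drive path such as `C:\styles\a.xsl`. Resolve once and hand the checked value to the loader, or at least record the assumption: `// path is used for the access check only; loadExternalStylesheet resolves _target itself`. Parser also imports `com.sun.org.apache.xml.internal.serializer.utils.SystemIDResolver` while Import and Include use `com.sun.org.apache.xml.internal.utils.SystemIDResolver`, so the three checks may not normalise a URI identically.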
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java	Mon Jun 03 15:27:00 2013 +0200
@@ -39,12 +39,16 @@
 import java.util.jar.JarEntry;
 import java.util.jar.JarOutputStream;
 import java.util.jar.Manifest;
+import javax.xml.XMLConstants;
 
 import com.sun.org.apache.bcel.internal.classfile.JavaClass;
+import com.sun.org.apache.xalan.internal.XalanConstants;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Util;
 import com.sun.org.apache.xml.internal.dtm.DTM;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLReader;
 
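Review bot: `com.sun.org.apache.xalan.internal.utils.SecuritySupport` is imported twice in this hunk, once after `XalanConstants` and again on its own line before `org.xml.sax.InputSource`. The duplicate compiles but reads like a merge leftover; drop the second line.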
@@ -134,6 +138,16 @@
     private boolean _useServicesMechanism = true;
 
     /**
+     * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
+     */
+    private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+     /**
+     * protocols allowed for external DTD references in source file and/or stylesheet.
+     */
+    private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
+
+    /**
      * XSLTC compiler constructor
      */
     public XSLTC(boolean useServicesMechanism) {
@@ -168,6 +182,31 @@
     }
 
     /**
+     * Return allowed protocols for accessing external stylesheet.
+     */
+    public String getProperty(String name) {
+        if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+            return _accessExternalStylesheet;
+        }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            return _accessExternalDTD;
+        }
+        return null;
+    }
+
+    /**
+     * Set allowed protocols for accessing external stylesheet.
+     */
+    public void setProperty(String name, String value) {
+        if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+            _accessExternalStylesheet = (String)value;
+        }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            _accessExternalDTD = (String)value;
+        }
+    }
+
+    /**
      * Only for user by the internal TrAX implementation.
      */
     public Parser getParser() {
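Review bot: The Javadoc on both accessors mentions only the external stylesheet, although each also handles `XMLConstants.ACCESS_EXTERNAL_DTD`, and neither says what happens for any other name: `getProperty` returns null and `setProperty` silently ignores the call. State the contract, e.g. `@return the allowed protocols, or null if name is not a supported property`. `setProperty` stores the value unchecked, so a null set here is what Import, Include and Parser later hand to `SecuritySupport.checkAccess`; how that method treats a null protocol list is not visible in this hunk. `name.equals(...)` throws on a null name, which `XMLConstants.ACCESS_EXTERNAL_STYLESHEET.equals(name)` avoids, and the `(String)` casts on `value` are redundant.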
@@ -278,7 +317,7 @@
             return compile(input, _className);
         }
         catch (IOException e) {
-            _parser.reportError(Constants.FATAL, new ErrorMsg(e));
+            _parser.reportError(Constants.FATAL, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
             return false;
         }
     }
@@ -297,7 +336,7 @@
             return compile(input, name);
         }
         catch (IOException e) {
-            _parser.reportError(Constants.FATAL, new ErrorMsg(e));
+            _parser.reportError(Constants.FATAL, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
             return false;
         }
     }
@@ -382,11 +421,11 @@
         }
         catch (Exception e) {
             /*if (_debug)*/ e.printStackTrace();
-            _parser.reportError(Constants.FATAL, new ErrorMsg(e));
+            _parser.reportError(Constants.FATAL, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
         }
         catch (Error e) {
             if (_debug) e.printStackTrace();
-            _parser.reportError(Constants.FATAL, new ErrorMsg(e));
+            _parser.reportError(Constants.FATAL, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
         }
         finally {
             _reader = null; // reset this here to be sure it is not re-used
@@ -594,7 +633,7 @@
      */
     public boolean setDestDirectory(String dstDirName) {
         final File dir = new File(dstDirName);
-        if (dir.exists() || dir.mkdirs()) {
+        if (SecuritySupport.getFileExists(dir) || dir.mkdirs()) {
             _destDir = dir;
             return true;
         }
@@ -767,7 +806,7 @@
             String parentDir = outFile.getParent();
             if (parentDir != null) {
                 File parentFile = new File(parentDir);
-                if (!parentFile.exists())
+                if (!SecuritySupport.getFileExists(parentFile))
                     parentFile.mkdirs();
             }
         }
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages.java	Mon Jun 03 15:27:00 2013 +0200
@@ -446,6 +446,12 @@
         "Could not find stylesheet target ''{0}''."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
@@ -997,7 +1003,12 @@
          "kilobytes.  This is usually caused by templates in a stylesheet " +
          "that are very large.  Try restructuring your stylesheet to use " +
          "smaller templates."
-        }
+        },
+
+         {ErrorMsg.DESERIALIZE_TRANSLET_ERR, "When Java security is enabled, " +
+                        "support for deserializing TemplatesImpl is disabled." +
+                        "This can be overridden by setting the jdk.xml.enableTemplatesImplDeserialization" +
+                        " system property to true."}
 
     };
 
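Review bot: The new `DESERIALIZE_TRANSLET_ERR` text is concatenated without a space between its two sentences, so it renders as "...is disabled.This can be overridden..."; the second literal should read `"support for deserializing TemplatesImpl is disabled. " +`. None of the localized bundles touched in this commit gets the key, so the lookup presumably falls back to this base text, which makes the typo visible in every locale.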
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_ca.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_ca.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "No s''ha trobat la destinaci\u00f3 ''{0}'' del full d''estils."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_cs.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_cs.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "Nelze naj\u00edt c\u00edlovou p\u0159edlohu se stylem ''{0}''."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_de.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_de.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "Stylesheet-Ziel \"{0}\" konnte nicht gefunden werden."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_es.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_es.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "No se ha encontrado el destino de hoja de estilo ''{0}''."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_fr.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_fr.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "Cible de feuille de style ''{0}'' introuvable."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_it.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_it.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "Impossibile trovare la destinazione ''{0}'' del foglio di stile."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_ja.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_ja.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "\u30B9\u30BF\u30A4\u30EB\u30B7\u30FC\u30C8\u30FB\u30BF\u30FC\u30B2\u30C3\u30C8''{0}''\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093\u3067\u3057\u305F\u3002"},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_ko.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_ko.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "\uC2A4\uD0C0\uC77C\uC2DC\uD2B8 \uB300\uC0C1 ''{0}''\uC744(\uB97C) \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_pt_BR.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_pt_BR.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "N\u00E3o foi poss\u00EDvel localizar o alvo da folha de estilos ''{0}''."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_sk.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_sk.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "Nebolo mo\u017en\u00e9 n\u00e1js\u0165 cie\u013e \u0161t\u00fdlu dokumentu ''{0}''."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_sv.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_sv.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "Hittade inte formatmallen ''{0}''."},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_zh_CN.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_zh_CN.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "\u627E\u4E0D\u5230\u6837\u5F0F\u8868\u76EE\u6807 ''{0}''\u3002"},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_zh_TW.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages_zh_TW.java	Mon Jun 03 15:27:00 2013 +0200
@@ -444,6 +444,12 @@
         "\u627E\u4E0D\u5230\u6A23\u5F0F\u8868\u76EE\u6A19 ''{0}''\u3002"},
 
         /*
+         * Note to translators:  access to the stylesheet target is denied
+         */
+        {ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+        "Could not read stylesheet target ''{0}'', because ''{1}'' access is not allowed."},
+
+        /*
          * Note to translators:  This message represents an internal error in
          * condition in XSLTC.  The substitution text is the class name in XSLTC
          * that is missing some functionality.
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMsg.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMsg.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.compiler.util;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.text.MessageFormat;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -46,6 +47,8 @@
     Object[] _params = null;
     private boolean _isWarningError;
 
+    Throwable _cause;
+
     // Compiler error messages
     public static final String MULTIPLE_STYLESHEET_ERR = "MULTIPLE_STYLESHEET_ERR";
     public static final String TEMPLATE_REDEF_ERR = "TEMPLATE_REDEF_ERR";
@@ -92,6 +95,7 @@
     public static final String UNSUPPORTED_EXT_ERR = "UNSUPPORTED_EXT_ERR";
     public static final String MISSING_XSLT_URI_ERR = "MISSING_XSLT_URI_ERR";
     public static final String MISSING_XSLT_TARGET_ERR = "MISSING_XSLT_TARGET_ERR";
+    public static final String ACCESSING_XSLT_TARGET_ERR = "ACCESSING_XSLT_TARGET_ERR";
     public static final String NOT_IMPLEMENTED_ERR = "NOT_IMPLEMENTED_ERR";
     public static final String NOT_STYLESHEET_ERR = "NOT_STYLESHEET_ERR";
     public static final String ELEMENT_PARSE_ERR = "ELEMENT_PARSE_ERR";
@@ -165,6 +169,8 @@
     public static final String OUTLINE_ERR_METHOD_TOO_BIG =
                                             "OUTLINE_ERR_METHOD_TOO_BIG";
 
+    public static final String DESERIALIZE_TRANSLET_ERR = "DESERIALIZE_TEMPLATES_ERR";
+
     // All error messages are localized and are stored in resource bundles.
     // This array and the following 4 strings are read from that bundle.
     private static ResourceBundle _bundle;
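Review bot: The constant is named `DESERIALIZE_TRANSLET_ERR` but its value is `"DESERIALIZE_TEMPLATES_ERR"`, whereas the other keys visible in this class use their own name as the value. Lookups still work because ErrorMessages.java refers to the constant, but a search of the bundles for the constant's name finds nothing. Align the two, e.g. `public static final String DESERIALIZE_TRANSLET_ERR = "DESERIALIZE_TRANSLET_ERR";`.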
@@ -175,7 +181,7 @@
     public final static String RUNTIME_ERROR_KEY    = "RUNTIME_ERROR_KEY";
 
     static {
-        _bundle = ResourceBundle.getBundle(
+        _bundle = SecuritySupport.getResourceBundle(
                           "com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMessages",
                           Locale.getDefault());
     }
@@ -185,10 +191,11 @@
         _line = 0;
     }
 
-    public ErrorMsg(Throwable e) {
-        _code = null;
+    public ErrorMsg(String code, Throwable e) {
+        _code = code;
         _message = e.getMessage();
         _line = 0;
+        _cause = e;
     }
 
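Review bot: The constructor now sets both `_code` and `_message`, and nothing in the hunk says which of the two is shown when the message is rendered; that logic is outside the hunk. A Javadoc should state whether the bundle text for `code` or `e.getMessage()` is what the user sees, that `e` is retained for `getCause()`, and that `e.getMessage()` may be null. The `_cause` field added in the earlier hunk is package-private; `private Throwable _cause;` would match `_isWarningError` beside it. Replacing the public `ErrorMsg(Throwable)` signature also breaks any caller that this commit does not update.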
     public ErrorMsg(String message, int line) {
@@ -240,6 +247,10 @@
         _params[1] = param2;
     }
 
+    public Throwable getCause() {
+        return _cause;
+    }
+
     private String getFileName(SyntaxTreeNode node) {
         Stylesheet stylesheet = node.getStylesheet();
         if (stylesheet != null)
--- a/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/Util.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/compiler/util/Util.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.StringTokenizer;
 
 import com.sun.org.apache.bcel.internal.generic.Type;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.Constants;
 import com.sun.org.apache.xml.internal.utils.XML11Char;
 
@@ -37,7 +38,7 @@
     private static char filesep;
 
     static {
-        String temp = System.getProperty("file.separator", "/");
+        String temp = SecuritySupport.getSystemProperty("file.separator", "/");
         filesep = temp.charAt(0);
     }
 
--- a/src/com/sun/org/apache/xalan/internal/xsltc/dom/LoadDocument.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/dom/LoadDocument.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.dom;
 
+import com.sun.org.apache.xalan.internal.XalanConstants;
 import java.io.FileNotFoundException;
 
 import javax.xml.transform.stream.StreamSource;
@@ -31,8 +32,10 @@
 import com.sun.org.apache.xalan.internal.xsltc.DOMCache;
 import com.sun.org.apache.xalan.internal.xsltc.DOMEnhancedForDTM;
 import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
 import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import com.sun.org.apache.xml.internal.dtm.DTM;
 import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
 import com.sun.org.apache.xml.internal.dtm.DTMManager;
@@ -199,6 +202,13 @@
                 throw new TransletException(e);
             }
         } else {
+            String accessError = SecuritySupport.checkAccess(uri, translet.getAllowedProtocols(), XalanConstants.ACCESS_EXTERNAL_ALL);
+            if (accessError != null) {
+                ErrorMsg msg = new ErrorMsg(ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
+                        SecuritySupport.sanitizePath(uri), accessError);
+                throw new Exception(msg.toString());
+            }
+
             // Parse the input document and construct DOM object
             // Trust the DTMManager to pick the right parser and
             // set up the DOM correctly.
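Review bot: The access-denied path throws a bare `Exception`, so a caller cannot tell a protocol restriction apart from any other failure, while the branch just above reports errors as `TransletException`. Consider `throw new TransletException(msg.toString());`, assuming that class has a message constructor (its declaration is not part of this hunk). The enclosing method starts and ends outside the hunk, so how this exception is caught and reported further down should be confirmed.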
--- a/src/com/sun/org/apache/xalan/internal/xsltc/dom/NodeSortRecord.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/dom/NodeSortRecord.java	Mon Jun 03 15:27:00 2013 +0200
@@ -33,6 +33,7 @@
 import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
 import com.sun.org.apache.xml.internal.utils.StringComparable;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 
 /**
  * Base class for sort records containing application specific sort keys
@@ -112,7 +113,7 @@
         try {
             // -- W. Eliot Kimber (eliot@isogen.com)
             colFactClassname =
-                System.getProperty("com.sun.org.apache.xalan.internal.xsltc.COLLATOR_FACTORY");
+                SecuritySupport.getSystemProperty("com.sun.org.apache.xalan.internal.xsltc.COLLATOR_FACTORY");
         }
         catch (SecurityException e) {
             // If we can't read the propery, just use default collator
--- a/src/com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/runtime/AbstractTranslet.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.runtime;
 
+import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -110,6 +111,11 @@
 
     private boolean _useServicesMechanism;
 
+    /**
+     * protocols allowed for external references set by the stylesheet processing instruction, Document() function, Import and Include element.
+     */
+    private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
     /************************************************************************
      * Debugging
      ************************************************************************/
@@ -758,6 +764,20 @@
         _useServicesMechanism = flag;
     }
 
+    /**
+     * Return allowed protocols for accessing external stylesheet.
+     */
+    public String getAllowedProtocols() {
+        return _accessExternalStylesheet;
+    }
+
+    /**
+     * Set allowed protocols for accessing external stylesheet.
+     */
+    public void setAllowedProtocols(String protocols) {
+        _accessExternalStylesheet = protocols;
+    }
+
     /************************************************************************
      * DOMImplementation caching for basis library
      ************************************************************************/
--- a/src/com/sun/org/apache/xalan/internal/xsltc/runtime/BasisLibrary.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/runtime/BasisLibrary.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.runtime;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.text.DecimalFormat;
 import java.text.DecimalFormatSymbols;
 import java.text.FieldPosition;
@@ -1583,7 +1584,7 @@
 
     static {
         String resource = "com.sun.org.apache.xalan.internal.xsltc.runtime.ErrorMessages";
-        m_bundle = ResourceBundle.getBundle(resource);
+        m_bundle = SecuritySupport.getResourceBundle(resource);
     }
 
     /**
--- a/src/com/sun/org/apache/xalan/internal/xsltc/runtime/output/WriterOutputBuffer.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/runtime/output/WriterOutputBuffer.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.runtime.output;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.io.BufferedWriter;
 import java.io.IOException;
 import java.io.Writer;
@@ -36,7 +37,7 @@
 
     static {
         // Set a larger buffer size for Solaris
-        final String osName = System.getProperty("os.name");
+        final String osName = SecuritySupport.getSystemProperty("os.name");
         if (osName.equalsIgnoreCase("solaris")) {
             BUFFER_SIZE = 32 * KB;
         }
--- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesHandlerImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesHandlerImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -99,6 +99,12 @@
         if (tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING))
             xsltc.setSecureProcessing(true);
 
+        xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,
+                (String)tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET));
+        xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
+                (String)tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD));
+
+
         if ("true".equals(tfactory.getAttribute(TransformerFactoryImpl.ENABLE_INLINING)))
             xsltc.setTemplateInlining(true);
         else
--- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.trax;
 
+import com.sun.org.apache.xalan.internal.XalanConstants;
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
@@ -43,6 +44,7 @@
 import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
 import com.sun.org.apache.xalan.internal.xsltc.runtime.Hashtable;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 
 /**
  * @author Morten Jorgensen
@@ -52,6 +54,8 @@
  */
 public final class TemplatesImpl implements Templates, Serializable {
     static final long serialVersionUID = 673094361519270707L;
+    public final static String DESERIALIZE_TRANSLET = "jdk.xml.enableTemplatesImplDeserialization";
+
     /**
      * Name of the superclass of all translets. This is needed to
      * determine which, among all classes comprising a translet,
@@ -121,6 +125,11 @@
 
     private boolean _useServicesMechanism;
 
+    /**
+     * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
+     */
+    private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
     static final class TransletClassLoader extends ClassLoader {
         TransletClassLoader(ClassLoader parent) {
             super(parent);
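Review bot: `_accessExternalStylesheet` is added as a non-transient field of a `Serializable` class, so after `readObject()` its value comes from the serialized stream rather than from the factory or the system property. For a stream written before this change it would be null, because field initialisers do not run on deserialization. A later hunk hands that value to `translet.setAllowedProtocols(...)`, so the stream's content decides the restriction. Consider `private transient String _accessExternalStylesheet = ...` and re-deriving the value in `readObject()`, whose body is only partly visible in this diff.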
@@ -168,6 +177,7 @@
         _indentNumber = indentNumber;
         _tfactory = tfactory;
         _useServicesMechanism = tfactory.useServicesMechnism();
+        _accessExternalStylesheet = (String) tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
     }
     /**
      * Need for de-serialization, see readObject().
@@ -186,6 +196,15 @@
     private void  readObject(ObjectInputStream is)
       throws IOException, ClassNotFoundException
     {
+        SecurityManager security = System.getSecurityManager();
+        if (security != null){
+            String temp = SecuritySupport.getSystemProperty(DESERIALIZE_TRANSLET);
+            if (temp == null || !(temp.length()==0 || temp.equalsIgnoreCase("true"))) {
+                ErrorMsg err = new ErrorMsg(ErrorMsg.DESERIALIZE_TRANSLET_ERR);
+                throw new UnsupportedOperationException(err.toString());
+            }
+        }
+
         is.defaultReadObject();
         if (is.readBoolean()) {
             _uriResolver = (URIResolver) is.readObject();
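Review bot: The guard's condition `temp == null || !(temp.length()==0 || temp.equalsIgnoreCase("true"))` is hard to read and its policy is undocumented: deserialization is refused only when a SecurityManager is installed and the property is unset or holds anything other than an empty string or "true". A comment such as `// With a SecurityManager, deserialization is opt-in via jdk.xml.enableTemplatesImplDeserialization (empty or "true")` would state that, and the test reads better as `boolean allowed = temp != null && (temp.length() == 0 || temp.equalsIgnoreCase("true"));`. Without a SecurityManager the stream is still read unconditionally, which belongs in the Javadoc so that callers handling untrusted data do not assume they are covered. readObject continues past the end of the hunk.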
@@ -369,6 +388,7 @@
             translet.postInitialization();
             translet.setTemplates(this);
             translet.setServicesMechnism(_useServicesMechanism);
+            translet.setAllowedProtocols(_accessExternalStylesheet);
             if (_auxClasses != null) {
                 translet.setAuxiliaryClasses(_auxClasses);
             }
--- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -73,7 +73,7 @@
 import com.sun.org.apache.xalan.internal.xsltc.dom.XSLTCDTMManager;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
-
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLFilter;
@@ -225,6 +225,16 @@
     private boolean _useServicesMechanism;
 
     /**
+     * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
+     */
+    private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+     /**
+     * protocols allowed for external DTD references in source file and/or stylesheet.
+     */
+    private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
+
+    /**
      * javax.xml.transform.sax.TransformerFactory implementation.
      */
     public TransformerFactoryImpl() {
@@ -238,10 +248,17 @@
     private TransformerFactoryImpl(boolean useServicesMechanism) {
         this.m_DTMManagerClass = XSLTCDTMManager.getDTMManagerClass(useServicesMechanism);
         this._useServicesMechanism = useServicesMechanism;
+
+        String defaultAccess = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
         if (System.getSecurityManager() != null) {
             _isSecureMode = true;
             _isNotSecureProcessing = false;
+            defaultAccess = XalanConstants.getExternalAccessDefault(true);
         }
+        _accessExternalStylesheet =  SecuritySupport.getDefaultAccessProperty(
+                XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess);
+        _accessExternalDTD =  SecuritySupport.getDefaultAccessProperty(
+                XalanConstants.SP_ACCESS_EXTERNAL_DTD, defaultAccess);
     }
 
     /**
@@ -301,6 +318,12 @@
             else
               return Boolean.FALSE;
         }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+            return _accessExternalStylesheet;
+        }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            return _accessExternalDTD;
+        }
 
         // Throw an exception for all other attributes
         ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_INVALID_ATTR_ERR, name);
@@ -401,6 +424,14 @@
                 return;
             }
         }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+            _accessExternalStylesheet = (String)value;
+            return;
+        }
+        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            _accessExternalDTD = (String)value;
+            return;
+        }
 
         // Throw an exception for all other attributes
         final ErrorMsg err
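Review bot: Both new branches cast `value` straight to `String`, so a non-String argument raises `ClassCastException` instead of reaching the error reported for unsupported attributes at the bottom of the method, and `null` is stored as the protocol list. Guarding the branch, `else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET) && value instanceof String) {`, lets bad values fall through to that existing error. The same applies to the `ACCESS_EXTERNAL_DTD` branch. The method begins outside the hunk.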
@@ -444,7 +475,12 @@
                 throw new TransformerConfigurationException(err.toString());
             }
             _isNotSecureProcessing = !value;
-            // all done processing feature
+
+            // set restriction, allowing no access to external stylesheet
+            if (value) {
+                _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+                _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+            }
             return;
         }
         else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) {
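Review bot: The comment `// set restriction, allowing no access to external stylesheet` understates the block, which also clears `_accessExternalDTD`. It also does not say that values set earlier through setAttribute are overwritten, or that passing `false` later leaves both lists as they are. Suggest `// feature on: drop all protocols for external stylesheets and DTDs; overrides earlier setAttribute values and is not undone by setting the feature to false`. That this branch handles the secure-processing feature is inferred from the constant name, since the branch condition lies outside the hunk.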
@@ -799,6 +835,8 @@
                 xsltc.setTemplateInlining(false);
 
         if (!_isNotSecureProcessing) xsltc.setSecureProcessing(true);
+        xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, _accessExternalStylesheet);
+        xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
         xsltc.init();
 
         // Set a document loader (for xsl:include/import) if defined
@@ -880,9 +918,20 @@
 
         // Check that the transformation went well before returning
     if (bytecodes == null) {
-
-        ErrorMsg err = new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR);
-        TransformerConfigurationException exc =  new TransformerConfigurationException(err.toString());
+        Vector errs = xsltc.getErrors();
+        ErrorMsg err = null;
+        if (errs != null) {
+            err = (ErrorMsg)errs.elementAt(errs.size()-1);
+        } else {
+            err = new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR);
+        }
+        Throwable cause = err.getCause();
+        TransformerConfigurationException exc;
+        if (cause != null) {
+            exc =  new TransformerConfigurationException(cause.getMessage(), cause);
+        } else {
+            exc =  new TransformerConfigurationException(err.toString());
+        }
 
         // Pass compiler errors to the error listener
         if (_errorListener != null) {
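Review bot: `errs.elementAt(errs.size()-1)` throws `ArrayIndexOutOfBoundsException` when `xsltc.getErrors()` returns a non-null but empty Vector, which would replace the intended `TransformerConfigurationException`. Use `if (errs != null && !errs.isEmpty()) {` so the `JAXP_COMPILE_ERR` fallback covers that case too. `cause.getMessage()` can also be null, in which case `err.toString()` would be the more useful message. The enclosing method starts outside the hunk.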
@@ -1229,7 +1278,7 @@
         // Find the parent directory of the translet.
         String transletParentDir = transletFile.getParent();
         if (transletParentDir == null)
-            transletParentDir = System.getProperty("user.dir");
+            transletParentDir = SecuritySupport.getSystemProperty("user.dir");
 
         File transletParentFile = new File(transletParentDir);
 
--- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.trax;
 
+import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -61,6 +62,7 @@
 import javax.xml.transform.stax.StAXSource;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
+import javax.xml.XMLConstants;
 
 import com.sun.org.apache.xml.internal.utils.SystemIDResolver;
 
@@ -207,6 +209,14 @@
      * Note the default value (false) is the safe option..
      */
     private boolean _useServicesMechanism;
+    /**
+     * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
+     */
+    private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+     /**
+     * protocols allowed for external DTD references in source file and/or stylesheet.
+     */
+    private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
 
     /**
      * A hashtable to store parameters for the identity transform. These
@@ -260,7 +270,10 @@
         _indentNumber = indentNumber;
         _tfactory = tfactory;
         _useServicesMechanism = _tfactory.useServicesMechnism();
+        _accessExternalStylesheet = (String)_tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
+        _accessExternalDTD = (String)_tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD);
         _readerManager = XMLReaderManager.getInstance(_useServicesMechanism);
+        _readerManager.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
         //_isIncremental = tfactory._incremental;
     }
 
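Review bot: `_readerManager.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD)` writes a per-transformer setting into whatever `XMLReaderManager.getInstance(...)` returns. If that is a shared instance, as the name suggests, the most recently constructed TransformerImpl decides the DTD restriction for every other transformer using the manager. Please confirm the manager's scope, and if it is shared, apply the value where a reader is obtained instead of storing it on the manager. The constructor begins outside the hunk.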
--- a/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java	Mon Jun 03 15:27:00 2013 +0200
@@ -105,6 +105,8 @@
                     if (reader == null) {
                        try {
                            reader= XMLReaderFactory.createXMLReader();
+                           reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
+                                   xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
                        } catch (Exception e ) {
                            try {
 
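Review bot: The new `reader.setProperty(...)` sits in the same `try` as `createXMLReader()`, so a reader that rejects the property is handled as if reader creation had failed and control moves to the fallback in `catch (Exception e)`. What the fallback does is outside the hunk, so it should be checked that the reader it produces also receives `ACCESS_EXTERNAL_DTD`; otherwise the restriction is silently dropped on that path. A separate try around the setProperty call with an explicit error would make the outcome visible.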
--- a/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,18 +20,6 @@
 
 package com.sun.org.apache.xerces.internal.dom;
 
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Locale;
-import java.util.Vector;
-
-import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.Status;
-import org.w3c.dom.DOMConfiguration;
-import org.w3c.dom.DOMErrorHandler;
-import org.w3c.dom.DOMStringList;
-
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLEntityManager;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
@@ -42,7 +30,10 @@
 import com.sun.org.apache.xerces.internal.util.DOMErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
+import com.sun.org.apache.xerces.internal.util.PropertyState;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@@ -55,12 +46,19 @@
 import com.sun.org.apache.xerces.internal.xni.parser.XMLErrorHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
-import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Vector;
+import javax.xml.XMLConstants;
+import org.w3c.dom.DOMConfiguration;
+import org.w3c.dom.DOMErrorHandler;
 import org.w3c.dom.DOMException;
+import org.w3c.dom.DOMStringList;
 import org.w3c.dom.ls.LSResourceResolver;
 
 
-
 /**
  * Xerces implementation of DOMConfiguration that maintains a table of recognized parameters.
  *
@@ -158,6 +156,14 @@
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
+    /** Property identifier: access to external dtd */
+    protected static final String ACCESS_EXTERNAL_DTD =
+        XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema  */
+    protected static final String ACCESS_EXTERNAL_SCHEMA =
+        XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     //
     // Data
     //
@@ -276,7 +282,9 @@
             JAXP_SCHEMA_SOURCE,
             JAXP_SCHEMA_LANGUAGE,
             DTD_VALIDATOR_FACTORY_PROPERTY,
-            SCHEMA_DV_FACTORY
+            SCHEMA_DV_FACTORY,
+            ACCESS_EXTERNAL_DTD,
+            ACCESS_EXTERNAL_SCHEMA
         };
         addRecognizedProperties(recognizedProperties);
 
@@ -310,6 +318,14 @@
         fValidationManager = createValidationManager();
         setProperty(VALIDATION_MANAGER, fValidationManager);
 
+        //For DOM, the secure feature is set to true by default
+        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
+                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
+        setProperty(ACCESS_EXTERNAL_DTD, accessExternal);
+
+        accessExternal =  SecuritySupport.getDefaultAccessProperty(
+                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
+        setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal);
 
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {
--- a/src/com/sun/org/apache/xerces/internal/dom/DOMMessageFormatter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/dom/DOMMessageFormatter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,10 +20,10 @@
 
 
 package com.sun.org.apache.xerces.internal.dom;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Locale;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
-import java.util.PropertyResourceBundle;
 
 /**
  * Used to format DOM error messages, using the system locale.
@@ -31,6 +31,7 @@
  * @xerces.internal
  *
  * @author Sandy Gao, IBM
+ * @version $Id: DOMMessageFormatter.java,v 1.6 2010-11-01 04:39:38 joehw Exp $
  */
 public class DOMMessageFormatter {
     public static final String DOM_DOMAIN = "http://www.w3.org/dom/DOMTR";
@@ -122,13 +123,13 @@
      */
     public static void init(){
         if (locale != null) {
-            domResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.DOMMessages", locale);
-            serResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSerializerMessages", locale);
-            xmlResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+            domResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.DOMMessages", locale);
+            serResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSerializerMessages", locale);
+            xmlResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
         }else{
-            domResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.DOMMessages");
-            serResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSerializerMessages");
-            xmlResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+            domResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.DOMMessages");
+            serResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSerializerMessages");
+            xmlResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
     }
 
--- a/src/com/sun/org/apache/xerces/internal/impl/Constants.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/Constants.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,6 +20,7 @@
 
 package com.sun.org.apache.xerces.internal.impl;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Enumeration;
 import java.util.NoSuchElementException;
 
@@ -138,6 +139,21 @@
 
     public static final String FEATURE_SECURE_PROCESSING = "http://javax.xml.XMLConstants/feature/secure-processing";
 
+    // Oracle Feature:
+    /**
+     * <p>Use Service Mechanism</p>
+     *
+     * <ul>
+     *   <li>
+     * {@code true} instruct an object to use service mechanism to
+     * find a service implementation. This is the default behavior.
+     *   </li>
+     *   <li>
+     * {@code false} instruct an object to skip service mechanism and
+     * use the default implementation for that service.
+     *   </li>
+     * </ul>
+     */
     public static final String ORACLE_FEATURE_SERVICE_MECHANISM = "http://www.oracle.com/feature/use-service-mechanism";
 
     /** Document XML version property ("document-xml-version"). */
@@ -160,6 +176,34 @@
 
     public static final String SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
 
+    /** JAXP Standard property prefix ("http://javax.xml.XMLConstants/property/"). */
+    public static final String JAXPAPI_PROPERTY_PREFIX =
+        "http://javax.xml.XMLConstants/property/";
+
+    /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */
+    public static final String ORACLE_JAXP_PROPERTY_PREFIX =
+        "http://www.oracle.com/xml/jaxp/properties/";
+
+    //System Properties corresponding to ACCESS_EXTERNAL_* properties
+    public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
+    public static final String SP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema";
+    //all access keyword
+    public static final String ACCESS_EXTERNAL_ALL = "all";
+
+    /**
+     * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
+     */
+    public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
+    /**
+     * JDK version by which the default is to restrict external connection
+     */
+    public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
+
+    /**
+     * FEATURE_SECURE_PROCESSING (FSP) is true by default
+     */
+    public static final String EXTERNAL_ACCESS_DEFAULT = getExternalAccessDefault(true);
+
     //
     // DOM features
     //
@@ -653,6 +697,59 @@
         ? new ArrayEnumeration(fgXercesProperties) : fgEmptyEnumeration;
     } // getXercesProperties():Enumeration
 
+    /**
+     * Determine the default value of the external access properties
+     *
+     * jaxp 1.5 does not require implementations to restrict by default
+     *
+     * For JDK8:
+     * The default value is 'file' (including jar:file); The keyword "all" grants permission
+     * to all protocols. When {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is on,
+     * the default value is an empty string indicating no access is allowed.
+     *
+     * For JDK7:
+     * The default value is 'all' granting permission to all protocols. If by default,
+     * {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is true, it should
+     * not change the default value. However, if {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING}
+     * is set explicitly, the values of the properties shall be set to an empty string
+     * indicating no access is allowed.
+     *
+     * @param isSecureProcessing indicating if Secure Processing is set
+     * @return default value
+     */
+    public static String getExternalAccessDefault(boolean isSecureProcessing) {
+        String defaultValue = "all";
+        if (isJDKandAbove(RESTRICT_BY_DEFAULT_JDK_VERSION)) {
+            defaultValue = "file";
+            if (isSecureProcessing) {
+                defaultValue = EXTERNAL_ACCESS_DEFAULT_FSP;
+            }
+        }
+        return defaultValue;
+    }
+
+    /*
+     * Check the version of the current JDK against that specified in the
+     * parameter
+     *
+     * There is a proposal to change the java version string to:
+     * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
+     * This method would work with both the current format and that proposed
+     *
+     * @param compareTo a JDK version to be compared to
+     * @return true if the current version is the same or above that represented
+     * by the parameter
+     */
+    public static boolean isJDKandAbove(int compareTo) {
+        String javaVersion = SecuritySupport.getSystemProperty("java.version");
+        String versions[] = javaVersion.split("\\.", 3);
+        if (Integer.parseInt(versions[0]) >= compareTo ||
+            Integer.parseInt(versions[1]) >= compareTo) {
+            return true;
+        }
+        return false;
+    }
+
     //
     // Classes
     //
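Review bot: `isJDKandAbove` indexes `versions[1]` and calls `Integer.parseInt` without checking the shape of `java.version`, so a single-component value or a non-numeric suffix in the first two components can throw, a format change the method comment itself anticipates. Because `EXTERNAL_ACCESS_DEFAULT` is initialised from this method in a static initialiser (previous hunk), such a failure would prevent `Constants` from loading. The sketch below tolerates those strings and returns false, which keeps the JDK 7 default; which default to fall back to is a policy choice to confirm. The method comment opens with `/*` rather than `/**`, so it is not picked up as Javadoc, and `getExternalAccessDefault` could use `ACCESS_EXTERNAL_ALL` instead of the literal `"all"`.

```java
    public static boolean isJDKandAbove(int compareTo) {
        String javaVersion = SecuritySupport.getSystemProperty("java.version");
        if (javaVersion == null) {
            return false;
        }
        String[] versions = javaVersion.split("\\.", 3);
        try {
            if (Integer.parseInt(versions[0]) >= compareTo) {
                return true;
            }
            return versions.length > 1 && Integer.parseInt(versions[1]) >= compareTo;
        } catch (NumberFormatException e) {
            // Unrecognised version format: report "not at or above" rather than
            // failing class initialisation of Constants.
            return false;
        }
    }
```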
--- a/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java	Mon Jun 03 15:27:00 2013 +0200
@@ -25,13 +25,14 @@
 
 package com.sun.org.apache.xerces.internal.impl;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
 import java.util.HashMap;
+import javax.xml.XMLConstants;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
 import javax.xml.stream.XMLResolver;
 
-import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
-
 /**
  *  This class manages different properties related to Stax specification and its implementation.
  * This class constructor also takes itself (PropertyManager object) as parameter and initializes the
@@ -51,6 +52,12 @@
     private static final String STRING_INTERNING = "http://xml.org/sax/features/string-interning";
 
 
+    /** Property identifier: access to external dtd */
+    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema  */
+    protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     HashMap supportedProps = new HashMap();
 
     public static final int CONTEXT_READER = 1;
@@ -117,6 +124,15 @@
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ATTDEF_FEATURE, new Boolean(false));
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE, new Boolean(false));
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_UNDECLARED_ELEMDEF_FEATURE, new Boolean(false));
+
+        //For DOM/SAX, the secure feature is set to true by default
+        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
+                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
+        supportedProps.put(ACCESS_EXTERNAL_DTD, accessExternal);
+
+        accessExternal =  SecuritySupport.getDefaultAccessProperty(
+                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
+        supportedProps.put(ACCESS_EXTERNAL_SCHEMA, accessExternal);
     }
 
     private void initWriterProps(){
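Review bot: The comment `//For DOM/SAX, the secure feature is set to true by default` looks copied from the DOM configuration, while this class is described in its header as managing StAX properties. A comment that matches the code would be `// StAX: default the external-access lists from the system properties, falling back to Constants.EXTERNAL_ACCESS_DEFAULT`. The method this block belongs to begins outside the hunk.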
--- a/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -52,7 +52,10 @@
 import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
+import com.sun.xml.internal.stream.Entity;
+import javax.xml.XMLConstants;
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.events.XMLEvent;
 
@@ -159,6 +162,18 @@
     protected static final String ENTITY_RESOLVER =
             Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_RESOLVER_PROPERTY;
 
+    /** Feature identifier: standard uri conformant */
+    protected static final String STANDARD_URI_CONFORMANT =
+            Constants.XERCES_FEATURE_PREFIX +Constants.STANDARD_URI_CONFORMANT_FEATURE;
+
+    /** property identifier: access external dtd. */
+    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** access external dtd: file protocol
+     *  For DOM/SAX, the secure feature is set to true by default
+     */
+    final static String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
+
     // recognized features and properties
 
     /** Recognized features. */
@@ -184,6 +199,7 @@
         SYMBOL_TABLE,
                 ERROR_REPORTER,
                 ENTITY_MANAGER,
+                ACCESS_EXTERNAL_DTD
     };
 
     /** Property defaults. */
@@ -191,6 +207,7 @@
                 null,
                 null,
                 null,
+                EXTERNAL_ACCESS_DEFAULT
     };
 
     private static final char [] cdata = {'[','C','D','A','T','A','['};
@@ -297,6 +314,17 @@
     protected String fDeclaredEncoding =  null;
     /** Xerces Feature: Disallow doctype declaration. */
     protected boolean fDisallowDoctype = false;
+    /**
+     * comma-delimited list of protocols that are allowed for the purpose
+     * of accessing external dtd or entity references
+     */
+    protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
+
+    /**
+     * standard uri conformant (strict uri).
+     * http://apache.org/xml/features/standard-uri-conformant
+     */
+    protected boolean fStrictURI;
 
     // drivers
 
@@ -413,17 +441,6 @@
      *
      * @return True if there is more to scan, false otherwise.
      */
-   /* public boolean scanDocument(boolean complete)
-    throws IOException, XNIException {
-
-        // keep dispatching "events"
-        fEntityManager.setEntityHandler(this);
-
-        return true;
-
-    } // scanDocument(boolean):boolean
-    */
-
     public boolean scanDocument(boolean complete)
     throws IOException, XNIException {
 
@@ -579,6 +596,9 @@
         //xxx: external entities are supported in Xerces
         // it would be good to define feature for this case
         fSupportExternalEntities = true;
+        fSupportExternalEntities = true;
+        fSupportExternalEntities = true;
+        fSupportExternalEntities = true;
         fReplaceEntityReferences = true;
         fIsCoalesce = false;
 
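Review bot: The three added `fSupportExternalEntities = true;` lines repeat the assignment on the context line directly above and have no effect; they look like residue from the merge. Dropping them leaves a single assignment. This flag takes part in the decision whether an external entity reference is expanded (the `isEE && !fSupportExternalEntities` test later in this file), so one assignment next to the existing `//xxx` comment is also easier to audit. The enclosing method starts and ends outside this hunk.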
@@ -589,6 +609,9 @@
 
         dtdGrammarUtil = null;
 
+        // JAXP 1.5 features and properties
+        fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
+        fStrictURI = componentManager.getFeature(STANDARD_URI_CONFORMANT, false);
 
         //fEntityManager.test();
     } // reset(XMLComponentManager)
@@ -639,6 +662,9 @@
 
         dtdGrammarUtil = null;
 
+        // Oracle jdk feature
+        fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
+
     } // reset(XMLComponentManager)
 
     /**
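Review bot: `reset(PropertyManager)` reads `ACCESS_EXTERNAL_DTD` without a fallback, whereas the component-manager reset in the previous hunk passes `EXTERNAL_ACCESS_DEFAULT`. If the property manager has no entry, `fAccessExternalDTD` becomes null, and what `SecuritySupport.checkAccess` does with a null protocol list is not visible here. I would make the two paths agree: `Object v = propertyManager.getProperty(ACCESS_EXTERNAL_DTD);` followed by `fAccessExternalDTD = (v != null) ? (String) v : EXTERNAL_ACCESS_DEFAULT;`. XMLEntityManager has the same unguarded read in hunk `@@ -1399,6 +1417,12 @@`. The comment `// Oracle jdk feature` would also read better as `// JAXP 1.5 property`, matching the other sites.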
@@ -735,6 +761,14 @@
             return;
         }
 
+        //JAXP 1.5 properties
+        if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
+            if (propertyId.equals(ACCESS_EXTERNAL_DTD))
+            {
+                fAccessExternalDTD = (String)value;
+            }
+        }
+
     } // setProperty(String,Object)
 
     /**
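Review bot: `fAccessExternalDTD = (String)value;` trusts the caller to pass a String. Any other type surfaces as a ClassCastException from inside the scanner, and a null value silently replaces the restriction list. Unless every caller already validates the value, a guard such as `if (value instanceof String) { fAccessExternalDTD = (String) value; }`, or an explicit configuration error otherwise, keeps the setting well defined. The same block is added to XMLEntityManager.setProperty in hunk `@@ -1609,7 +1640,15 @@`. The method starts outside this hunk.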
@@ -1846,7 +1880,8 @@
         //1. if the entity is external and support to external entities is not required
         // 2. or entities should not be replaced
         //3. or if it is built in entity reference.
-        if((fEntityStore.isExternalEntity(name) && !fSupportExternalEntities) || (!fEntityStore.isExternalEntity(name) && !fReplaceEntityReferences) || foundBuiltInRefs){
+        boolean isEE = fEntityStore.isExternalEntity(name);
+        if((isEE && !fSupportExternalEntities) || (!isEE && !fReplaceEntityReferences) || foundBuiltInRefs){
             fScannerState = SCANNER_STATE_REFERENCE;
             return ;
         }
@@ -1996,6 +2031,12 @@
 
     } // getDriverName():String
 
+    String checkAccess(String systemId, String allowedProtocols) throws IOException {
+        String baseSystemId = fEntityScanner.getBaseSystemId();
+        String expandedSystemId = fEntityManager.expandSystemId(systemId, baseSystemId,fStrictURI);
+        return SecuritySupport.checkAccess(expandedSystemId, allowedProtocols, Constants.ACCESS_EXTERNAL_ALL);
+    }
+
     //
     // Classes
     //
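Review bot: `checkAccess` enforces the new external-access restriction but is added without Javadoc, and its String return value is not self-explanatory. At the call site in XMLDocumentScannerImpl a non-null result is treated as an access error and reported as `AccessExternalDTD`, so null appears to mean "allowed". I would add a Javadoc saying that `systemId` is expanded against the entity scanner's base system id (honouring `fStrictURI`) before the protocol check, with an `@return` of null when access is permitted and otherwise the value placed in the error message. The exact content of the non-null value is defined by `SecuritySupport.checkAccess`, which is not shown in this section.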
--- a/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentScannerImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentScannerImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -21,6 +21,22 @@
 package com.sun.org.apache.xerces.internal.impl;
 
 
+import com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDDescription;
+import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
+import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
+import com.sun.org.apache.xerces.internal.util.XMLChar;
+import com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl;
+import com.sun.org.apache.xerces.internal.util.XMLStringBuffer;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.xni.Augmentations;
+import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
+import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
+import com.sun.org.apache.xerces.internal.xni.XMLString;
+import com.sun.org.apache.xerces.internal.xni.XNIException;
+import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
+import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
+import com.sun.org.apache.xerces.internal.xni.parser.XMLDTDScanner;
+import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
 import com.sun.xml.internal.stream.Entity;
 import com.sun.xml.internal.stream.StaxXMLInputSource;
 import com.sun.xml.internal.stream.dtd.DTDGrammarUtil;
@@ -29,23 +45,6 @@
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.events.XMLEvent;
 
-import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
-import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
-import com.sun.org.apache.xerces.internal.util.XMLChar;
-import com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl;
-import com.sun.org.apache.xerces.internal.util.XMLStringBuffer;
-import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
-import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
-import com.sun.org.apache.xerces.internal.xni.XMLString;
-import com.sun.org.apache.xerces.internal.xni.XNIException;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLDTDScanner;
-import com.sun.org.apache.xerces.internal.xni.Augmentations;
-import com.sun.org.apache.xerces.internal.impl.dtd.XMLDTDDescription;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentScanner;
-
 
 /**
  * This class is responsible for scanning XML document structure
@@ -148,7 +147,7 @@
 
     /** Property defaults. */
     private static final Object[] PROPERTY_DEFAULTS = {
-        null,
+            null,
                 null
     };
 
@@ -920,7 +919,6 @@
                             reportFatalError("DoctypeNotAllowed", null);
                         }
 
-
                         if (fSeenDoctypeDecl) {
                             reportFatalError("AlreadySeenDoctype", null);
                         }
@@ -952,15 +950,18 @@
                         if (fDoctypeSystemId != null) {
                             if (((fValidation || fLoadExternalDTD)
                                 && (fValidationManager == null || !fValidationManager.isCachedDTD()))) {
-                            if (fSupportDTD)
-                                setScannerState(SCANNER_STATE_DTD_EXTERNAL);
-                            else
-                                setScannerState(SCANNER_STATE_PROLOG);
-                            setDriver(fContentDriver);
-                            if(fDTDDriver == null)
-                                fDTDDriver = new DTDDriver();
-                            return fDTDDriver.next();
+                                if (fSupportDTD) {
+                                    setScannerState(SCANNER_STATE_DTD_EXTERNAL);
+                                } else {
+                                    setScannerState(SCANNER_STATE_PROLOG);
+                                }
 
+                                setDriver(fContentDriver);
+                                if(fDTDDriver == null) {
+                                    fDTDDriver = new DTDDriver();
+                                }
+
+                                return fDTDDriver.next();
                             }
                         }
                         else if (fExternalSubsetSource != null) {
@@ -1149,9 +1150,21 @@
                             resourceIdentifier.setValues(fDoctypePublicId, fDoctypeSystemId, null, null);
                             XMLInputSource xmlInputSource = null ;
                             StaxXMLInputSource staxInputSource =  fEntityManager.resolveEntityAsPerStax(resourceIdentifier);
+
+                            // Check access permission. If the source is resolved by a resolver, the check is skipped.
+                            if (!staxInputSource.hasResolver()) {
+                                String accessError = checkAccess(fDoctypeSystemId, fAccessExternalDTD);
+                                if (accessError != null) {
+                                    reportFatalError("AccessExternalDTD", new Object[]{ SecuritySupport.sanitizePath(fDoctypeSystemId), accessError });
+                                }
+                            }
                             xmlInputSource = staxInputSource.getXMLInputSource();
                             fDTDScanner.setInputSource(xmlInputSource);
-                            setScannerState(SCANNER_STATE_DTD_EXTERNAL_DECLS);
+                            if (fEntityScanner.fCurrentEntity != null) {
+                                setScannerState(SCANNER_STATE_DTD_EXTERNAL_DECLS);
+                            } else {
+                                setScannerState(SCANNER_STATE_PROLOG);
+                            }
                             again = true;
                             break;
                         }
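Review bot: When `checkAccess` returns an error, the code calls `reportFatalError("AccessExternalDTD", ...)` and then falls through to `staxInputSource.getXMLInputSource()` and `fDTDScanner.setInputSource(xmlInputSource)`, so the denial holds only if `reportFatalError` never returns. If that path can return (for example with the Xerces continue-after-fatal-error feature enabled, to be confirmed against the error reporter), the rejected DTD source would still be handed to the DTD scanner. I would make the refusal explicit, e.g. move the `setInputSource` call and the state change into the `else` of `if (accessError != null)`, or switch to `SCANNER_STATE_PROLOG` on denial. The check in XMLEntityManager (hunk `@@ -1195,6 +1201,18 @@`) has the same shape with `fErrorReporter.reportError(...)`. The new `fEntityScanner.fCurrentEntity != null` branch also needs a one-line comment saying when the current entity can be null here; the enclosing method is outside the hunk.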
--- a/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java	Mon Jun 03 15:27:00 2013 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2006, 2013 Oracle and/or its affiliates. All rights reserved.
  */
 
 /*
@@ -20,50 +20,37 @@
 
 package com.sun.org.apache.xerces.internal.impl ;
 
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.impl.io.ASCIIReader;
+import com.sun.org.apache.xerces.internal.impl.io.UCSReader;
+import com.sun.org.apache.xerces.internal.impl.io.UTF8Reader;
+import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
+import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
+import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
+import com.sun.org.apache.xerces.internal.util.*;
+import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.util.URI;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.xni.Augmentations;
+import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
+import com.sun.org.apache.xerces.internal.xni.XNIException;
+import com.sun.org.apache.xerces.internal.xni.parser.*;
+import com.sun.xml.internal.stream.Entity;
 import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
 import com.sun.xml.internal.stream.StaxXMLInputSource;
 import com.sun.xml.internal.stream.XMLEntityStorage;
 import java.io.*;
-import java.io.BufferedReader;
-import java.util.*;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.Reader;
-import java.io.StringReader;
 import java.lang.reflect.Method;
 import java.net.HttpURLConnection;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLConnection;
-import java.net.URISyntaxException;
 import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Stack;
-
-
-import com.sun.org.apache.xerces.internal.impl.io.*;
-import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.*;
-import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
-import com.sun.org.apache.xerces.internal.xni.XNIException;
-import com.sun.org.apache.xerces.internal.xni.parser.*;
-import com.sun.org.apache.xerces.internal.impl.Constants;
-import com.sun.xml.internal.stream.Entity;
-import com.sun.org.apache.xerces.internal.xni.Augmentations;
-
-import com.sun.org.apache.xerces.internal.impl.io.UTF8Reader;
-import com.sun.org.apache.xerces.internal.impl.io.ASCIIReader;
-import com.sun.org.apache.xerces.internal.impl.io.UCSReader;
-import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
-import com.sun.org.apache.xerces.internal.util.HTTPInputSource;
-import com.sun.org.apache.xerces.internal.xinclude.XIncludeHandler;
-
-import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
-import com.sun.org.apache.xerces.internal.util.URI;
+import javax.xml.XMLConstants;
 
 
 /**
@@ -139,6 +126,10 @@
     protected static final String WARN_ON_DUPLICATE_ENTITYDEF =
             Constants.XERCES_FEATURE_PREFIX +Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE;
 
+    /** Feature identifier: load external DTD. */
+    protected static final String LOAD_EXTERNAL_DTD =
+            Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE;
+
     // property identifiers
 
     /** Property identifier: symbol table. */
@@ -172,8 +163,16 @@
     protected static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
-protected static final String PARSER_SETTINGS =
+    protected static final String PARSER_SETTINGS =
         Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
+
+    /** property identifier: access external dtd. */
+    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** access external dtd: file protocol */
+    static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
+
+
     // recognized features and properties
 
     /** Recognized features. */
@@ -204,7 +203,7 @@
                 VALIDATION_MANAGER,
                 BUFFER_SIZE,
                 SECURITY_MANAGER,
-
+                ACCESS_EXTERNAL_DTD
     };
 
     /** Property defaults. */
@@ -214,7 +213,8 @@
                 null,
                 null,
                 new Integer(DEFAULT_BUFFER_SIZE),
-                null
+                null,
+                EXTERNAL_ACCESS_DEFAULT
     };
 
     private static final String XMLEntity = "[xml]".intern();
@@ -273,6 +273,8 @@
      */
     protected boolean fAllowJavaEncodings = true ;
 
+    /** Load external DTD. */
+    protected boolean fLoadExternalDTD = true;
 
     // properties
 
@@ -301,7 +303,8 @@
     /** Property Manager. This is used from Stax */
     protected PropertyManager fPropertyManager ;
 
-
+    /** used to restrict external access */
+    protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
     // settings
 
     /**
@@ -365,6 +368,9 @@
     /** Current entity. */
     protected Entity.ScannedEntity fCurrentEntity = null;
 
+    /** identify if the InputSource is created by a resolver */
+    boolean fISCreatedByResolver = false;
+
     // shared context
 
     protected XMLEntityStorage fEntityStorage ;
@@ -964,18 +970,25 @@
             System.out.println("BEFORE Calling resolveEntity") ;
         }
 
+        fISCreatedByResolver = false;
         //either of Stax or Xerces would be null
         if(fStaxEntityResolver != null){
             staxInputSource = fStaxEntityResolver.resolveEntity(ri);
+            if(staxInputSource != null) {
+                fISCreatedByResolver = true;
+            }
         }
 
         if(fEntityResolver != null){
             xmlInputSource = fEntityResolver.resolveEntity(ri);
+            if(xmlInputSource != null) {
+                fISCreatedByResolver = true;
+            }
         }
 
         if(xmlInputSource != null){
             //wrap this XMLInputSource to StaxInputSource
-            staxInputSource = new StaxXMLInputSource(xmlInputSource);
+            staxInputSource = new StaxXMLInputSource(xmlInputSource, fISCreatedByResolver);
         }
 
         // do default resolution
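Review bot: Whether a source came from a resolver is now tracked in two places: the instance field `fISCreatedByResolver` and the flag passed to `new StaxXMLInputSource(xmlInputSource, fISCreatedByResolver)`. On the StAX-resolver branch only the field is set, and whether the object returned by `fStaxEntityResolver.resolveEntity(ri)` also reports `hasResolver()` as true is not visible in this hunk. XMLDocumentScannerImpl consults `hasResolver()` while XMLEntityManager consults the field, so the two checks may disagree. Because this flag decides whether the external-access check is skipped, I would keep one source of truth: have the later check use `staxInputSource.hasResolver()` and make `fISCreatedByResolver` a local variable, so state left over from an earlier call cannot affect a later decision. The method continues past the end of the hunk.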
@@ -1107,7 +1120,13 @@
 
         // should we skip external entities?
         boolean external = entity.isExternal();
+        Entity.ExternalEntity externalEntity = null;
+        String extLitSysId = null, extBaseSysId = null, expandedSystemId = null;
         if (external) {
+            externalEntity = (Entity.ExternalEntity)entity;
+            extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null);
+            extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null);
+            expandedSystemId = expandSystemId(extLitSysId, extBaseSysId);
             boolean unparsed = entity.isUnparsed();
             boolean parameter = entityName.startsWith("%");
             boolean general = !parameter;
@@ -1117,13 +1136,6 @@
                 if (fEntityHandler != null) {
                     fResourceIdentifier.clear();
                     final String encoding = null;
-                    Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity;
-                    //REVISIT:  since we're storing expandedSystemId in the
-                    // externalEntity, how could this have got here if it wasn't already
-                    // expanded??? - neilg
-                    String extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null);
-                    String extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null);
-                    String expandedSystemId = expandSystemId(extLitSysId, extBaseSysId);
                     fResourceIdentifier.setValues(
                             (externalEntity.entityLocation != null ? externalEntity.entityLocation.getPublicId() : null),
                             extLitSysId, extBaseSysId, expandedSystemId);
@@ -1161,11 +1173,6 @@
                             fResourceIdentifier.clear();
                             final String encoding = null;
                             if (external) {
-                                Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity;
-                                // REVISIT:  for the same reason above...
-                                String extLitSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getLiteralSystemId() : null);
-                                String extBaseSysId = (externalEntity.entityLocation != null ? externalEntity.entityLocation.getBaseSystemId() : null);
-                                String expandedSystemId = expandSystemId(extLitSysId, extBaseSysId);
                                 fResourceIdentifier.setValues(
                                         (externalEntity.entityLocation != null ? externalEntity.entityLocation.getPublicId() : null),
                                         extLitSysId, extBaseSysId, expandedSystemId);
@@ -1187,7 +1194,6 @@
         XMLInputSource xmlInputSource = null ;
 
         if (external) {
-            Entity.ExternalEntity externalEntity = (Entity.ExternalEntity)entity;
             staxInputSource = resolveEntityAsPerStax(externalEntity.entityLocation);
             /** xxx:  Waiting from the EG
              * //simply return if there was entity resolver registered and application
@@ -1195,6 +1201,18 @@
              * if(staxInputSource.hasXMLStreamOrXMLEventReader()) return ;
              */
             xmlInputSource = staxInputSource.getXMLInputSource() ;
+            if (!fISCreatedByResolver) {
+                //let the not-LoadExternalDTD or not-SupportDTD process to handle the situation
+                if (fLoadExternalDTD) {
+                    String accessError = SecuritySupport.checkAccess(expandedSystemId, fAccessExternalDTD, Constants.ACCESS_EXTERNAL_ALL);
+                    if (accessError != null) {
+                        fErrorReporter.reportError(this.getEntityScanner(),XMLMessageFormatter.XML_DOMAIN,
+                                "AccessExternalEntity",
+                                new Object[] { SecuritySupport.sanitizePath(expandedSystemId), accessError },
+                                XMLErrorReporter.SEVERITY_FATAL_ERROR);
+                    }
+                }
+            }
         }
         // wrap internal entity
         else {
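Review bot: The protocol check is nested inside `if (fLoadExternalDTD)`, so with that feature switched off `SecuritySupport.checkAccess` is never called for an external entity reaching this point. The comment says another code path handles that configuration, but that path is not in this hunk. If load-external-dtd governs only the external subset, external entities declared in the internal subset would be opened without the `fAccessExternalDTD` restriction. Please either name the path that blocks them in the comment, or apply the check regardless of `fLoadExternalDTD`. Also, `staxInputSource.getXMLInputSource()` runs before the check; if resolution can already touch the resource, the check belongs above it. The enclosing method starts and ends outside the hunk.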
@@ -1399,6 +1417,12 @@
             fStaxEntityResolver = null;
         }
 
+        // Zephyr feature ignore-external-dtd is the opposite of Xerces' load-external-dtd
+        fLoadExternalDTD = !((Boolean)propertyManager.getProperty(Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD)).booleanValue();
+
+        // JAXP 1.5 feature
+        fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
+
         // initialize state
         //fStandalone = false;
         fEntities.clear();
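Review bot: `!((Boolean)propertyManager.getProperty(...)).booleanValue()` throws a NullPointerException when the property manager holds no value for `Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD`; whether that key is always registered is not visible here. A null-tolerant form keeps the field's declared default of true: `Boolean ignore = (Boolean) propertyManager.getProperty(...);` then `fLoadExternalDTD = (ignore == null) || !ignore.booleanValue();`. The method starts outside this hunk.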
@@ -1408,8 +1432,6 @@
         fExternalGeneralEntities = true;
         fExternalParameterEntities = true;
         fAllowJavaEncodings = true ;
-
-        //test();
     }
 
     /**
@@ -1452,6 +1474,7 @@
         fAllowJavaEncodings = componentManager.getFeature(ALLOW_JAVA_ENCODINGS, false);
         fWarnDuplicateEntityDef = componentManager.getFeature(WARN_ON_DUPLICATE_ENTITYDEF, false);
         fStrictURI = componentManager.getFeature(STANDARD_URI_CONFORMANT, false);
+        fLoadExternalDTD = componentManager.getFeature(LOAD_EXTERNAL_DTD, true);
 
         // xerces properties
         fSymbolTable = (SymbolTable)componentManager.getProperty(SYMBOL_TABLE);
@@ -1461,6 +1484,9 @@
         fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null);
         fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
 
+        // JAXP 1.5 feature
+        fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
+
         //reset general state
         reset();
 
@@ -1553,6 +1579,11 @@
                 featureId.endsWith(Constants.ALLOW_JAVA_ENCODINGS_FEATURE)) {
                 fAllowJavaEncodings = state;
             }
+            if (suffixLength == Constants.LOAD_EXTERNAL_DTD_FEATURE.length() &&
+                featureId.endsWith(Constants.LOAD_EXTERNAL_DTD_FEATURE)) {
+                fLoadExternalDTD = state;
+                return;
+            }
         }
 
     } // setFeature(String,boolean)
@@ -1609,7 +1640,15 @@
             }
         }
 
+        //JAXP 1.5 properties
+        if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
+            if (propertyId.equals(ACCESS_EXTERNAL_DTD))
+            {
+                fAccessExternalDTD = (String)value;
+            }
+        }
     }
+
     /**
      * Returns a list of property identifiers that are recognized by
      * this component. This method may return null if no properties
@@ -1727,7 +1766,7 @@
         // get the user.dir property
         String userDir = "";
         try {
-            userDir = System.getProperty("user.dir");
+            userDir = SecuritySupport.getSystemProperty("user.dir");
         }
         catch (SecurityException se) {
         }
--- a/src/com/sun/org/apache/xerces/internal/impl/dv/DatatypeException.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/dv/DatatypeException.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,6 +20,7 @@
 
 package com.sun.org.apache.xerces.internal.impl.dv;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.ResourceBundle;
 import java.util.PropertyResourceBundle;
 import java.util.MissingResourceException;
@@ -34,6 +35,7 @@
  *
  * @author Sandy Gao, IBM
  *
+ * @version $Id: DatatypeException.java,v 1.6 2010-11-01 04:39:43 joehw Exp $
  */
 public class DatatypeException extends Exception {
 
@@ -84,7 +86,7 @@
      */
     public String getMessage() {
         ResourceBundle resourceBundle = null;
-        resourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSchemaMessages");
+        resourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSchemaMessages");
         if (resourceBundle == null)
             throw new MissingResourceException("Property file not found!", "com.sun.org.apache.xerces.internal.impl.msg.XMLSchemaMessages", key);
 
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -11,7 +11,7 @@
 HrefMissing = The 'href' attribute of an 'include' element is missing.
 RecursiveInclude = Recursive include detected.  Document ''{0}'' was already processed.
 InvalidParseValue = Invalid value for ''parse'' attribute on ''include'' element: ''{0}''.
-XMLParseError = Error attempting to parse XML file (href=''{0}'').
+XMLParseError = Error attempting to parse XML file (href=''{0}''). Reason: {1}
 XMLResourceError = Include operation failed, reverting to fallback. Resource error reading file as XML (href=''{0}''). Reason: {1}
 TextResourceError = Include operation failed, reverting to fallback. Resource error reading file as text (href=''{0}''). Reason: {1}
 NO_XPointerSchema = Schema for \"{0}\" is not supported by default. Define your own schema for {0}.See http://apache.org/xml/properties/xpointer-schema
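Review bot: `XMLParseError` now has a second placeholder, `{1}`, so every site that reports this key has to pass a reason as the second argument; the callers are not part of this file section and should be checked. With a one-element argument array the formatted message would typically end in a literal `{1}`. If the reason is taken from an exception message, it is worth confirming that it does not carry full local paths, given that the access-check messages elsewhere in this changeset go through `SecuritySupport.sanitizePath`.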
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_de.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_de.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = "href"-Attribut eines "include"-Elements fehlt.
 RecursiveInclude = Rekursives "include" ermittelt. Dokument "{0}" wurde bereits verarbeitet.
 InvalidParseValue = Ung\u00FCltiger Wert f\u00FCr "parse"-Attribut bei "include"-Element: "{0}".
-XMLParseError = Fehler beim Versuch, XML-Datei zu parsen (href="{0}").
+XMLParseError = Fehler beim Versuch, XML-Datei zu parsen (href="{0}").  Grund: {1}
 XMLResourceError = Include-Vorgang nicht erfolgreich. Zur\u00FCck zu Fallback. Ressourcenfehler beim Lesen der Datei als XML (href="{0}"). Grund: {1}
 TextResourceError = Include-Vorgang nicht erfolgreich. Zur\u00FCck zu Fallback. Ressourcenfehler beim Lesen der Datei als Text (href="{0}"). Grund: {1}
 NO_XPointerSchema = Schema f\u00FCr \"{0}\" wird standardm\u00E4\u00DFig nicht unterst\u00FCtzt. Definieren Sie Ihr eigenes Schema f\u00FCr {0}. Siehe http://apache.org/xml/properties/xpointer-schema
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_es.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_es.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = Falta el atributo 'href' de un elemento 'include'.
 RecursiveInclude = Se ha detectado un elemento include recursivo. El documento ''{0}'' ya se ha procesado.
 InvalidParseValue = Valor no v\u00E1lido para el atributo ''parse'' en el elemento ''include'': ''{0}''.
-XMLParseError = Error al intentar analizar el archivo XML (href=''{0}'').
+XMLParseError = Error al intentar analizar el archivo XML (href=''{0}'').  Motivo: {1}
 XMLResourceError = Fallo de la operaci\u00F3n include, conversi\u00F3n a fallback. Error del recurso al leer el archivo como XML (href=''{0}''). Motivo: {1}
 TextResourceError = Fallo de la operaci\u00F3n include, conversi\u00F3n a fallback. Error del recurso al leer el archivo como texto (href=''{0}''). Motivo: {1}
 NO_XPointerSchema = El esquema para \"{0}\" no est\u00E1 soportado por defecto. Defina su propio esquema para {0}. Consulte http://apache.org/xml/properties/xpointer-schema
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_fr.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_fr.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = L'attribut 'href' d'un \u00E9l\u00E9ment 'include' est manquant.
 RecursiveInclude = El\u00E9ment "include" r\u00E9cursif d\u00E9tect\u00E9. Le document ''{0}'' a d\u00E9j\u00E0 \u00E9t\u00E9 trait\u00E9.
 InvalidParseValue = Valeur non valide pour l''attribut ''parse'' sur l''\u00E9l\u00E9ment ''include'' : ''{0}''.
-XMLParseError = Erreur lors de la tentative d''analyse du fichier XML (href=''{0}'').
+XMLParseError = Erreur lors de la tentative d''analyse du fichier XML (href=''{0}''). Raison : {1}
 XMLResourceError = Echec de l''op\u00E9ration Include, r\u00E9tablissement de l''\u00E9l\u00E9ment fallback. Erreur de ressource lors de la lecture du fichier en tant que XML (href=''{0}''). Raison : {1}
 TextResourceError = Echec de l''op\u00E9ration Include, r\u00E9tablissement de l''\u00E9l\u00E9ment fallback. Erreur de ressource lors de la lecture du fichier en tant que texte (href=''{0}''). Raison : {1}
 NO_XPointerSchema = Par d\u00E9faut, le sch\u00E9ma pour \"{0}\" n''est pas pris en charge. D\u00E9finissez votre propre sch\u00E9ma pour {0}. Reportez-vous \u00E0 l''adresse http://apache.org/xml/properties/xpointer-schema
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_it.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_it.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = Manca l'attributo 'href' di un elemento 'include'.
 RecursiveInclude = Inclusione ricorsiva rilevata. Il documento ''{0}'' \u00E8 gi\u00E0 stato elaborato.
 InvalidParseValue = Valore non valido per l''attributo ''parse'' nell''elemento ''include'': ''{0}''.
-XMLParseError = Errore nel tentativo di analizzare il file XML (href=''{0}'').
+XMLParseError = Errore nel tentativo di analizzare il file XML (href=''{0}''). Motivo: {1}
 XMLResourceError = Operazione di inclusione non riuscita. Verr\u00E0 ripristinato il fallback. Errore di risorsa durante la lettura del file come XML (href=''{0}''). Motivo: {1}
 TextResourceError = Operazione di inclusione non riuscita. Verr\u00E0 ripristinato il fallback. Errore di risorsa durante la lettura del file come testo (href=''{0}''). Motivo: {1}
 NO_XPointerSchema = Lo schema per \"{0}\" non \u00E8 supportato per impostazione predefinita. Definire il proprio schema per {0}. Vedere http://apache.org/xml/properties/xpointer-schema.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_ja.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_ja.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = 'include'\u8981\u7D20\u306E'href'\u5C5E\u6027\u304C\u3042\u308A\u307E\u305B\u3093\u3002
 RecursiveInclude = \u518D\u5E30\u7684\u306Ainclude\u304C\u691C\u51FA\u3055\u308C\u307E\u3057\u305F\u3002\u30C9\u30AD\u30E5\u30E1\u30F3\u30C8''{0}''\u306F\u3059\u3067\u306B\u51E6\u7406\u3055\u308C\u3066\u3044\u307E\u3059\u3002
 InvalidParseValue = ''include''\u8981\u7D20\u306E''parse''\u5C5E\u6027\u306E\u5024\u304C\u7121\u52B9\u3067\u3059: ''{0}''\u3002
-XMLParseError = XML\u30D5\u30A1\u30A4\u30EB\u306E\u89E3\u6790\u8A66\u884C\u4E2D\u306B\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(href=''{0}'')\u3002
+XMLParseError = XML\u30D5\u30A1\u30A4\u30EB\u306E\u89E3\u6790\u8A66\u884C\u4E2D\u306B\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(href=''{0}'')\u3002\u7406\u7531: {1}
 XMLResourceError = \u30A4\u30F3\u30AF\u30EB\u30FC\u30C9\u64CD\u4F5C\u304C\u5931\u6557\u3057\u3001\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u306B\u623B\u308A\u307E\u3059\u3002\u30D5\u30A1\u30A4\u30EB\u3092XML\u3068\u3057\u3066\u8AAD\u53D6\u308A\u4E2D\u306B\u30EA\u30BD\u30FC\u30B9\u30FB\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(href=''{0}'')\u3002\u7406\u7531: {1}
 TextResourceError = \u30A4\u30F3\u30AF\u30EB\u30FC\u30C9\u64CD\u4F5C\u304C\u5931\u6557\u3057\u3001\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u306B\u623B\u308A\u307E\u3059\u3002\u30D5\u30A1\u30A4\u30EB\u3092\u30C6\u30AD\u30B9\u30C8\u3068\u3057\u3066\u8AAD\u53D6\u308A\u4E2D\u306B\u30EA\u30BD\u30FC\u30B9\u30FB\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(href=''{0}'')\u3002\u7406\u7531: {1}
 NO_XPointerSchema = \u30C7\u30D5\u30A9\u30EB\u30C8\u3067\u306F\u3001\"{0}\"\u306E\u30B9\u30AD\u30FC\u30DE\u306F\u30B5\u30DD\u30FC\u30C8\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002{0}\u306B\u5BFE\u3057\u3066\u72EC\u81EA\u306E\u30B9\u30AD\u30FC\u30DE\u3092\u5B9A\u7FA9\u3057\u3066\u304F\u3060\u3055\u3044\u3002http://apache.org/xml/properties/xpointer-schema\u3092\u53C2\u7167\u3057\u3066\u304F\u3060\u3055\u3044
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_ko.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_ko.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = 'include' \uC694\uC18C\uC758 'href' \uC18D\uC131\uC774 \uB204\uB77D\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
 RecursiveInclude = \uC21C\uD658 include\uAC00 \uAC10\uC9C0\uB418\uC5C8\uC2B5\uB2C8\uB2E4. ''{0}'' \uBB38\uC11C\uAC00 \uC774\uBBF8 \uCC98\uB9AC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
 InvalidParseValue = ''include'' \uC694\uC18C\uC5D0 ''parse'' \uC18D\uC131\uC5D0 \uB300\uD574 \uBD80\uC801\uD569\uD55C \uAC12\uC774 \uC788\uC74C: ''{0}''.
-XMLParseError = XML \uD30C\uC77C(href=''{0}'')\uC758 \uAD6C\uBB38\uC744 \uBD84\uC11D\uD558\uB824\uACE0 \uC2DC\uB3C4\uD558\uB294 \uC911 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4.
+XMLParseError = XML \uD30C\uC77C(href=''{0}'')\uC758 \uAD6C\uBB38\uC744 \uBD84\uC11D\uD558\uB824\uACE0 \uC2DC\uB3C4\uD558\uB294 \uC911 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4.\uC6D0\uC778: {1}
 XMLResourceError = Include \uC791\uC5C5\uC744 \uC2E4\uD328\uD558\uC5EC fallback\uC73C\uB85C \uBCF5\uC6D0\uD558\uB294 \uC911\uC785\uB2C8\uB2E4. \uD30C\uC77C\uC744 XML(href=''{0}'')\uB85C \uC77D\uB294 \uC911 \uB9AC\uC18C\uC2A4 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4. \uC6D0\uC778: {1}
 TextResourceError = Include \uC791\uC5C5\uC744 \uC2E4\uD328\uD558\uC5EC fallback\uC73C\uB85C \uBCF5\uC6D0\uD558\uB294 \uC911\uC785\uB2C8\uB2E4. \uD30C\uC77C\uC744 \uD14D\uC2A4\uD2B8(href=''{0}'')\uB85C \uC77D\uB294 \uC911 \uB9AC\uC18C\uC2A4 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4. \uC6D0\uC778: {1}
 NO_XPointerSchema = \uAE30\uBCF8\uC801\uC73C\uB85C \"{0}\"\uC5D0 \uB300\uD55C \uC2A4\uD0A4\uB9C8\uB294 \uC9C0\uC6D0\uB418\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4. {0}\uC5D0 \uB300\uD574 \uACE0\uC720\uD55C \uC2A4\uD0A4\uB9C8\uB97C \uC815\uC758\uD558\uC2ED\uC2DC\uC624. http://apache.org/xml/properties/xpointer-schema\uB97C \uCC38\uC870\uD558\uC2ED\uC2DC\uC624.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_pt_BR.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_pt_BR.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = O atributo 'href' de um elemento 'include' n\u00E3o foi encontrado.
 RecursiveInclude = Inclus\u00E3o recursiva detectada. O documento ''{0}'' j\u00E1 foi processado.
 InvalidParseValue = Valor inv\u00E1lido para o atributo ''parse'' no elemento ''include'': ''{0}''.
-XMLParseError = Erro ao tentar fazer parse do arquivo XML (href=''{0}'').
+XMLParseError = Erro ao tentar fazer parse do arquivo XML (href=''{0}'').  Motivo: {1}
 XMLResourceError = Falha na opera\u00E7\u00E3o de inclus\u00E3o; revertendo para fallback. Erro do recurso ao ler o arquivo como XML (href=''{0}''). Motivo: {1}
 TextResourceError = Falha na opera\u00E7\u00E3o de inclus\u00E3o; revertendo para fallback. Erro do recurso ao ler o arquivo como texto (href=''{0}''). Motivo: {1}
 NO_XPointerSchema = Por default, o esquema para \"{0}\" n\u00E3o \u00E9 suportado. Defina seu pr\u00F3prio esquema para {0}. Consulte http://apache.org/xml/properties/xpointer-schema
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_sv.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_sv.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = Ett 'href'-attribut i ett 'include'-element saknas.
 RecursiveInclude = Rekursiv inkludering uppt\u00E4cktes. Dokumentet ''{0}'' har redan bearbetats.
 InvalidParseValue = Ogiltigt v\u00E4rde f\u00F6r ''parse''-attribut i ''include''-element: ''{0}''.
-XMLParseError = Fel vid f\u00F6rs\u00F6k att tolka XML-fil (href=''{0}'').
+XMLParseError = Fel vid f\u00F6rs\u00F6k att tolka XML-fil (href=''{0}''). Orsak: {1}
 XMLResourceError = Inkluderings\u00E5tg\u00E4rden utf\u00F6rdes inte, \u00E5terst\u00E4ller genom att \u00E5terskapa. Resursfel vid l\u00E4sning av fil som XML (href=''{0}''). Orsak: {1}
 TextResourceError = Inkluderings\u00E5tg\u00E4rden utf\u00F6rdes inte, \u00E5terst\u00E4ller genom att \u00E5terskapa. Resursfel vid l\u00E4sning av fil som text (href=''{0}''). Orsak: {1}
 NO_XPointerSchema = Schema f\u00F6r \"{0}\" st\u00F6ds inte som standard. Definiera ett eget schema f\u00F6r {0}.Se http://apache.org/xml/properties/xpointer-schema
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_zh_CN.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_zh_CN.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = \u7F3A\u5C11 'include' \u5143\u7D20\u7684 'href' \u5C5E\u6027\u3002
 RecursiveInclude = \u68C0\u6D4B\u5230\u9012\u5F52 include\u3002\u5DF2\u5904\u7406\u6587\u6863 ''{0}''\u3002
 InvalidParseValue = ''include'' \u5143\u7D20\u7684 ''parse'' \u5C5E\u6027\u7684\u503C\u65E0\u6548: ''{0}''\u3002
-XMLParseError = \u5C1D\u8BD5\u5BF9 XML \u6587\u4EF6 (href=''{0}'') \u8FDB\u884C\u8BED\u6CD5\u5206\u6790\u65F6\u51FA\u9519\u3002
+XMLParseError = \u5C1D\u8BD5\u5BF9 XML \u6587\u4EF6 (href=''{0}'') \u8FDB\u884C\u8BED\u6CD5\u5206\u6790\u65F6\u51FA\u9519\u3002\u539F\u56E0: {1}
 XMLResourceError = Include \u64CD\u4F5C\u5931\u8D25, \u5E76\u8FD8\u539F\u4E3A fallback\u3002\u4EE5 XML (href=''{0}'') \u683C\u5F0F\u8BFB\u53D6\u6587\u4EF6\u65F6\u51FA\u73B0\u8D44\u6E90\u9519\u8BEF\u3002\u539F\u56E0: {1}
 TextResourceError = Include \u64CD\u4F5C\u5931\u8D25, \u5E76\u8FD8\u539F\u4E3A fallback\u3002\u4EE5\u6587\u672C (href=''{0}'') \u683C\u5F0F\u8BFB\u53D6\u6587\u4EF6\u65F6\u51FA\u73B0\u8D44\u6E90\u9519\u8BEF\u3002\u539F\u56E0: {1}
 NO_XPointerSchema = \u9ED8\u8BA4\u60C5\u51B5\u4E0B, \u4E0D\u652F\u6301 \"{0}\" \u7684\u65B9\u6848\u3002\u8BF7\u4E3A{0}\u5B9A\u4E49\u60A8\u81EA\u5DF1\u7684\u65B9\u6848\u3002\u8BF7\u8BBF\u95EE http://apache.org/xml/properties/xpointer-schema
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_zh_TW.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages_zh_TW.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -39,7 +39,7 @@
 HrefMissing = \u907A\u6F0F 'include' \u5143\u7D20\u7684 'href' \u5C6C\u6027\u3002
 RecursiveInclude = \u5075\u6E2C\u5230\u905E\u8FF4\u5305\u542B\u3002\u5DF2\u7D93\u8655\u7406\u6587\u4EF6 ''{0}''\u3002
 InvalidParseValue = ''include'' \u5143\u7D20\u4E0A ''parse'' \u5C6C\u6027\u7684\u7121\u6548\u503C: ''{0}''\u3002
-XMLParseError = \u5617\u8A66\u5256\u6790 XML \u6A94\u6848\u6642\u767C\u751F\u932F\u8AA4 (href=''{0}'')\u3002
+XMLParseError = \u5617\u8A66\u5256\u6790 XML \u6A94\u6848\u6642\u767C\u751F\u932F\u8AA4 (href=''{0}'')\u3002\u539F\u56E0: {1}
 XMLResourceError = \u5305\u542B\u4F5C\u696D\u5931\u6557\uFF0C\u56DE\u5FA9\u81F3\u5F8C\u63F4\u3002\u4EE5 XML (href=''{0}'') \u65B9\u5F0F\u8B80\u53D6\u6A94\u6848\u6642\u767C\u751F\u8CC7\u6E90\u932F\u8AA4\u3002\u539F\u56E0: {1}
 TextResourceError = \u5305\u542B\u4F5C\u696D\u5931\u6557\uFF0C\u56DE\u5FA9\u81F3\u5F8C\u63F4\u3002\u4EE5\u6587\u5B57 (href=''{0}'') \u65B9\u5F0F\u8B80\u53D6\u6A94\u6848\u6642\u767C\u751F\u8CC7\u6E90\u932F\u8AA4\u3002\u539F\u56E0: {1}
 NO_XPointerSchema = \u9810\u8A2D\u4E0D\u652F\u63F4 \"{0}\" \u7684\u7DB1\u8981\u3002\u8ACB\u70BA {0} \u5B9A\u7FA9\u60A8\u81EA\u5DF1\u7684\u7DB1\u8981\u3002\u8ACB\u53C3\u95B1 http://apache.org/xml/properties/xpointer-schema
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,12 +20,11 @@
 
 package com.sun.org.apache.xerces.internal.impl.msg;
 
+import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Locale;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
-import java.util.PropertyResourceBundle;
-
-import com.sun.org.apache.xerces.internal.util.MessageFormatter;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +33,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter.java 3020 2011-02-28 23:51:33Z joehw $
+ * @version $Id: XMLMessageFormatter.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter implements MessageFormatter {
@@ -72,12 +71,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
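Review bot: Neither replaced call in this hunk has a comment explaining why the bundle is now loaded through `SecuritySupport.getResourceBundle` instead of `PropertyResourceBundle.getBundle`. If the helper performs the lookup in a privileged block (its body is not visible in this diff, so this is an assumption), the call is only safe because the base name is a hard-coded literal. That constraint should be written down, e.g. `// base name must stay a constant: looked up via SecuritySupport, never pass a caller-supplied name`. The same applies to the matching hunks in XMLMessageFormatter_de, _es, _fr, _it, _ja, _ko, _pt_BR, _sv, _zh_CN and _zh_TW. The enclosing method starts and ends outside the hunk.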
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_de.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_de.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
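Review bot: `import java.util.PropertyResourceBundle;` remains on the context line above the added SecuritySupport import, yet both `PropertyResourceBundle.getBundle` calls shown in this file's last hunk are replaced. The import therefore looks unused after this change, though other uses may exist outside the hunks. The base XMLMessageFormatter.java drops that import in the same commit, and removing it here would keep the files consistent. The same leftover import appears in the _es, _fr, _it, _ja, _ko, _pt_BR, _sv, _zh_CN and _zh_TW variants.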
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_de.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_de.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_de implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
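Review bot: The cache test `locale != fLocale` on the first context line compares references, so a caller passing an equal but distinct `Locale` instance triggers a fresh `SecuritySupport.getResourceBundle` lookup on every call. Comparing by value avoids that without changing the null-locale path: `if (fResourceBundle == null || (locale != null && !locale.equals(fLocale))) {`. The condition is identical in XMLMessageFormatter.java and in the other locale-specific formatters touched by this commit. The enclosing method starts and ends outside the hunk.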
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_es.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_es.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_es.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_es.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_es implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_fr.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_fr.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_fr.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_fr.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_fr implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_it.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_it.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_it.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_it.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_it implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_ja.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_ja.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_ja.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_ja.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_ja implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_ko.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_ko.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_ko.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_ko.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_ko implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_pt_BR.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_pt_BR.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_pt_BR.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_pt_BR.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_pt_BR implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_sv.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_sv.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_sv.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_sv.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_sv implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_zh_CN.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_zh_CN.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_zh_CN.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_zh_CN.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_zh_CN implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_zh_TW.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessageFormatter_zh_TW.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.PropertyResourceBundle;
 
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XMLMessageFormatter provides error messages for the XML 1.0 Recommendation and for
@@ -34,7 +35,7 @@
  * @xerces.internal
  *
  * @author Eric Ye, IBM
- * @version $Id: XMLMessageFormatter_zh_TW.java 3021 2011-03-01 00:12:28Z joehw $
+ * @version $Id: XMLMessageFormatter_zh_TW.java 3094 2012-03-21 05:50:01Z joehw $
  *
  */
 public class XMLMessageFormatter_zh_TW implements MessageFormatter {
@@ -72,12 +73,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -261,6 +261,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = The external entity reference \"&{0};\" is not permitted in an attribute value.
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = The entity \"{0}\" was referenced, but not declared.
         ReferenceToUnparsedEntity = The unparsed entity reference \"&{0};\" is not permitted.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_de.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_de.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = Externe Entit\u00E4tsreferenz \"&{0};\" ist in einem Attributwert nicht zul\u00E4ssig.
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = Entit\u00E4t \"{0}\" wurde referenziert aber nicht deklariert.
         ReferenceToUnparsedEntity = Nicht geparste Entit\u00E4tsreferenz \"&{0};\" ist nicht zul\u00E4ssig.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_es.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_es.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = La referencia de entidad externa \"&{0};\" no est\u00E1 permitida en un valor de atributo.
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = Se hizo referencia a la entidad \"{0}\", pero no se declar\u00F3.
         ReferenceToUnparsedEntity = La referencia de entidad no analizada \"&{0};\" no est\u00E1 permitida.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_fr.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_fr.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = La r\u00E9f\u00E9rence d''entit\u00E9 externe \"&{0};\" n''est pas autoris\u00E9e dans une valeur d''attribut.
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = L''entit\u00E9 \"{0}\" \u00E9tait r\u00E9f\u00E9renc\u00E9e, mais pas d\u00E9clar\u00E9e.
         ReferenceToUnparsedEntity = La r\u00E9f\u00E9rence d''entit\u00E9 non analys\u00E9e \"&{0};\" n''est pas autoris\u00E9e.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_it.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_it.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = Il riferimento di entit\u00E0 esterna \"&{0};\" non \u00E8 consentito in un valore di attributo.
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = L''entit\u00E0 \"{0}\" \u00E8 indicata da un riferimento, ma non \u00E8 dichiarata.
         ReferenceToUnparsedEntity = Il riferimento di entit\u00E0 non analizzata \"&{0};\" non \u00E8 consentito.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_ja.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_ja.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = \u5916\u90E8\u30A8\u30F3\u30C6\u30A3\u30C6\u30A3\u53C2\u7167\"&{0};\"\u306F\u3001\u5C5E\u6027\u5024\u3067\u306F\u8A31\u53EF\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = \u30A8\u30F3\u30C6\u30A3\u30C6\u30A3\"{0}\"\u304C\u53C2\u7167\u3055\u308C\u3066\u3044\u307E\u3059\u304C\u3001\u5BA3\u8A00\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002
         ReferenceToUnparsedEntity = \u672A\u89E3\u6790\u30A8\u30F3\u30C6\u30A3\u30C6\u30A3\u53C2\u7167\"&{0};\"\u306F\u8A31\u53EF\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_ko.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_ko.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = \uC18D\uC131\uAC12\uC5D0\uC11C\uB294 \uC678\uBD80 \uC5D4\uD2F0\uD2F0 \uCC38\uC870 \"&{0};\"\uC774 \uD5C8\uC6A9\uB418\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = \"{0}\" \uC5D4\uD2F0\uD2F0\uAC00 \uCC38\uC870\uB418\uC5C8\uC9C0\uB9CC \uC120\uC5B8\uB418\uC9C0 \uC54A\uC558\uC2B5\uB2C8\uB2E4.
         ReferenceToUnparsedEntity = \uAD6C\uBB38\uC774 \uBD84\uC11D\uB418\uC9C0 \uC54A\uC740 \uC5D4\uD2F0\uD2F0 \uCC38\uC870 \"&{0};\"\uC740(\uB294) \uD5C8\uC6A9\uB418\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_pt_BR.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_pt_BR.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = A refer\u00EAncia da entidade externa \"&{0};\" n\u00E3o \u00E9 permitida em um valor do atributo.
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = A entidade \"{0}\" foi referenciada, mas n\u00E3o declarada.
         ReferenceToUnparsedEntity = A refer\u00EAncia da entidade n\u00E3o submetida a parse \"&{0};\" n\u00E3o \u00E9 permitida.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_sv.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_sv.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = Den externa enhetsreferensen \"&{0};\" till\u00E5ts inte i ett attributv\u00E4rde.
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = Enheten \"{0}\" har refererats, men \u00E4r inte deklarerad.
         ReferenceToUnparsedEntity = Den otolkade enhetsreferensen \"&{0};\" \u00E4r inte till\u00E5ten.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_zh_CN.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_zh_CN.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = \u5C5E\u6027\u503C\u4E2D\u4E0D\u5141\u8BB8\u91C7\u7528\u5916\u90E8\u5B9E\u4F53\u5F15\u7528 \"&{0};\"\u3002
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = \u5F15\u7528\u4E86\u5B9E\u4F53 \"{0}\", \u4F46\u672A\u58F0\u660E\u5B83\u3002
         ReferenceToUnparsedEntity = \u4E0D\u5141\u8BB8\u4F7F\u7528\u672A\u8FDB\u884C\u8BED\u6CD5\u5206\u6790\u7684\u5B9E\u4F53\u5F15\u7528 \"&{0};\"\u3002
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_zh_TW.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages_zh_TW.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -289,6 +289,9 @@
 # Entity related messages
 # 3.1 Start-Tags, End-Tags, and Empty-Element Tags
         ReferenceToExternalEntity = \u5C6C\u6027\u503C\u4E0D\u5141\u8A31\u53C3\u7167\u5916\u90E8\u500B\u9AD4 \"&{0};\"\u3002
+        AccessExternalDTD = External DTD: Failed to read external DTD ''{0}'', because ''{1}'' access is not allowed.
+        AccessExternalEntity = External Entity: Failed to read external document ''{0}'', because ''{1}'' access is not allowed.
+
 # 4.1 Character and Entity References
         EntityNotDeclared = \u53C3\u7167\u4E86\u500B\u9AD4 \"{0}\"\uFF0C\u4F46\u662F\u672A\u5BA3\u544A\u3002
         ReferenceToUnparsedEntity = \u4E0D\u5141\u8A31\u672A\u5256\u6790\u7684\u500B\u9AD4\u53C3\u7167 \"&{0};\"\u3002
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -86,6 +86,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: Failed to read schema document ''{0}'', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
         src-annotation = src-annotation: <annotation> elements can only contain <appinfo> and <documentation> elements, but ''{0}'' was found.
         src-attribute.1 = src-attribute.1: The properties ''default'' and ''fixed'' cannot both be present in attribute declaration ''{0}''. Use only one of them.
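Review bot: The text of the new `schema_reference.access` entry begins with `schema_reference:`, while the neighbouring entries repeat their full key as the prefix (`schema_reference.4 = schema_reference.4: ...`). Someone searching logs for the key of this access-denied message will not find it. Suggest `schema_reference.access = schema_reference.access: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.` The localized XMLSchemaMessages_*.properties hunks add the same English line and would need the same prefix.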
@@ -289,6 +290,3 @@
         TargetNamespace.2 = TargetNamespace.2: Expecting no namespace, but the schema document has a target namespace of ''{1}''.
         UndeclaredEntity = UndeclaredEntity: Entity ''{0}'' is not declared.
         UndeclaredPrefix = UndeclaredPrefix: Cannot resolve ''{0}'' as a QName: the prefix ''{1}'' is not declared.
-null
-null
-null
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_de.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_de.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: Schemadokument "{0}" konnte nicht gelesen werden, da 1) das Dokument nicht gefunden werden konnte; 2) das Dokument nicht gelesen werden konnte; 3) das Root-Element des Dokuments nicht <xsd:schema> ist.
         src-annotation = src-annotation: <annotation>-Elemente k\u00F6nnen nur <appinfo>- und <documentation>-Elemente enthalten, aber es wurde "{0}" gefunden.
         src-attribute.1 = src-attribute.1: Die Eigenschaften "default" und "fixed" k\u00F6nnen nicht beide in der Attributdeklaration "{0}" vorhanden sein. Verwenden Sie nur eine dieser Eigenschaften.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_es.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_es.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: Fallo al leer el documento de esquema ''{0}'', porque 1) no se ha encontrado el documento; 2) no se ha podido leer el documento; 3) el elemento ra\u00EDz del documento no es <xsd:schema>.
         src-annotation = src-annotation: Los elementos de <annotation> s\u00F3lo pueden contener elementos de <appinfo> y <documentation>, pero se ha encontrado ''{0}''.
         src-attribute.1 = src-attribute.1: Las propiedades ''default'' y ''fixed'' no pueden estar presentes de forma simult\u00E1nea en la declaraci\u00F3n de atributo ''{0}''. Utilice s\u00F3lo una de ellas.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_fr.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_fr.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4 : Echec de la lecture du document de sch\u00E9ma ''{0}'' pour les raisons suivantes : 1) Le document est introuvable ; 2) Le document n''a pas pu \u00EAtre lu ; 3) L''\u00E9l\u00E9ment racine du document n''est pas <xsd:schema>.
         src-annotation = src-annotation : Les \u00E9l\u00E9ments <annotation> ne peuvent contenir que des \u00E9l\u00E9ments <appinfo> et <documentation>, mais ''{0}'' a \u00E9t\u00E9 trouv\u00E9.
         src-attribute.1 = src-attribute.1 : Les propri\u00E9t\u00E9s ''default'' et ''fixed'' ne peuvent pas figurer simultan\u00E9ment dans la d\u00E9claration d''attribut ''{0}''. Utilisez uniquement l''une d''entre elles.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_it.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_it.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: lettura del documento di schema "{0}" non riuscita perch\u00E9 1) non \u00E8 stato possibile trovare il documento; 2) non \u00E8 stato possibile leggere il documento; 3) l''elemento radice del documento non \u00E8 <xsd:schema>.
         src-annotation = src-annotation: possono essere contenuti soltanto elementi <appinfo> e <documentation>, ma \u00E8 stato trovato ''{0}''.
         src-attribute.1 = src-attribute.1: le propriet\u00E0 ''default'' e ''fixed'' non possono essere entrambi presenti nella dichiarazione di attributo ''{0}''. Utilizzarne solo una.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_ja.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_ja.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: 1)\u30C9\u30AD\u30E5\u30E1\u30F3\u30C8\u304C\u898B\u3064\u304B\u3089\u306A\u304B\u3063\u305F\u30012)\u30C9\u30AD\u30E5\u30E1\u30F3\u30C8\u3092\u8AAD\u307F\u53D6\u308C\u306A\u304B\u3063\u305F\u30013)\u30C9\u30AD\u30E5\u30E1\u30F3\u30C8\u306E\u30EB\u30FC\u30C8\u8981\u7D20\u304C<xsd:schema>\u3067\u306F\u306A\u304B\u3063\u305F\u305F\u3081\u3001\u30B9\u30AD\u30FC\u30DE\u30FB\u30C9\u30AD\u30E5\u30E1\u30F3\u30C8''{0}''\u306E\u8AAD\u53D6\u308A\u306B\u5931\u6557\u3057\u307E\u3057\u305F\u3002
         src-annotation = src-annotation: <annotation>\u8981\u7D20\u306B\u542B\u3081\u308B\u3053\u3068\u304C\u3067\u304D\u308B\u306E\u306F<appinfo>\u8981\u7D20\u304A\u3088\u3073<documentation>\u8981\u7D20\u306E\u307F\u3067\u3059\u304C\u3001''{0}''\u304C\u898B\u3064\u304B\u308A\u307E\u3057\u305F\u3002
         src-attribute.1 = src-attribute.1: ''default''\u3068''fixed''\u306E\u4E21\u65B9\u306E\u30D7\u30ED\u30D1\u30C6\u30A3\u3092\u5C5E\u6027\u5BA3\u8A00''{0}''\u306B\u542B\u3081\u308B\u3053\u3068\u306F\u3067\u304D\u307E\u305B\u3093\u3002\u3044\u305A\u308C\u304B\u4E00\u65B9\u306E\u307F\u3092\u4F7F\u7528\u3057\u3066\u304F\u3060\u3055\u3044\u3002
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_ko.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_ko.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: \uC2A4\uD0A4\uB9C8 \uBB38\uC11C ''{0}'' \uC77D\uAE30\uB97C \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4. \uC6D0\uC778: 1) \uBB38\uC11C\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4. 2) \uBB38\uC11C\uB97C \uC77D\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4. 3) \uBB38\uC11C\uC758 \uB8E8\uD2B8 \uC694\uC18C\uAC00 <xsd:schema>\uAC00 \uC544\uB2D9\uB2C8\uB2E4.
         src-annotation = src-annotation: <annotation> \uC694\uC18C\uC5D0\uB294 <appinfo> \uBC0F <documentation> \uC694\uC18C\uB9CC \uD3EC\uD568\uB420 \uC218 \uC788\uC9C0\uB9CC ''{0}''\uC774(\uAC00) \uBC1C\uACAC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
         src-attribute.1 = src-attribute.1: ''default'' \uBC0F ''fixed'' \uC18D\uC131\uC740 \uC18D\uC131 \uC120\uC5B8 ''{0}''\uC5D0 \uD568\uAED8 \uC874\uC7AC\uD560 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4. \uD558\uB098\uB9CC \uC0AC\uC6A9\uD558\uC2ED\uC2DC\uC624.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_pt_BR.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_pt_BR.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: Falha ao ler o documento do esquema ''{0}'' porque 1) n\u00E3o foi poss\u00EDvel encontrar o documento; 2) n\u00E3o foi poss\u00EDvel ler o documento; 3) o elemento-raiz do documento n\u00E3o \u00E9 <xsd:schema>.
         src-annotation = src-annotation: os elementos de <annotation> podem conter somente os elementos <appinfo> e <documentation>, mas foi encontrado ''{0}''.
         src-attribute.1 = src-attribute.1: As propriedades ''default'' e ''fixed'' n\u00E3o podem estar presentes na declara\u00E7\u00E3o do atributo ''{0}''. Use somente uma delas.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_sv.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_sv.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: L\u00E4sning av schemadokument ''{0}'' utf\u00F6rdes inte p\u00E5 grund av 1) det g\u00E5r inte att hitta dokumentet; 2) det g\u00E5r inte att l\u00E4sa dokumentet; 3) dokumentets rotelement \u00E4r inte <xsd:schema>.
         src-annotation = src-annotation: element f\u00F6r <anteckningar> f\u00E5r endast inneh\u00E5lla element f\u00F6r <appinfo> och <dokumentation>, men ''{0}'' hittades.
         src-attribute.1 = src-attribute.1: B\u00E5da egenskaperna ''default'' och ''fixed'' kan inte samtidigt ing\u00E5 i attributdeklarationen ''{0}''. Anv\u00E4nd en av dem.
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_zh_CN.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_zh_CN.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: \u65E0\u6CD5\u8BFB\u53D6\u65B9\u6848\u6587\u6863 ''{0}'', \u539F\u56E0\u4E3A 1) \u65E0\u6CD5\u627E\u5230\u6587\u6863; 2) \u65E0\u6CD5\u8BFB\u53D6\u6587\u6863; 3) \u6587\u6863\u7684\u6839\u5143\u7D20\u4E0D\u662F <xsd:schema>\u3002
         src-annotation = src-annotation: <annotation> \u5143\u7D20\u53EA\u80FD\u5305\u542B <appinfo> \u548C <documentation> \u5143\u7D20, \u4F46\u53D1\u73B0\u4E86 ''{0}''\u3002
         src-attribute.1 = src-attribute.1: \u5C5E\u6027\u58F0\u660E ''{0}'' \u4E2D\u4E0D\u80FD\u540C\u65F6\u5B58\u5728\u7279\u6027 ''default'' \u548C ''fixed''\u3002\u5E94\u53EA\u4F7F\u7528\u5176\u4E2D\u4E00\u4E2A\u3002
--- a/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_zh_TW.properties	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/msg/XMLSchemaMessages_zh_TW.properties	Mon Jun 03 15:27:00 2013 +0200
@@ -114,6 +114,7 @@
 
 #schema valid (3.X.3)
 
+        schema_reference.access = schema_reference: Failed to read schema document ''{0}'', because ''{1}'' access is not allowed.
         schema_reference.4 = schema_reference.4: \u7121\u6CD5\u8B80\u53D6\u7DB1\u8981\u6587\u4EF6 ''{0}''\uFF0C\u56E0\u70BA 1) \u627E\u4E0D\u5230\u6587\u4EF6; 2) \u7121\u6CD5\u8B80\u53D6\u6587\u4EF6; 3) \u6587\u4EF6\u7684\u6839\u5143\u7D20\u4E0D\u662F <xsd:schema>\u3002
         src-annotation = src-annotation: <annotation> \u5143\u7D20\u50C5\u80FD\u5305\u542B <appinfo> \u8207 <documentation> \u5143\u7D20\uFF0C\u4F46\u627E\u5230 ''{0}''\u3002
         src-attribute.1 = src-attribute.1: \u5C6C\u6027 ''default'' \u8207 ''fixed'' \u4E0D\u53EF\u540C\u6642\u51FA\u73FE\u5728\u5C6C\u6027\u5BA3\u544A ''{0}'' \u4E2D\u3002\u8ACB\u53EA\u4F7F\u7528\u5176\u4E2D\u4E00\u500B\u3002
--- a/src/com/sun/org/apache/xerces/internal/impl/xpath/regex/RegexParser.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xpath/regex/RegexParser.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,6 +20,7 @@
 
 package com.sun.org.apache.xerces.internal.impl.xpath.regex;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Locale;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
@@ -95,10 +96,10 @@
     public void setLocale(Locale locale) {
         try {
             if (locale != null) {
-                this.resources = ResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.xpath.regex.message", locale);
+                this.resources = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.xpath.regex.message", locale);
             }
             else {
-                this.resources = ResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.xpath.regex.message");
+                this.resources = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.xpath.regex.message");
             }
         }
         catch (MissingResourceException mre) {
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java	Mon Jun 03 15:27:00 2013 +0200
@@ -53,6 +53,7 @@
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -71,6 +72,7 @@
 import com.sun.org.apache.xerces.internal.xs.XSModel;
 import java.util.HashMap;
 import java.util.Map;
+import javax.xml.XMLConstants;
 import org.w3c.dom.DOMConfiguration;
 import org.w3c.dom.DOMError;
 import org.w3c.dom.DOMErrorHandler;
@@ -216,6 +218,12 @@
     protected static final String ENTITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_MANAGER_PROPERTY;
 
+    /** Property identifier: access to external dtd */
+    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema */
+    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     // recognized properties
     private static final String [] RECOGNIZED_PROPERTIES = {
         ENTITY_MANAGER,
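Review bot: The two new identifiers are declared `public` here and in XSDHandler (hunk `@@ -221,6 +223,12 @@`) but `private` in XMLSchemaValidator, while the property identifiers next to them (`ENTITY_MANAGER`, `LOCALE`, `SCHEMA_DV_FACTORY`) are `protected`. Unless a caller outside the hunks needs the wider visibility, matching the neighbours keeps the internal API surface small: `protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;` and likewise for `ACCESS_EXTERNAL_SCHEMA`. The Javadoc wording also varies between the three files (`Property identifier: access to external dtd` versus `property identifier: access external dtd.`) and could be made uniform.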
@@ -229,7 +237,9 @@
         JAXP_SCHEMA_SOURCE,
         SECURITY_MANAGER,
         LOCALE,
-        SCHEMA_DV_FACTORY
+        SCHEMA_DV_FACTORY,
+        ACCESS_EXTERNAL_DTD,
+        ACCESS_EXTERNAL_SCHEMA
     };
 
     // Data
@@ -260,6 +270,8 @@
     private final CMNodeFactory fNodeFactory = new CMNodeFactory(); //component mgr will be set later
     private CMBuilder fCMBuilder;
     private XSDDescription fXSDDescription = new XSDDescription();
+    private String faccessExternalDTD = Constants.EXTERNAL_ACCESS_DEFAULT;
+    private String faccessExternalSchema = Constants.EXTERNAL_ACCESS_DEFAULT;
 
     private Map fJAXPCache;
     private Locale fLocale = Locale.getDefault();
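Review bot: The new fields `faccessExternalDTD` and `faccessExternalSchema` break the `f` + UpperCamelCase convention of the fields around them (`fNodeFactory`, `fCMBuilder`, `fXSDDescription`) and of XSDHandler's `fAccessExternalSchema` in this same changeset. `fAccessExternalDTD` and `fAccessExternalSchema` would match. In the hunks shown, `faccessExternalDTD` is only assigned (in setProperty and reset) and never read, while `faccessExternalSchema` is the one passed to `SecuritySupport.checkAccess`. If the DTD restriction is enforced elsewhere, a comment on the field such as `// stored for propagation; enforced by <component>` would say so, and if it is not, the field is dead state.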
@@ -454,6 +466,12 @@
                 fErrorReporter.putMessageFormatter(XSMessageFormatter.SCHEMA_DOMAIN, new XSMessageFormatter());
             }
         }
+        else if (propertyId.equals(ACCESS_EXTERNAL_DTD)) {
+            faccessExternalDTD = (String) state;
+        }
+        else if (propertyId.equals(ACCESS_EXTERNAL_SCHEMA)) {
+            faccessExternalSchema = (String) state;
+        }
     } // setProperty(String, Object)
 
     /**
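Review bot: Both new branches cast the caller-supplied `state` straight to `String`, so a non-String value surfaces as a ClassCastException from inside setProperty. A `null` silently replaces the `Constants.EXTERNAL_ACCESS_DEFAULT` initial value of the field. How `SecuritySupport.checkAccess` treats a null protocol list is not visible here, so the restriction should not depend on it. Guard the assignment with a type check such as `if (!(state instanceof String)) { ... }` and reject the value explicitly rather than storing it. setProperty begins above this hunk.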
@@ -585,6 +603,15 @@
         if(!fJAXPProcessed) {
             processJAXPSchemaSource(locationPairs);
         }
+
+        if (desc.isExternal()) {
+            String accessError = SecuritySupport.checkAccess(desc.getExpandedSystemId(), faccessExternalSchema, Constants.ACCESS_EXTERNAL_ALL);
+            if (accessError != null) {
+                throw new XNIException(fErrorReporter.reportError(XSMessageFormatter.SCHEMA_DOMAIN,
+                        "schema_reference.access",
+                        new Object[] { SecuritySupport.sanitizePath(desc.getExpandedSystemId()), accessError }, XMLErrorReporter.SEVERITY_ERROR));
+            }
+        }
         SchemaGrammar grammar = fSchemaHandler.parseSchema(source, desc, locationPairs);
 
         return grammar;
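Review bot: The access check is made against `desc.getExpandedSystemId()`, but the document that is then read is `source`, handed to `fSchemaHandler.parseSchema(source, desc, locationPairs)`. Nothing in this hunk shows that the two always name the same location, so it is worth confirming that the identifier being checked is the one actually fetched, or checking the system id carried by `source` as well. A short comment above the block, such as `// enforce the accessExternalSchema restriction before any external schema document is read`, would make the ordering requirement explicit. The enclosing method starts outside the hunk.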
@@ -1038,6 +1065,9 @@
         // get generate-synthetic-annotations feature
         fSchemaHandler.setGenerateSyntheticAnnotations(componentManager.getFeature(GENERATE_SYNTHETIC_ANNOTATIONS, false));
         fSchemaHandler.reset(componentManager);
+
+        faccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD);
+        faccessExternalSchema = (String) componentManager.getProperty(ACCESS_EXTERNAL_SCHEMA);
     }
 
     private void initGrammarBucket(){
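Review bot: These two reads use the one-argument `componentManager.getProperty(...)`, so a component manager that does not supply the property replaces the `Constants.EXTERNAL_ACCESS_DEFAULT` initial values. Whether it does so with null or by throwing is not visible here. XSDHandler.reset in this changeset uses the two-argument form with an explicit default, and doing the same here keeps the two components consistent: `faccessExternalSchema = (String) componentManager.getProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);` and likewise for `ACCESS_EXTERNAL_DTD`. The method body starts above the hunk.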
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java	Mon Jun 03 15:27:00 2013 +0200
@@ -29,7 +29,7 @@
 import java.util.Stack;
 import java.util.Vector;
 import java.util.ArrayList;
-
+import javax.xml.XMLConstants;
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.RevalidationHandler;
 import com.sun.org.apache.xerces.internal.impl.XMLEntityManager;
@@ -233,6 +233,12 @@
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
+    /** property identifier: access external dtd. */
+    private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema */
+    private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     protected static final String USE_SERVICE_MECHANISM = Constants.ORACLE_FEATURE_SERVICE_MECHANISM;
 
     // recognized features and properties
@@ -291,11 +297,13 @@
             JAXP_SCHEMA_SOURCE,
             JAXP_SCHEMA_LANGUAGE,
             SCHEMA_DV_FACTORY,
+            ACCESS_EXTERNAL_DTD,
+            ACCESS_EXTERNAL_SCHEMA
             };
 
     /** Property defaults. */
     private static final Object[] PROPERTY_DEFAULTS =
-        { null, null, null, null, null, null, null, null, null, null, null};
+        { null, null, null, null, null, null, null, null, null, null, null, null, null};
 
     // this is the number of valuestores of each kind
     // we expect an element to have.  It's almost
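Review bot: The two new properties get `null` entries in `PROPERTY_DEFAULTS`, whereas XMLSchemaLoader and XSDHandler in this changeset fall back to `Constants.EXTERNAL_ACCESS_DEFAULT`. If a component manager consults this array, the effective external-access restriction could differ between components, so the intended default should be used or documented here. The array is also kept in step with `RECOGNIZED_PROPERTIES` by counting literals by hand, and the start of that array is outside the hunk, so the count of 13 cannot be checked from here. A comment such as `// one entry per RECOGNIZED_PROPERTIES element, in the same order` would help the next change.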
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/XSDDescription.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/XSDDescription.java	Mon Jun 03 15:27:00 2013 +0200
@@ -34,6 +34,7 @@
  * @author Neil Graham, IBM
  * @author Neeraj Bajaj, SUN Microsystems.
  *
+ * @version $Id: XSDDescription.java,v 1.6 2010-11-01 04:39:55 joehw Exp $
  */
 public class XSDDescription extends XMLResourceIdentifierImpl
                 implements XMLSchemaDescription {
@@ -181,6 +182,17 @@
     }
 
     /**
+     * @return true is the schema is external
+     */
+    public boolean isExternal() {
+        return fContextType == CONTEXT_INCLUDE ||
+               fContextType == CONTEXT_REDEFINE ||
+               fContextType == CONTEXT_IMPORT ||
+               fContextType == CONTEXT_ELEMENT ||
+               fContextType == CONTEXT_ATTRIBUTE ||
+               fContextType == CONTEXT_XSITYPE;
+    }
+    /**
      * Compares this grammar with the given grammar. Currently, we compare
      * the target namespaces.
      *
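Review bot: The Javadoc for `isExternal()` has a typo (`true is the schema`) and does not say which context types count as external. The blank line that separates members is also missing before the next `/**`. Suggest `@return true if the context type is include, redefine, import, element, attribute or xsi:type`, plus a blank line after the closing brace. XSDHandler's access check in this changeset tests only `CONTEXT_IMPORT`, `CONTEXT_INCLUDE` and `CONTEXT_REDEFINE`, so if the two sets differ on purpose that deserves a sentence here.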
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/XSMessageFormatter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/XSMessageFormatter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,11 +20,11 @@
 
 package com.sun.org.apache.xerces.internal.impl.xs;
 
+import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Locale;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
-import java.util.PropertyResourceBundle;
-import com.sun.org.apache.xerces.internal.util.MessageFormatter;
 
 
 /**
@@ -34,6 +34,7 @@
  * @xerces.internal
  *
  * @author Elena Litani, IBM
+ * @version $Id: XSMessageFormatter.java,v 1.6 2010-11-01 04:39:55 joehw Exp $
  */
 public class XSMessageFormatter implements MessageFormatter {
     /**
@@ -66,12 +67,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSchemaMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSchemaMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSchemaMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XMLSchemaMessages");
         }
 
         String msg = fResourceBundle.getString(key);
--- a/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Mon Jun 03 15:27:00 2013 +0200
@@ -77,6 +77,7 @@
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -105,6 +106,7 @@
 import com.sun.org.apache.xerces.internal.xs.XSTerm;
 import com.sun.org.apache.xerces.internal.xs.XSTypeDefinition;
 import com.sun.org.apache.xerces.internal.xs.datatypes.ObjectList;
+import javax.xml.XMLConstants;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -221,6 +223,12 @@
     protected static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
+    /** property identifier: access external dtd. */
+    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema */
+    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     protected static final boolean DEBUG_NODE_POOL = false;
 
     // Data
@@ -251,6 +259,8 @@
      */
     protected SecurityManager fSecureProcessing = null;
 
+    private String fAccessExternalSchema;
+
     // These tables correspond to the symbol spaces defined in the
     // spec.
     // They are keyed with a QName (that is, String("URI,localpart) and
@@ -2150,6 +2160,15 @@
                         fLastSchemaWasDuplicate = true;
                         return schemaElement;
                     }
+                    if (referType == XSDDescription.CONTEXT_IMPORT || referType == XSDDescription.CONTEXT_INCLUDE
+                            || referType == XSDDescription.CONTEXT_REDEFINE) {
+                        String accessError = SecuritySupport.checkAccess(schemaId, fAccessExternalSchema, Constants.ACCESS_EXTERNAL_ALL);
+                        if (accessError != null) {
+                            reportSchemaFatalError("schema_reference.access",
+                                    new Object[] { SecuritySupport.sanitizePath(schemaId), accessError },
+                                    referElement);
+                        }
+                    }
                 }
 
                 fSchemaParser.parse(schemaSource);
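Review bot: After `reportSchemaFatalError("schema_reference.access", ...)` control falls through to `fSchemaParser.parse(schemaSource)` unless that helper always throws, which cannot be seen from this hunk. If it can return, for example when the error reporter is configured to continue after fatal errors, the disallowed document is still read. Leaving the method right after the report removes that dependency, using the method's own failure return (only `return schemaElement;` is visible above, so the exact value needs checking). The check also sits inside an enclosing block whose condition is outside the hunk, so it only runs when that condition holds.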
@@ -3561,6 +3580,11 @@
         } catch (XMLConfigurationException e) {
         }
 
+        //For Schema validation, the secure feature is set to true by default
+        fSchemaParser.setProperty(ACCESS_EXTERNAL_DTD,
+                componentManager.getProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT));
+        fAccessExternalSchema = (String) componentManager.getProperty(
+                ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
     } // reset(XMLComponentManager)
 
 
--- a/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -37,7 +37,7 @@
 /**
  * @author Rajiv Mordani
  * @author Edwin Goei
- * @version $Id: DocumentBuilderFactoryImpl.java,v 1.6 2009/07/28 23:48:32 joehw Exp $
+ * @version $Id: DocumentBuilderFactoryImpl.java,v 1.8 2010-11-01 04:40:06 joehw Exp $
  */
 public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     /** These are DocumentBuilderFactory attributes not DOM attributes */
@@ -191,6 +191,9 @@
 
     public void setFeature(String name, boolean value)
         throws ParserConfigurationException {
+        if (features == null) {
+            features = new Hashtable();
+        }
         // If this is the secure processing feature, save it then return.
         if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
             if (System.getSecurityManager() != null && (!value)) {
@@ -199,11 +202,10 @@
                         "jaxp-secureprocessing-feature", null));
             }
             fSecureProcess = value;
+            features.put(name, value ? Boolean.TRUE : Boolean.FALSE);
             return;
         }
-        if (features == null) {
-            features = new Hashtable();
-        }
+
         features.put(name, value ? Boolean.TRUE : Boolean.FALSE);
         // Test the feature by possibly throwing SAX exceptions
         try {
--- a/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -27,6 +27,7 @@
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.validation.Schema;
+import javax.xml.XMLConstants;
 
 import com.sun.org.apache.xerces.internal.dom.DOMImplementationImpl;
 import com.sun.org.apache.xerces.internal.dom.DOMMessageFormatter;
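Review bot: `import javax.xml.XMLConstants;` is added here and again in the next hunk of this file, after the `XMLParserConfiguration` import, so the file ends up declaring the same single-type import twice. The compiler accepts that, but it is noise and tends to trigger lint warnings. Keep one of them, preferably this one, which sits with the other `javax.xml` imports.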
@@ -42,6 +43,7 @@
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
+import javax.xml.XMLConstants;
 import org.w3c.dom.DOMImplementation;
 import org.w3c.dom.Document;
 import org.xml.sax.EntityResolver;
@@ -95,6 +97,12 @@
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
+    /** property identifier: access external dtd. */
+    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema */
+    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     private final DOMParser domParser;
     private final Schema grammar;
 
@@ -155,6 +163,23 @@
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
             domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
+
+            /**
+             * By default, secure processing is set, no external access is allowed.
+             * However, we need to check if it is actively set on the factory since we
+             * allow the use of the System Property or jaxp.properties to override
+             * the default value
+             */
+            if (features != null) {
+                Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
+                if (temp != null) {
+                    boolean value = ((Boolean) temp).booleanValue();
+                    if (value) {
+                        domParser.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        domParser.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                    }
+                }
+            }
         }
 
         this.grammar = dbf.getSchema();
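Review bot: The comment added under `if (secureProcessing)` states that no external access is allowed by default, but the code below it restricts `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` only when the feature map holds an explicit `true` for secure processing; otherwise nothing is set here and the parser presumably keeps its configured default. The wording should match the code, e.g. `// Restrict external DTD/schema access only when FSP was set explicitly on the factory; an implicit default leaves the System Property / jaxp.properties value in effect.` It is also written as a Javadoc `/** */` block inside a method body, where a plain comment is the convention. The same comment and logic are repeated in the SAXParserImpl constructor hunk, so the rewording applies there too. The enclosing constructor starts and ends outside this hunk.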
@@ -211,6 +236,10 @@
                 String feature = (String) entry.getKey();
                 boolean value = ((Boolean) entry.getValue()).booleanValue();
                 domParser.setFeature(feature, value);
+                if (feature.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+                    domParser.setProperty(ACCESS_EXTERNAL_DTD, "");
+                    domParser.setProperty(ACCESS_EXTERNAL_SCHEMA, "");
+                }
             }
         }
     }
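Review bot: The added check sets both access properties to `""` whenever the secure-processing entry is encountered, whatever its value, so a factory on which the feature was explicitly set to `false` still ends up with external DTD and schema access denied. The matching hunk in SAXParserImpl tests `&& value`, and this one should agree with it: `if (feature.equals(XMLConstants.FEATURE_SECURE_PROCESSING) && value) {`. The XMLSchemaFactory.setFeature hunk has the same shape, applying `Constants.EXTERNAL_ACCESS_DEFAULT_FSP` right after `fSecurityManager = value ? new SecurityManager() : null;` without looking at `value`. Using `Constants.EXTERNAL_ACCESS_DEFAULT_FSP` here instead of the literal `""` would keep all three places in step, assuming the constant is meant to carry that value. The enclosing method starts outside the hunk.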
--- a/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserFactoryImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserFactoryImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -43,7 +43,7 @@
  * @author Rajiv Mordani
  * @author Edwin Goei
  *
- * @version $Id: SAXParserFactoryImpl.java,v 1.7 2009/07/28 23:48:32 joehw Exp $
+ * @version $Id: SAXParserFactoryImpl.java,v 1.9 2010-11-01 04:40:06 joehw Exp $
  */
 public class SAXParserFactoryImpl extends SAXParserFactory {
 
@@ -124,6 +124,7 @@
                         "jaxp-secureprocessing-feature", null));
             }
             fSecureProcess = value;
+            putInFeatures(name, value);
             return;
         }
 
--- a/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -92,6 +92,12 @@
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
+    /** property identifier: access external dtd. */
+    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema */
+    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     private final JAXPSAXParser xmlReader;
     private String schemaLanguage = null;     // null means DTD
     private final Schema grammar;
@@ -146,6 +152,22 @@
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
             xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
+            /**
+             * By default, secure processing is set, no external access is allowed.
+             * However, we need to check if it is actively set on the factory since we
+             * allow the use of the System Property or jaxp.properties to override
+             * the default value
+             */
+            if (features != null) {
+                Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
+                if (temp != null) {
+                    boolean value = ((Boolean) temp).booleanValue();
+                    if (value) {
+                        xmlReader.setProperty0(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        xmlReader.setProperty0(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                    }
+                }
+            }
         }
 
         // Set application's features, followed by validation features.
@@ -220,6 +242,10 @@
                 String feature = (String) entry.getKey();
                 boolean value = ((Boolean) entry.getValue()).booleanValue();
                 xmlReader.setFeature0(feature, value);
+                if (feature.equals(XMLConstants.FEATURE_SECURE_PROCESSING) && value) {
+                    xmlReader.setProperty0(ACCESS_EXTERNAL_DTD, "");
+                    xmlReader.setProperty0(ACCESS_EXTERNAL_SCHEMA, "");
+                }
             }
         }
     }
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/AbstractXMLSchema.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/AbstractXMLSchema.java	Mon Jun 03 15:27:00 2013 +0200
@@ -41,8 +41,15 @@
      */
     private final HashMap fFeatures;
 
+    /**
+     * Map containing the initial values of properties for
+     * validators created using this grammar pool container.
+     */
+    private final HashMap fProperties;
+
     public AbstractXMLSchema() {
         fFeatures = new HashMap();
+        fProperties = new HashMap();
     }
 
     /*
@@ -77,11 +84,26 @@
     }
 
     /*
-     * Other methods
+     * Set a feature on the schema
      */
-
-    final void setFeature(String featureId, boolean state) {
+    public final void setFeature(String featureId, boolean state) {
         fFeatures.put(featureId, state ? Boolean.TRUE : Boolean.FALSE);
     }
 
+    /**
+     * Returns the initial value of a property for validators created
+     * using this grammar pool container or null if the validators
+     * should use the default value.
+     */
+    public final Object getProperty(String propertyId) {
+        return fProperties.get(propertyId);
+    }
+
+    /*
+     * Set a property on the schema
+     */
+    public final void setProperty(String propertyId, Object state) {
+        fProperties.put(propertyId, state);
+    }
+
 } // AbstractXMLSchema
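Review bot: `setFeature` is widened to public and a public `setProperty` is added, both writing to plain `HashMap`s without synchronization, on a class whose instances appear to be handed to applications as `Schema` objects. `javax.xml.validation.Schema` is documented as thread safe and shareable, so a write made after the schema has been published would race with validators calling `getProperty`. If the setters are meant only for the factory while it builds the schema, the Javadoc should say so, e.g. `Must only be called by the SchemaFactory before the Schema is returned to the application.`, or they should stay off the XSGrammarPoolContainer interface and package-private as `setFeature` was. The two setter comments also use `/* */`, so unlike the `getProperty` one they will not appear in generated Javadoc.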
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/JAXPValidationMessageFormatter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/JAXPValidationMessageFormatter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,15 +20,16 @@
 
 package com.sun.org.apache.xerces.internal.jaxp.validation;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Locale;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
-import java.util.PropertyResourceBundle;
 
 /**
  * <p>Used to format JAXP Validation API error messages using a specified locale.</p>
  *
  * @author Michael Glavassevich, IBM
+ * @version $Id: JAXPValidationMessageFormatter.java,v 1.5 2010-11-01 04:40:08 joehw Exp $
  */
 final class JAXPValidationMessageFormatter {
 
@@ -54,11 +55,11 @@
         ResourceBundle resourceBundle = null;
         if (locale != null) {
             resourceBundle =
-                PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.JAXPValidationMessages", locale);
+                SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.JAXPValidationMessages", locale);
         }
         else {
             resourceBundle =
-                PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.JAXPValidationMessages");
+                SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.JAXPValidationMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Mon Jun 03 15:27:00 2013 +0200
@@ -32,6 +32,7 @@
 import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.XMLConstants;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
@@ -176,6 +177,8 @@
         }
         config.setProperty(SYMBOL_TABLE, fComponentManager.getProperty(SYMBOL_TABLE));
         config.setProperty(VALIDATION_MANAGER, fComponentManager.getProperty(VALIDATION_MANAGER));
+        config.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
+                fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
         config.setDocumentHandler(fSchemaValidator);
         config.setDTDHandler(null);
         config.setDTDContentModelHandler(null);
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -675,6 +675,8 @@
                     spf.setNamespaceAware(true);
                     try {
                         reader = spf.newSAXParser().getXMLReader();
+                           reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
+                                   fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
                         // If this is a Xerces SAX parser, set the security manager if there is one
                         if (reader instanceof com.sun.org.apache.xerces.internal.parsers.SAXParser) {
                            SecurityManager securityManager = (SecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
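Review bot: `reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ...)` is called here on whatever `XMLReader` the factory returned, before the `instanceof` test for the Xerces parser, and then a second time inside that test in the next hunk. A third-party reader that does not recognise the property would throw from the first call and fall into the `catch( Exception e )` commented as impossible, whose body is outside the hunk. Keeping only the call inside the `instanceof` branch removes the duplicate; if the property must also be attempted on foreign readers, give that call its own `try`/`catch (SAXException exc)` as the security-manager call has, and record in a comment that the restriction is then not enforced for such readers. The line added in this hunk is also indented three columns deeper than the statements around it.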
@@ -685,6 +687,8 @@
                                // Ignore the exception if the security manager cannot be set.
                                catch (SAXException exc) {}
                            }
+                           reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
+                                   fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
                         }
                     } catch( Exception e ) {
                         // this is impossible, but better safe than sorry
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -45,6 +45,7 @@
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -82,6 +83,12 @@
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
+    /** property identifier: access external dtd. */
+    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema  */
+    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     //
     // Data
     //
@@ -132,6 +139,14 @@
         // Enable secure processing feature by default
         fSecurityManager = new SecurityManager();
         fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
+
+        //by default, the secure feature is set to true, otherwise the default would have been 'file'
+        String accessExternal = SecuritySupport.getDefaultAccessProperty(
+                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
+        fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, accessExternal);
+        accessExternal = SecuritySupport.getDefaultAccessProperty(
+                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
+        fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal);
     }
 
     /**
@@ -274,6 +289,7 @@
         // Use a Schema that uses the system id as the equality source.
         AbstractXMLSchema schema = new WeakReferenceXMLSchema();
         propagateFeatures(schema);
+        propagateProperties(schema);
         return schema;
     }
 
@@ -350,6 +366,8 @@
             }
             fSecurityManager = value ? new SecurityManager() : null;
             fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
+            fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+            fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
             return;
         } else if (name.equals(Constants.ORACLE_FEATURE_SERVICE_MECHANISM)) {
             //in secure mode, let _useServicesMechanism be determined by the constructor
@@ -418,6 +436,15 @@
         }
     }
 
+    private void propagateProperties(AbstractXMLSchema schema) {
+        String[] properties = fXMLSchemaLoader.getRecognizedProperties();
+        for (int i = 0; i < properties.length; ++i) {
+            Object state = fXMLSchemaLoader.getProperty(properties[i]);
+            schema.setProperty(properties[i], state);
+        }
+    }
+
+
     /**
      * Extension of XMLGrammarPoolImpl which exposes the number of
      * grammars stored in the grammar pool.
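Review bot: `propagateProperties` copies every entry of `fXMLSchemaLoader.getRecognizedProperties()` onto the schema, although the only reader visible in this commit, XMLSchemaValidatorComponentManager, asks for `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` alone. Copying everything presumably also stores the loader's object-valued properties, such as the security manager set in the constructor, on a schema that can outlive the factory. Unless other consumers exist outside this diff, limit the copy to the two access properties: `schema.setProperty(ACCESS_EXTERNAL_DTD, fXMLSchemaLoader.getProperty(ACCESS_EXTERNAL_DTD));` and the same for `ACCESS_EXTERNAL_SCHEMA`. The method also lacks a comment; `/** Copies the loader's external-access properties to the schema so validators created from it inherit them. */` would cover it.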
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Mon Jun 03 15:27:00 2013 +0200
@@ -123,6 +123,12 @@
     private static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
+    /** property identifier: access external dtd. */
+    private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema  */
+    private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     //
     // Data
     //
@@ -243,6 +249,9 @@
         }
         fComponents.put(SECURITY_MANAGER, fInitSecurityManager);
 
+        //pass on properties set on SchemaFactory
+        setProperty(ACCESS_EXTERNAL_DTD, grammarContainer.getProperty(ACCESS_EXTERNAL_DTD));
+        setProperty(ACCESS_EXTERNAL_SCHEMA, grammarContainer.getProperty(ACCESS_EXTERNAL_SCHEMA));
     }
 
     /**
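Review bot: The two added `setProperty` calls forward `grammarContainer.getProperty(...)` unchecked, while the Javadoc this commit adds for `getProperty` says it returns null when validators should use the default value. A container on which the properties were never propagated would therefore pass null into `setProperty` rather than leaving the default in place; how `setProperty` handles null is outside the hunk. Guard each call, e.g. `Object dtd = grammarContainer.getProperty(ACCESS_EXTERNAL_DTD);` followed by `if (dtd != null) setProperty(ACCESS_EXTERNAL_DTD, dtd);`, and likewise for `ACCESS_EXTERNAL_SCHEMA`. The enclosing block begins outside this hunk.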
--- a/src/com/sun/org/apache/xerces/internal/jaxp/validation/XSGrammarPoolContainer.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/jaxp/validation/XSGrammarPoolContainer.java	Mon Jun 03 15:27:00 2013 +0200
@@ -55,4 +55,21 @@
      */
     public Boolean getFeature(String featureId);
 
+    /*
+     * Set a feature on the schema
+     */
+    public void setFeature(String featureId, boolean state);
+
+    /**
+     * Returns the initial value of a property for validators created
+     * using this grammar pool container or null if the validators
+     * should use the default value.
+     */
+    public Object getProperty(String propertyId);
+
+    /*
+     * Set a property on the schema
+     */
+    public void setProperty(String propertyId, Object state);
+
 }
--- a/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,10 +20,13 @@
 
 package com.sun.org.apache.xerces.internal.parsers;
 
+import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Locale;
+import java.util.Properties;
+import javax.xml.XMLConstants;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XML11DTDScannerImpl;
@@ -52,6 +55,7 @@
 import com.sun.org.apache.xerces.internal.util.PropertyState;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@@ -274,6 +278,12 @@
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
+    /** Property identifier: access to external dtd */
+    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** Property identifier: access to external schema */
+    protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
+
     // debugging
 
     /** Set to true and recompile to print exception stack trace. */
@@ -475,7 +485,8 @@
                 XMLSCHEMA_VALIDATION, XMLSCHEMA_FULL_CHECKING,
                                 EXTERNAL_GENERAL_ENTITIES,
                                 EXTERNAL_PARAMETER_ENTITIES,
-                                PARSER_SETTINGS
+                                PARSER_SETTINGS,
+                                XMLConstants.FEATURE_SECURE_PROCESSING
                         };
         addRecognizedFeatures(recognizedFeatures);
                 // set state for default features
@@ -488,30 +499,31 @@
                 fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE);
                 fFeatures.put(NORMALIZE_DATA, Boolean.TRUE);
                 fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE);
-        fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE);
-        fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE);
-        fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE);
-        fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE);
-        fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE);
-        fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE);
+                fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE);
+                fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE);
+                fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE);
+                fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE);
+                fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE);
+                fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE);
                 fFeatures.put(PARSER_SETTINGS, Boolean.TRUE);
+                fFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
 
         // add default recognized properties
         final String[] recognizedProperties =
             {
-                                SYMBOL_TABLE,
-                                ERROR_HANDLER,
-                                ENTITY_RESOLVER,
+                SYMBOL_TABLE,
+                ERROR_HANDLER,
+                ENTITY_RESOLVER,
                 ERROR_REPORTER,
                 ENTITY_MANAGER,
                 DOCUMENT_SCANNER,
                 DTD_SCANNER,
                 DTD_PROCESSOR,
                 DTD_VALIDATOR,
-                                DATATYPE_VALIDATOR_FACTORY,
-                                VALIDATION_MANAGER,
-                                SCHEMA_VALIDATOR,
-                                XML_STRING,
+                DATATYPE_VALIDATOR_FACTORY,
+                VALIDATION_MANAGER,
+                SCHEMA_VALIDATOR,
+                XML_STRING,
                 XMLGRAMMAR_POOL,
                 JAXP_SCHEMA_SOURCE,
                 JAXP_SCHEMA_LANGUAGE,
@@ -523,18 +535,20 @@
                 SCHEMA_NONS_LOCATION,
                 LOCALE,
                 SCHEMA_DV_FACTORY,
+                ACCESS_EXTERNAL_DTD,
+                ACCESS_EXTERNAL_SCHEMA
         };
         addRecognizedProperties(recognizedProperties);
 
-                if (symbolTable == null) {
-                        symbolTable = new SymbolTable();
-                }
-                fSymbolTable = symbolTable;
-                fProperties.put(SYMBOL_TABLE, fSymbolTable);
+        if (symbolTable == null) {
+                symbolTable = new SymbolTable();
+        }
+        fSymbolTable = symbolTable;
+        fProperties.put(SYMBOL_TABLE, fSymbolTable);
 
         fGrammarPool = grammarPool;
         if (fGrammarPool != null) {
-                        fProperties.put(XMLGRAMMAR_POOL, fGrammarPool);
+            fProperties.put(XMLGRAMMAR_POOL, fGrammarPool);
         }
 
         fEntityManager = new XMLEntityManager();
@@ -570,6 +584,15 @@
 
         fVersionDetector = new XMLVersionDetector();
 
+        //FEATURE_SECURE_PROCESSING is true, see the feature above
+        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
+                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
+        fProperties.put(ACCESS_EXTERNAL_DTD, accessExternal);
+
+        accessExternal =  SecuritySupport.getDefaultAccessProperty(
+                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
+        fProperties.put(ACCESS_EXTERNAL_SCHEMA, accessExternal);
+
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {
             XMLMessageFormatter xmft = new XMLMessageFormatter();
--- a/src/com/sun/org/apache/xerces/internal/util/DatatypeMessageFormatter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/util/DatatypeMessageFormatter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,15 +20,16 @@
 
 package com.sun.org.apache.xerces.internal.util;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Locale;
 import java.util.MissingResourceException;
-import java.util.PropertyResourceBundle;
 import java.util.ResourceBundle;
 
 /**
  * <p>Used to format JAXP 1.3 Datatype API error messages using a specified locale.</p>
  *
  * @author  Neeraj Bajaj, Sun Microsystems
+ * @version $Id: DatatypeMessageFormatter.java,v 1.6 2010-11-01 04:40:14 joehw Exp $
  */
 public class DatatypeMessageFormatter {
 
@@ -56,11 +57,11 @@
         ResourceBundle resourceBundle = null;
         if (locale != null) {
             resourceBundle =
-                PropertyResourceBundle.getBundle(BASE_NAME, locale);
+                SecuritySupport.getResourceBundle(BASE_NAME, locale);
         }
         else {
             resourceBundle =
-                PropertyResourceBundle.getBundle(BASE_NAME);
+                SecuritySupport.getResourceBundle(BASE_NAME);
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/util/SAXMessageFormatter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/util/SAXMessageFormatter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -19,16 +19,17 @@
  */
 package com.sun.org.apache.xerces.internal.util;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Locale;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
-import java.util.PropertyResourceBundle;
 
 /**
  * Used to format SAX error messages using a specified locale.
  *
  * @author Michael Glavassevich, IBM
  *
+ * @version $Id: SAXMessageFormatter.java,v 1.6 2010-11-01 04:40:14 joehw Exp $
  */
 public class SAXMessageFormatter {
 
@@ -54,11 +55,11 @@
         ResourceBundle resourceBundle = null;
         if (locale != null) {
             resourceBundle =
-                PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.SAXMessages", locale);
+                SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.SAXMessages", locale);
         }
         else {
             resourceBundle =
-                PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.SAXMessages");
+                SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.SAXMessages");
         }
 
         // format message
--- a/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java	Mon Jun 03 15:27:00 2013 +0200
@@ -61,6 +61,8 @@
 
 package com.sun.org.apache.xerces.internal.util;
 import com.sun.org.apache.xerces.internal.impl.Constants;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 /**
  * This class is a container for parser settings that relate to
  * security, or more specifically, it is intended to be used to prevent denial-of-service
@@ -77,6 +79,7 @@
  *
  * @author  Neil Graham, IBM
  *
+ * @version $Id: SecurityManager.java,v 1.5 2010-11-01 04:40:14 joehw Exp $
  */
 public final class SecurityManager {
 
@@ -176,41 +179,48 @@
 
         private void readSystemProperties(){
 
-                //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
-                try {
-                        String value = System.getProperty(Constants.ENTITY_EXPANSION_LIMIT);
-                        if(value != null && !value.equals("")){
-                                entityExpansionLimit = Integer.parseInt(value);
-                                if (entityExpansionLimit < 0)
-                                        entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-                        }
-                        else
-                                entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-                }catch(Exception ex){}
+            //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
+            try {
+                    String value = getSystemProperty(Constants.ENTITY_EXPANSION_LIMIT);
+                    if(value != null && !value.equals("")){
+                            entityExpansionLimit = Integer.parseInt(value);
+                            if (entityExpansionLimit < 0)
+                                    entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
+                    }
+                    else
+                            entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
+            }catch(Exception ex){}
 
-                try {
-                        String value = System.getProperty(Constants.MAX_OCCUR_LIMIT);
-                        if(value != null && !value.equals("")){
-                                maxOccurLimit = Integer.parseInt(value);
-                                if (maxOccurLimit < 0)
-                                        maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
-                        }
-                        else
-                                maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
-                }catch(Exception ex){}
+            try {
+                    String value = getSystemProperty(Constants.MAX_OCCUR_LIMIT);
+                    if(value != null && !value.equals("")){
+                            maxOccurLimit = Integer.parseInt(value);
+                            if (maxOccurLimit < 0)
+                                    maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
+                    }
+                    else
+                            maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
+            }catch(Exception ex){}
 
-                try {
-                        String value = System.getProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
-                        if(value != null && !value.equals("")){
-                                fElementAttributeLimit = Integer.parseInt(value);
-                                if ( fElementAttributeLimit < 0)
-                                        fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
-                        }
-                        else
-                                fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
+            try {
+                    String value = getSystemProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
+                    if(value != null && !value.equals("")){
+                            fElementAttributeLimit = Integer.parseInt(value);
+                            if ( fElementAttributeLimit < 0)
+                                    fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
+                    }
+                    else
+                            fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
 
                 }catch(Exception ex){}
 
         }
 
+    private String getSystemProperty(final String propName) {
+        return AccessController.doPrivileged(new PrivilegedAction<String>() {
+            public String run() {
+                return System.getProperty(propName);
+            }
+        });
+    }
 } // class SecurityManager
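Review bot: Each of the three blocks in `readSystemProperties` still ends in an empty `catch(Exception ex){}`, so a non-numeric value for a limit property is dropped silently and the field keeps whatever it held before the call. With the read now inside `doPrivileged`, the catch presumably no longer has to cover a `SecurityException`, so it can be narrowed and made explicit, e.g. `} catch (NumberFormatException ex) { entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT; }`, and the same for the other two limits. The `//TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT` line is stale, since the third block reads that property, and the third block's closing `}catch` was left at the old indentation. `getSystemProperty` uses no instance state and could be `private static`, with a comment that it is only to be called with fixed property names.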
--- a/src/com/sun/org/apache/xerces/internal/utils/ObjectFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/utils/ObjectFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -48,6 +48,7 @@
     //
     // Constants
     //
+    private static final String DEFAULT_INTERNAL_CLASSES = "com.sun.org.apache.";
 
     // name of default properties file to look for in JDK's jre/lib directory
     private static final String DEFAULT_PROPERTIES_FILENAME = "xerces.properties";
@@ -305,10 +306,14 @@
         //restrict the access to package as speicified in java.security policy
         SecurityManager security = System.getSecurityManager();
         if (security != null) {
-            final int lastDot = className.lastIndexOf(".");
-            String packageName = className;
-            if (lastDot != -1) packageName = className.substring(0, lastDot);
-            security.checkPackageAccess(packageName);
+            if (className.startsWith(DEFAULT_INTERNAL_CLASSES)) {
+                cl = null;
+            } else {
+                final int lastDot = className.lastIndexOf(".");
+                String packageName = className;
+                if (lastDot != -1) packageName = className.substring(0, lastDot);
+                security.checkPackageAccess(packageName);
+            }
         }
         Class providerClass;
         if (cl == null) {
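Review bot: The new `className.startsWith(DEFAULT_INTERNAL_CLASSES)` branch skips `security.checkPackageAccess` for every name under `com.sun.org.apache.`, and nothing in the code says why that is safe. The safety appears to rest on `cl = null` forcing the `if (cl == null)` path that follows, so the class is resolved by the default loader and never by the caller-supplied one; that path continues outside the hunk, so this is inferred. I would add a comment on the branch such as `// internal implementation class: drop the supplied loader so it is resolved only by the default loader, which is why the package access check is skipped`. That way a later edit cannot remove the `cl = null` assignment and leave the check bypassed.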
--- a/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,12 +23,18 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.io.InputStream;
-
+import java.net.URL;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Locale;
+import java.util.MissingResourceException;
+import java.util.Properties;
+import java.util.PropertyResourceBundle;
+import java.util.ResourceBundle;
 
 /**
  * This class is duplicated for each subpackage so keep it in sync.
@@ -141,6 +147,38 @@
         });
     }
 
+    /**
+     * Gets a resource bundle using the specified base name, the default locale, and the caller's class loader.
+     * @param bundle the base name of the resource bundle, a fully qualified class name
+     * @return a resource bundle for the given base name and the default locale
+     */
+    public static ResourceBundle getResourceBundle(String bundle) {
+        return getResourceBundle(bundle, Locale.getDefault());
+    }
+
+    /**
+     * Gets a resource bundle using the specified base name and locale, and the caller's class loader.
+     * @param bundle the base name of the resource bundle, a fully qualified class name
+     * @param locale the locale for which a resource bundle is desired
+     * @return a resource bundle for the given base name and locale
+     */
+    public static ResourceBundle getResourceBundle(final String bundle, final Locale locale) {
+        return AccessController.doPrivileged(new PrivilegedAction<ResourceBundle>() {
+            public ResourceBundle run() {
+                try {
+                    return PropertyResourceBundle.getBundle(bundle, locale);
+                } catch (MissingResourceException e) {
+                    try {
+                        return PropertyResourceBundle.getBundle(bundle, new Locale("en", "US"));
+                    } catch (MissingResourceException e2) {
+                        throw new MissingResourceException(
+                                "Could not load any resource bundle by " + bundle, bundle, "");
+                    }
+                }
+            }
+        });
+    }
+
     static boolean getFileExists(final File f) {
         return ((Boolean)
                 AccessController.doPrivileged(new PrivilegedAction() {
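Review bot: The Javadoc on both `getResourceBundle` overloads says the bundle is resolved with "the caller's class loader", but the lookup runs inside the anonymous `PrivilegedAction`. The class that `PropertyResourceBundle.getBundle` sees as its caller is therefore this helper, not the code that called `getResourceBundle`. Because the methods are `public` and run under `doPrivileged` on a caller-supplied base name, I would reword the summary to `Gets a resource bundle for the given base name and locale, resolved with the class loader and privileges of this class; callers must pass only fixed, internal bundle names.` The fallback also discards `e2`; calling `initCause(e2)` on the new `MissingResourceException` would keep the original failure visible.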
@@ -159,5 +197,141 @@
                 })).longValue();
     }
 
+    /**
+     * Strip off path from an URI
+     *
+     * @param uri an URI with full path
+     * @return the file name only
+     */
+    public static String sanitizePath(String uri) {
+        if (uri == null) {
+            return "";
+        }
+        int i = uri.lastIndexOf("/");
+        if (i > 0) {
+            return uri.substring(i+1, uri.length());
+        }
+        return "";
+    }
+
+    /**
+     * Check the protocol used in the systemId against allowed protocols
+     *
+     * @param systemId the Id of the URI
+     * @param allowedProtocols a list of allowed protocols separated by comma
+     * @param accessAny keyword to indicate allowing any protocol
+     * @return the name of the protocol if rejected, null otherwise
+     */
+    public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException {
+        if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) {
+            return null;
+        }
+
+        String protocol;
+        if (systemId.indexOf(":")==-1) {
+            protocol = "file";
+        } else {
+            URL url = new URL(systemId);
+            protocol = url.getProtocol();
+            if (protocol.equalsIgnoreCase("jar")) {
+                String path = url.getPath();
+                protocol = path.substring(0, path.indexOf(":"));
+            }
+        }
+
+        if (isProtocolAllowed(protocol, allowedProtocols)) {
+            //access allowed
+            return null;
+        } else {
+            return protocol;
+        }
+    }
+
+    /**
+     * Check if the protocol is in the allowed list of protocols. The check
+     * is case-insensitive while ignoring whitespaces.
+     *
+     * @param protocol a protocol
+     * @param allowedProtocols a list of allowed protocols
+     * @return true if the protocol is in the list
+     */
+    private static boolean isProtocolAllowed(String protocol, String allowedProtocols) {
+         String temp[] = allowedProtocols.split(",");
+         for (String t : temp) {
+             t = t.trim();
+             if (t.equalsIgnoreCase(protocol)) {
+                 return true;
+             }
+         }
+         return false;
+     }
+
+    /**
+     * Read from $java.home/lib/jaxp.properties for the specified property
+     *
+     * @param propertyId the Id of the property
+     * @return the value of the property
+     */
+    public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) {
+        String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId);
+        if (accessExternal == null) {
+            accessExternal = readJAXPProperty(sysPropertyId);
+            if (accessExternal == null) {
+                accessExternal = defaultVal;
+            }
+        }
+        return accessExternal;
+    }
+
+     /**
+     * Read from $java.home/lib/jaxp.properties for the specified property
+     * The program
+     *
+     * @param propertyId the Id of the property
+     * @return the value of the property
+     */
+    static String readJAXPProperty(String propertyId) {
+        String value = null;
+        InputStream is = null;
+        try {
+            if (firstTime) {
+                synchronized (cacheProps) {
+                    if (firstTime) {
+                        String configFile = getSystemProperty("java.home") + File.separator +
+                            "lib" + File.separator + "jaxp.properties";
+                        File f = new File(configFile);
+                        if (getFileExists(f)) {
+                            is = getFileInputStream(f);
+                            cacheProps.load(is);
+                        }
+                        firstTime = false;
+                    }
+                }
+            }
+            value = cacheProps.getProperty(propertyId);
+
+        }
+        catch (Exception ex) {}
+        finally {
+            if (is != null) {
+                try {
+                    is.close();
+                } catch (IOException ex) {}
+            }
+        }
+
+        return value;
+    }
+
+   /**
+     * Cache for properties in java.home/lib/jaxp.properties
+     */
+    static final Properties cacheProps = new Properties();
+
+    /**
+     * Flag indicating if the program has tried reading java.home/lib/jaxp.properties
+     */
+    static volatile boolean firstTime = true;
+
     private SecuritySupport () {}
 }
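Review bot: `checkAccess` classifies any `systemId` without a `:` as `file`, so a relative identifier is judged before it is resolved against its base URI; if a caller passes an unexpanded id whose base is remote, the protocol checked here is not the one that would be fetched. The Javadoc should state that precondition, for example `@param systemId the fully expanded (absolute) system identifier; an id without a scheme is treated as file`. `allowedProtocols` is also dereferenced on the first line without a null check, while a null `systemId` is accepted, so a null list ends in a `NullPointerException` rather than a decision. A guard such as `if (allowedProtocols == null) allowedProtocols = "";` would make that case deny every protocol, which seems the safer reading, but the intended policy is not visible here.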
--- a/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Mon Jun 03 15:27:00 2013 +0200
@@ -26,6 +26,7 @@
 import java.util.Locale;
 import java.util.Stack;
 import java.util.StringTokenizer;
+import javax.xml.XMLConstants;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLEntityManager;
@@ -229,6 +230,14 @@
     protected static final String PARSER_SETTINGS =
         Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
 
+    /** property identifier: access external dtd. */
+    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+
+    /** access external dtd: file protocol
+     *  For DOM/SAX, the secure feature is set to true by default
+     */
+    final static String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
+
     /** Recognized features. */
     private static final String[] RECOGNIZED_FEATURES =
         { ALLOW_UE_AND_NOTATION_EVENTS, XINCLUDE_FIXUP_BASE_URIS, XINCLUDE_FIXUP_LANGUAGE };
@@ -283,6 +292,12 @@
     protected XMLErrorReporter fErrorReporter;
     protected XMLEntityResolver fEntityResolver;
     protected SecurityManager fSecurityManager;
+    /**
+     * comma-delimited list of protocols that are allowed for the purpose
+     * of accessing external dtd or entity references
+     */
+    protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
+
 
     // these are needed for text include processing
     protected XIncludeTextReader fXInclude10TextReader;
@@ -523,6 +538,8 @@
             fSecurityManager = null;
         }
 
+        fAccessExternalDTD = (String)componentManager.getProperty(ACCESS_EXTERNAL_DTD);
+
         // Get buffer size.
         try {
             Integer value =
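Review bot: The added `fAccessExternalDTD = (String)componentManager.getProperty(ACCESS_EXTERNAL_DTD);` overwrites the `EXTERNAL_ACCESS_DEFAULT` the field is initialised with, so a component manager that has no value for the property leaves the restriction list null. The same unguarded assignment appears in the `setProperty` hunk (`fAccessExternalDTD = (String)value;`), and the field is then copied into the child configuration. I would keep the default when nothing is supplied: `String v = (String)componentManager.getProperty(ACCESS_EXTERNAL_DTD);` followed by `fAccessExternalDTD = (v != null) ? v : EXTERNAL_ACCESS_DEFAULT;`. Whether `getProperty` can return null or throw for this id is not visible here, though the neighbouring buffer-size lookup is wrapped in `try`, which suggests it can. The enclosing method starts and ends outside the hunk.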
@@ -664,6 +681,14 @@
             }
             return;
         }
+        if (propertyId.equals(ACCESS_EXTERNAL_DTD)) {
+            fAccessExternalDTD = (String)value;
+            if (fChildConfig != null) {
+                fChildConfig.setProperty(propertyId, value);
+            }
+            return;
+        }
+
         if (propertyId.equals(BUFFER_SIZE)) {
             Integer bufferSize = (Integer) value;
             if (fChildConfig != null) {
@@ -1578,6 +1603,7 @@
                 if (fErrorReporter != null) fChildConfig.setProperty(ERROR_REPORTER, fErrorReporter);
                 if (fEntityResolver != null) fChildConfig.setProperty(ENTITY_RESOLVER, fEntityResolver);
                 fChildConfig.setProperty(SECURITY_MANAGER, fSecurityManager);
+                fChildConfig.setProperty(ACCESS_EXTERNAL_DTD, fAccessExternalDTD);
                 fChildConfig.setProperty(BUFFER_SIZE, new Integer(fBufferSize));
 
                 // features must be copied to child configuration
@@ -1691,7 +1717,7 @@
                 if (fErrorReporter != null) {
                     fErrorReporter.setDocumentLocator(fDocLocation);
                 }
-                reportFatalError("XMLParseError", new Object[] { href });
+                reportFatalError("XMLParseError", new Object[] { href, e.getMessage() });
             }
             catch (IOException e) {
                 // necessary to make sure proper location is reported in errors
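Review bot: `e.getMessage()` is passed straight into the reported error, so whatever text the underlying exception carries ends up in the message; it may be null, and it may include a full path or URL. I would normalise it first, e.g. `String reason = e.getMessage();` then `reportFatalError("XMLParseError", new Object[] { href, reason != null ? reason : "" });`. Also confirm that the `XMLParseError` entry in the message bundle has a second placeholder, since the bundle change is not part of this hunk and the extra argument is otherwise dropped. The catch clause this line sits in starts outside the hunk.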
--- a/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeMessageFormatter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeMessageFormatter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -20,11 +20,11 @@
 
 package com.sun.org.apache.xerces.internal.xinclude;
 
+import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Locale;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
-import java.util.PropertyResourceBundle;
-import com.sun.org.apache.xerces.internal.util.MessageFormatter;
 
 // TODO: fix error messages in XIncludeMessages.properties
 /**
@@ -32,6 +32,7 @@
  *
  * @author Peter McCracken, IBM
  *
+ * @version $Id: XIncludeMessageFormatter.java,v 1.7 2010-11-01 04:40:18 joehw Exp $
  */
 public class XIncludeMessageFormatter implements MessageFormatter {
 
@@ -61,12 +62,12 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XIncludeMessages", locale);
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XIncludeMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle.getBundle("com.sun.org.apache.xerces.internal.impl.msg.XIncludeMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle("com.sun.org.apache.xerces.internal.impl.msg.XIncludeMessages");
         }
 
         String msg = fResourceBundle.getString(key);
--- a/src/com/sun/org/apache/xerces/internal/xpointer/XPointerMessageFormatter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xerces/internal/xpointer/XPointerMessageFormatter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,6 +24,7 @@
 import java.util.ResourceBundle;
 import java.util.PropertyResourceBundle;
 import com.sun.org.apache.xerces.internal.util.MessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * XPointerMessageFormatter provides error messages for the XPointer Framework
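Review bot: `import java.util.PropertyResourceBundle;` stays as a context line here, although the last hunk of this file replaces both visible `PropertyResourceBundle.getBundle` calls with `SecuritySupport.getResourceBundle`. If no other use remains in the file, which cannot be seen from these hunks, the import is dead and should be removed, as the matching change to `XIncludeMessageFormatter.java` does. Keeping the two formatters' import lists the same also makes it easier to see that neither still loads bundles outside the privileged helper.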
@@ -31,6 +32,7 @@
  *
  * @xerces.internal
  *
+ * @version $Id: XPointerMessageFormatter.java,v 1.5 2010-11-01 04:40:26 joehw Exp $
  */
 class XPointerMessageFormatter implements MessageFormatter {
 
@@ -64,14 +66,14 @@
 
         if (fResourceBundle == null || locale != fLocale) {
             if (locale != null) {
-                fResourceBundle = PropertyResourceBundle.getBundle(
+                fResourceBundle = SecuritySupport.getResourceBundle(
                         "com.sun.org.apache.xerces.internal.impl.msg.XPointerMessages", locale);
                 // memorize the most-recent locale
                 fLocale = locale;
             }
             if (fResourceBundle == null)
-                fResourceBundle = PropertyResourceBundle
-                        .getBundle("com.sun.org.apache.xerces.internal.impl.msg.XPointerMessages");
+                fResourceBundle = SecuritySupport.getResourceBundle(
+                        "com.sun.org.apache.xerces.internal.impl.msg.XPointerMessages");
         }
 
         String msg = fResourceBundle.getString(key);
--- a/src/com/sun/org/apache/xml/internal/dtm/DTMManager.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/dtm/DTMManager.java	Mon Jun 03 15:27:00 2013 +0200
@@ -27,6 +27,7 @@
 import com.sun.org.apache.xml.internal.utils.PrefixResolver;
 import com.sun.org.apache.xml.internal.utils.XMLStringFactory;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 
 /**
  * A DTMManager instance can be used to create DTM and
@@ -383,7 +384,7 @@
   {
     try
     {
-      debug = System.getProperty("dtm.debug") != null;
+      debug = SecuritySupport.getSystemProperty("dtm.debug") != null;
     }
     catch (SecurityException ex){}
   }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_ca.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_ca.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -443,67 +440,4 @@
     return _contents;
   }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("ca", "ES"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_cs.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_cs.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -443,67 +440,4 @@
     return _contents;
   }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("cs", "CZ"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_de.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_de.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return _contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_es.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_es.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return _contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_fr.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_fr.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return _contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_it.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_it.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return _contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_ja.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_ja.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return _contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_ko.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_ko.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return _contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_pt_BR.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_pt_BR.java	Mon Jun 03 15:27:00 2013 +0200
@@ -25,9 +25,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -463,67 +460,4 @@
         return msgCopy;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_sk.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_sk.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -443,67 +440,4 @@
     return _contents;
   }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_sv.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_sv.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -452,68 +449,4 @@
     protected Object[][] getContents() {
         return _contents;
     }
-
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_tr.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_tr.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -443,67 +440,4 @@
     return _contents;
   }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("tr", "TR"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_zh_CN.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_zh_CN.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return _contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_zh_TW.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLErrorResources_zh_TW.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -453,67 +450,4 @@
         return _contents;
     }
 
-  /**
-   *   Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   *   of ResourceBundle.getBundle().
-   *
-   *   @param className the name of the class that implements the resource bundle.
-   *   @return the ResourceBundle
-   *   @throws MissingResourceException
-   */
-  public static final XMLErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XMLErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XMLErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xml/internal/res/XMLMessages.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/res/XMLMessages.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,10 +22,9 @@
  */
 package com.sun.org.apache.xml.internal.res;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.util.ListResourceBundle;
 import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * A utility class for issuing XML error messages.
@@ -82,8 +81,9 @@
    */
   public static final String createXMLMessage(String msgKey, Object args[])
   {
-    if (XMLBundle == null)
-      XMLBundle = loadResourceBundle(XML_ERROR_RESOURCES);
+    if (XMLBundle == null) {
+        XMLBundle = SecuritySupport.getResourceBundle(XML_ERROR_RESOURCES);
+    }
 
     if (XMLBundle != null)
     {
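Review bot: The failure contract of `createXMLMessage` is no longer visible at the call site, because the removed `loadResourceBundle` retried with `new Locale("en", "US")` and threw `MissingResourceException`, while the replacement `SecuritySupport.getResourceBundle(XML_ERROR_RESOURCES)` is defined outside this diff. The `if (XMLBundle != null)` check that follows suggests a null return is expected, but nothing here says whether the en_US fallback still happens. A short comment above the call would settle it, for example `// returns null when no bundle can be loaded; locale fallback is handled inside SecuritySupport`, once confirmed against the helper. The same applies to the `createMessage` hunk in serializer/utils/Messages.java. The method body continues past the end of this hunk.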
@@ -156,61 +156,4 @@
     return fmsg;
   }
 
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className The class name of the resource bundle.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static ListResourceBundle loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-    Locale locale = Locale.getDefault();
-
-    try
-    {
-      return (ListResourceBundle)ResourceBundle.getBundle(className, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (ListResourceBundle)ResourceBundle.getBundle(
-          className, new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles." + className, className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which can be appended to a resource name
-   */
-  protected static String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
 }
--- a/src/com/sun/org/apache/xml/internal/resolver/Catalog.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/resolver/Catalog.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,6 +24,7 @@
 package com.sun.org.apache.xml.internal.resolver;
 
 import com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.io.IOException;
 import java.io.FileNotFoundException;
 import java.io.InputStream;
@@ -821,7 +822,7 @@
       // tack on a basename because URLs point to files not dirs
       catalogCwd = FileURL.makeURL("basename");
     } catch (MalformedURLException e) {
-      String userdir = System.getProperty("user.dir");
+      String userdir = SecuritySupport.getSystemProperty("user.dir");
       userdir.replace('\\', '/');
       catalogManager.debug.message(1, "Malformed URL on cwd", userdir);
       catalogCwd = null;
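Review bot: The `userdir.replace('\\', '/');` statement right after the changed read discards its result, since `String.replace` returns a new string, so the debug message still receives the unnormalised path. Because this commit already touches the adjacent line, it would be cheap to change it to `userdir = userdir.replace('\\', '/');`. If `SecuritySupport.getSystemProperty` can return null (its body is not part of this diff), that call would also throw inside the catch block, so a null check before it is worth considering. The enclosing method starts and ends outside the hunk.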
@@ -1717,7 +1718,7 @@
   protected String resolveLocalSystem(String systemId)
     throws MalformedURLException, IOException {
 
-    String osname = System.getProperty("os.name");
+    String osname = SecuritySupport.getSystemProperty("os.name");
     boolean windows = (osname.indexOf("Windows") >= 0);
     Enumeration en = catalogEntries.elements();
     while (en.hasMoreElements()) {
--- a/src/com/sun/org/apache/xml/internal/resolver/CatalogManager.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/resolver/CatalogManager.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xml.internal.resolver;
 
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.io.InputStream;
 
 import java.net.URL;
@@ -142,8 +143,8 @@
 
   /** Flag to ignore missing property files and/or properties */
   private boolean ignoreMissingProperties
-    = (System.getProperty(pIgnoreMissing) != null
-       || System.getProperty(pFiles) != null);
+    = (SecuritySupport.getSystemProperty(pIgnoreMissing) != null
+       || SecuritySupport.getSystemProperty(pFiles) != null);
 
   /** Holds the resources after they are loaded from the file. */
   private ResourceBundle resources;
@@ -338,7 +339,7 @@
   private int queryVerbosity () {
     String defaultVerbStr = Integer.toString(defaultVerbosity);
 
-    String verbStr = System.getProperty(pVerbosity);
+    String verbStr = SecuritySupport.getSystemProperty(pVerbosity);
 
     if (verbStr == null) {
       if (resources==null) readProperties();
@@ -473,7 +474,7 @@
    * @return A semicolon delimited list of catlog file URIs
    */
   private String queryCatalogFiles () {
-    String catalogList = System.getProperty(pFiles);
+    String catalogList = SecuritySupport.getSystemProperty(pFiles);
     fromPropertiesFile = false;
 
     if (catalogList == null) {
@@ -558,7 +559,7 @@
    * defaultPreferSetting.
    */
   private boolean queryPreferPublic () {
-    String prefer = System.getProperty(pPrefer);
+    String prefer = SecuritySupport.getSystemProperty(pPrefer);
 
     if (prefer == null) {
       if (resources==null) readProperties();
@@ -617,7 +618,7 @@
    * defaultUseStaticCatalog.
    */
   private boolean queryUseStaticCatalog () {
-    String staticCatalog = System.getProperty(pStatic);
+    String staticCatalog = SecuritySupport.getSystemProperty(pStatic);
 
     if (staticCatalog == null) {
       if (resources==null) readProperties();
@@ -748,7 +749,7 @@
    * defaultOasisXMLCatalogPI.
    */
   public boolean queryAllowOasisXMLCatalogPI () {
-    String allow = System.getProperty(pAllowPI);
+    String allow = SecuritySupport.getSystemProperty(pAllowPI);
 
     if (allow == null) {
       if (resources==null) readProperties();
@@ -804,7 +805,7 @@
    *
    */
   public String queryCatalogClassName () {
-    String className = System.getProperty(pClassname);
+    String className = SecuritySupport.getSystemProperty(pClassname);
 
     if (className == null) {
       if (resources==null) readProperties();
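Review bot: `queryCatalogClassName` is public and passes the property value on to its caller, so routing the read through `SecuritySupport.getSystemProperty(pClassname)` changes who can observe that value if the helper reads inside a privileged block (its body is not in this diff). In that case code without the matching `PropertyPermission` would obtain the setting through this method, and the same holds for the public `queryAllowOasisXMLCatalogPI` in the previous hunk. The exposure is limited to the fixed keys, which looks intentional, but the Javadoc should say so, for example `Reads the property with the library's own privileges; only the fixed catalog property keys are ever read this way.` The method body continues outside the hunk.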
--- a/src/com/sun/org/apache/xml/internal/resolver/Resolver.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/resolver/Resolver.java	Mon Jun 03 15:27:00 2013 +0200
@@ -33,6 +33,7 @@
 import java.net.MalformedURLException;
 import javax.xml.parsers.SAXParserFactory;
 import com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xml.internal.resolver.readers.SAXCatalogReader;
 import com.sun.org.apache.xml.internal.resolver.readers.OASISXMLCatalogReader;
 import com.sun.org.apache.xml.internal.resolver.readers.TR9401CatalogReader;
@@ -524,7 +525,7 @@
      */
     private Vector resolveAllLocalSystem(String systemId) {
         Vector map = new Vector();
-        String osname = System.getProperty("os.name");
+        String osname = SecuritySupport.getSystemProperty("os.name");
         boolean windows = (osname.indexOf("Windows") >= 0);
         Enumeration en = catalogEntries.elements();
         while (en.hasMoreElements()) {
@@ -552,7 +553,7 @@
      */
     private Vector resolveLocalSystemReverse(String systemId) {
         Vector map = new Vector();
-        String osname = System.getProperty("os.name");
+        String osname = SecuritySupport.getSystemProperty("os.name");
         boolean windows = (osname.indexOf("Windows") >= 0);
         Enumeration en = catalogEntries.elements();
         while (en.hasMoreElements()) {
--- a/src/com/sun/org/apache/xml/internal/serialize/SerializerFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/serialize/SerializerFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,6 +22,7 @@
 package com.sun.org.apache.xml.internal.serialize;
 
 import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.io.OutputStream;
 import java.io.Writer;
 import java.io.UnsupportedEncodingException;
@@ -64,7 +65,7 @@
         factory =  new SerializerFactoryImpl( Method.TEXT );
         registerSerializerFactory( factory );
 
-        list = System.getProperty( FactoriesProperty );
+        list = SecuritySupport.getSystemProperty( FactoriesProperty );
         if ( list != null ) {
             token = new StringTokenizer( list, " ;,:" );
             while ( token.hasMoreTokens() ) {
--- a/src/com/sun/org/apache/xml/internal/serializer/Encodings.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/serializer/Encodings.java	Mon Jun 03 15:27:00 2013 +0200
@@ -219,7 +219,7 @@
                 // Get the default system character encoding.  This may be
                 // incorrect if they passed in a writer, but right now there
                 // seems to be no way to get the encoding from a writer.
-                encoding = System.getProperty("file.encoding", "UTF8");
+                encoding = SecuritySupport.getSystemProperty("file.encoding", "UTF8");
 
                 if (null != encoding)
                 {
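Review bot: No import for `SecuritySupport` is added to Encodings.java, although both hunks in this file now call it, so the name must resolve through an existing import or a class in the same package. That is worth confirming, because this changeset uses two different helpers: Catalog, CatalogManager, Resolver and SerializerFactory import `com.sun.org.apache.xerces.internal.utils.SecuritySupport`, while the other serializer classes import `com.sun.org.apache.xalan.internal.utils.SecuritySupport`. The two-argument form `getSystemProperty("file.encoding", "UTF8")` also has to exist on whichever class is picked up. In the second hunk, the `catch (SecurityException e)` around the `ENCODINGS_PROP` read may no longer be reachable if the helper reads in a privileged block, and a comment there should state whether the catch is kept on purpose.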
@@ -313,7 +313,7 @@
 
             try
             {
-                urlString = System.getProperty(ENCODINGS_PROP, "");
+                urlString = SecuritySupport.getSystemProperty(ENCODINGS_PROP, "");
             }
             catch (SecurityException e)
             {
--- a/src/com/sun/org/apache/xml/internal/serializer/OutputPropertiesFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/serializer/OutputPropertiesFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,6 +22,7 @@
  */
 package com.sun.org.apache.xml.internal.serializer;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -471,7 +472,7 @@
             String value = null;
             try
             {
-                value = System.getProperty(key);
+                value = SecuritySupport.getSystemProperty(key);
             }
             catch (SecurityException se)
             {
@@ -484,7 +485,7 @@
             String newValue = null;
             try
             {
-                newValue = System.getProperty(newKey);
+                newValue = SecuritySupport.getSystemProperty(newKey);
             }
             catch (SecurityException se)
             {
--- a/src/com/sun/org/apache/xml/internal/serializer/ToStream.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/serializer/ToStream.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,6 +22,7 @@
  */
 package com.sun.org.apache.xml.internal.serializer;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
@@ -140,7 +141,7 @@
      * extension attribute xalan:line-separator.
      */
     protected char[] m_lineSep =
-        System.getProperty("line.separator").toCharArray();
+        SecuritySupport.getSystemProperty("line.separator").toCharArray();
 
     /**
      * True if the the system line separator is to be used.
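Review bot: The `m_lineSep` initializer does not need a property read at all, since this is a JDK 7 update tree and `System.lineSeparator()` is available there. `System.lineSeparator().toCharArray()` needs no permission check or privileged helper, and cannot return null into the `toCharArray()` call. The one behavioural difference is that `System.lineSeparator()` returns the separator fixed at JVM start-up, not a later `System.setProperty("line.separator", ...)` override. If that override must still be honoured, keep the helper call and add a comment saying so.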
--- a/src/com/sun/org/apache/xml/internal/serializer/TreeWalker.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/serializer/TreeWalker.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,6 +22,7 @@
  */
 package com.sun.org.apache.xml.internal.serializer;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.io.File;
 
 import com.sun.org.apache.xml.internal.serializer.utils.AttList;
@@ -104,7 +105,7 @@
       else {
           try {
             // Bug see Bugzilla  26741
-            m_locator.setSystemId(System.getProperty("user.dir") + File.separator + "dummy.xsl");
+            m_locator.setSystemId(SecuritySupport.getSystemProperty("user.dir") + File.separator + "dummy.xsl");
            }
            catch (SecurityException se) {// user.dir not accessible from applet
            }
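Review bot: The comment `// user.dir not accessible from applet` on the catch block may no longer describe what happens once the read goes through `SecuritySupport.getSystemProperty("user.dir")`. If that helper reads inside a privileged block (its body is not in this diff), the call succeeds for callers without the property permission. The working-directory path then ends up in the system ID of `m_locator`, which the next hunk shows being handed to `m_contentHandler`. Before this change a sandboxed caller got a swallowed `SecurityException` and no system ID, so please confirm that exposing the path to the content handler is intended. If so, the comment should become something like `// kept for safety; user.dir is read with library privileges`, and otherwise a fixed placeholder system ID would avoid the exposure. The same applies to the second TreeWalker hunk, and the enclosing method starts and ends outside both.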
@@ -115,7 +116,7 @@
                         m_contentHandler.setDocumentLocator(m_locator);
                 try {
                    // Bug see Bugzilla  26741
-                  m_locator.setSystemId(System.getProperty("user.dir") + File.separator + "dummy.xsl");
+                  m_locator.setSystemId(SecuritySupport.getSystemProperty("user.dir") + File.separator + "dummy.xsl");
                 }
                 catch (SecurityException se){// user.dir not accessible from applet
 
--- a/src/com/sun/org/apache/xml/internal/serializer/utils/Messages.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/serializer/utils/Messages.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,6 +22,7 @@
  */
 package com.sun.org.apache.xml.internal.serializer.utils;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.util.ListResourceBundle;
 import java.util.Locale;
 import java.util.MissingResourceException;
@@ -87,9 +88,6 @@
  * can have the Message strings translated in an alternate language
  * in a errorResourceClass with a language suffix.
  *
- * More sophisticated use of this class would be to pass null
- * when contructing it, but then call loadResourceBundle()
- * before creating any messages.
  *
  * This class is not a public API, it is only public because it is
  * used in com.sun.org.apache.xml.internal.serializer.
@@ -126,18 +124,6 @@
         m_resourceBundleName = resourceBundle;
     }
 
-    /*
-     * Set the Locale object to use. If this method is not called the
-     * default locale is used. This method needs to be called before
-     * loadResourceBundle().
-     *
-     * @param locale non-null reference to Locale object.
-     * @xsl.usage internal
-     */
-//    public void setLocale(Locale locale)
-//    {
-//        m_locale = locale;
-//    }
 
     /**
      * Get the Locale object that is being used.
@@ -151,16 +137,6 @@
     }
 
     /**
-     * Get the ListResourceBundle being used by this Messages instance which was
-     * previously set by a call to loadResourceBundle(className)
-     * @xsl.usage internal
-     */
-    private ListResourceBundle getResourceBundle()
-    {
-        return m_resourceBundle;
-    }
-
-    /**
      * Creates a message from the specified key and replacement
      * arguments, localized to the given locale.
      *
@@ -174,7 +150,7 @@
     public final String createMessage(String msgKey, Object args[])
     {
         if (m_resourceBundle == null)
-            m_resourceBundle = loadResourceBundle(m_resourceBundleName);
+            m_resourceBundle = SecuritySupport.getResourceBundle(m_resourceBundleName);
 
         if (m_resourceBundle != null)
         {
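Review bot: The bundle is now loaded by name only, so the lookup no longer takes its locale from `getLocale()` as the removed `loadResourceBundle` did with `Locale locale = getLocale();`, although the class still exposes `getLocale()`. If `SecuritySupport` offers a locale-taking variant, `SecuritySupport.getResourceBundle(m_resourceBundleName, getLocale())` would keep the two in agreement; otherwise a comment such as `// loaded for the default locale; m_locale is informational only` would document the difference. Because the load presumably runs privileged now, the constructor's Javadoc should also say that the bundle name must be a trusted constant. `createMessage` continues past the end of this hunk.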
@@ -293,76 +269,4 @@
         return fmsg;
     }
 
-    /**
-     * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-     * of ResourceBundle.getBundle().
-     *
-     * @param className the name of the class that implements ListResourceBundle,
-     * without language suffix.
-     * @return the ResourceBundle
-     * @throws MissingResourceException
-     * @xsl.usage internal
-     */
-    private ListResourceBundle loadResourceBundle(String resourceBundle)
-        throws MissingResourceException
-    {
-        m_resourceBundleName = resourceBundle;
-        Locale locale = getLocale();
-
-        ListResourceBundle lrb;
-
-        try
-        {
-
-            ResourceBundle rb =
-                ResourceBundle.getBundle(m_resourceBundleName, locale);
-            lrb = (ListResourceBundle) rb;
-        }
-        catch (MissingResourceException e)
-        {
-            try // try to fall back to en_US if we can't load
-                {
-
-                // Since we can't find the localized property file,
-                // fall back to en_US.
-                lrb =
-                    (ListResourceBundle) ResourceBundle.getBundle(
-                        m_resourceBundleName,
-                        new Locale("en", "US"));
-            }
-            catch (MissingResourceException e2)
-            {
-
-                // Now we are really in trouble.
-                // very bad, definitely very bad...not going to get very far
-                throw new MissingResourceException(
-                    "Could not load any resource bundles." + m_resourceBundleName,
-                    m_resourceBundleName,
-                    "");
-            }
-        }
-        m_resourceBundle = lrb;
-        return lrb;
-    }
-
-    /**
-     * Return the resource file suffic for the indicated locale
-     * For most locales, this will be based the language code.  However
-     * for Chinese, we do distinguish between Taiwan and PRC
-     *
-     * @param locale the locale
-     * @return an String suffix which can be appended to a resource name
-     * @xsl.usage internal
-     */
-    private static String getResourceSuffix(Locale locale)
-    {
-
-        String suffix = "_" + locale.getLanguage();
-        String country = locale.getCountry();
-
-        if (country.equals("TW"))
-            suffix += "_" + country;
-
-        return suffix;
-    }
 }
--- a/src/com/sun/org/apache/xml/internal/utils/TreeWalker.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/utils/TreeWalker.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,6 +22,7 @@
  */
 package com.sun.org.apache.xml.internal.utils;
 
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.io.File;
 
 import org.w3c.dom.Comment;
@@ -93,7 +94,7 @@
     else {
         try {
           // Bug see Bugzilla  26741
-          m_locator.setSystemId(System.getProperty("user.dir") + File.separator + "dummy.xsl");
+          m_locator.setSystemId(SecuritySupport.getSystemProperty("user.dir") + File.separator + "dummy.xsl");
          }
          catch (SecurityException se) {// user.dir not accessible from applet
          }
@@ -112,7 +113,7 @@
     m_contentHandler.setDocumentLocator(m_locator);
     try {
        // Bug see Bugzilla  26741
-      m_locator.setSystemId(System.getProperty("user.dir") + File.separator + "dummy.xsl");
+      m_locator.setSystemId(SecuritySupport.getSystemProperty("user.dir") + File.separator + "dummy.xsl");
     }
     catch (SecurityException se){// user.dir not accessible from applet
     }
@@ -131,7 +132,7 @@
                         m_contentHandler.setDocumentLocator(m_locator);
                 try {
                    // Bug see Bugzilla  26741
-                  m_locator.setSystemId(System.getProperty("user.dir") + File.separator + "dummy.xsl");
+                  m_locator.setSystemId(SecuritySupport.getSystemProperty("user.dir") + File.separator + "dummy.xsl");
                 }
                 catch (SecurityException se){// user.dir not accessible from applet
 
--- a/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,17 +22,17 @@
  */
 package com.sun.org.apache.xml.internal.utils;
 
-import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
+import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import java.util.HashMap;
-
+import javax.xml.XMLConstants;
 import javax.xml.parsers.FactoryConfigurationError;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
-
+import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.helpers.XMLReaderFactory;
-import org.xml.sax.SAXException;
 
 /**
  * Creates XMLReader objects and caches them for re-use.
@@ -63,6 +63,11 @@
     private HashMap m_inUse;
 
     private boolean m_useServicesMechanism = true;
+     /**
+     * protocols allowed for external DTD references in source file and/or stylesheet.
+     */
+    private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
     /**
      * Hidden constructor
      */
@@ -131,6 +136,7 @@
                 try {
                     reader.setFeature(NAMESPACES_FEATURE, true);
                     reader.setFeature(NAMESPACE_PREFIXES_FEATURE, false);
+                    reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
                 } catch (SAXException se) {
                     // Try to carry on if we've got a parser that
                     // doesn't know about namespace prefixes.
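Review bot: The new `reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD)` shares a try block whose `catch (SAXException se)` deliberately carries on. A reader that rejects the property, or a failure in either `setFeature` call before it, therefore leaves the external-DTD restriction unset without any signal. Give the property its own try block and report the failure, as sketched below. The enclosing method starts and ends outside this hunk, so whether readers taken from the cache also receive the current value cannot be checked from here.

```java
                    reader.setFeature(NAMESPACE_PREFIXES_FEATURE, false);
                // … unchanged: catch (SAXException se) for the namespace features …
                try {
                    reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
                } catch (SAXException se) {
                    // The reader cannot enforce the restriction on external DTDs;
                    // report it instead of continuing silently.
                    System.err.println("Warning: " + reader.getClass().getName()
                            + ": " + se.getMessage());
                }
```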
@@ -181,4 +187,22 @@
         m_useServicesMechanism = flag;
     }
 
+    /**
+     * Get property value
+     */
+    public String getProperty(String name) {
+        if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            return _accessExternalDTD;
+        }
+        return null;
+    }
+
+    /**
+     * Set property.
+     */
+    public void setProperty(String name, String value) {
+        if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            _accessExternalDTD = (String)value;
+        }
+    }
 }
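Review bot: `setProperty` writes `_accessExternalDTD` without synchronization on a manager whose constructor is hidden, which suggests a shared instance. A value set for one transformation would then apply to readers created later for any other caller. Both methods call `name.equals(...)`, which throws on a null name, and `setProperty` silently ignores names it does not know; `XMLConstants.ACCESS_EXTERNAL_DTD.equals(name)` avoids the first problem, and the cast in `(String)value` is redundant. The Javadoc should list the supported property names and state that `getProperty` returns null for any other name.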
--- a/src/com/sun/org/apache/xml/internal/utils/res/XResourceBundle.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xml/internal/utils/res/XResourceBundle.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,6 +22,8 @@
  */
 package com.sun.org.apache.xml.internal.utils.res;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ListResourceBundle;
 import java.util.Locale;
 import java.util.MissingResourceException;
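Review bot: The added imports `java.security.AccessController` and `java.security.PrivilegedAction` are not used anywhere on the new side of this file, since the following hunk leaves only the string constants and `getContents()`. With `loadResourceBundle` and `getResourceSuffix` removed there, `Locale` and `MissingResourceException` appear unused as well. The import block could shrink to `import java.util.ListResourceBundle;`, matching what this changeset does for `XPATHErrorResources`. Leftover security-related imports in a class that performs no privileged action also mislead later readers about what the class does.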
@@ -29,114 +31,45 @@
 
 /**
  * The default (english) resource bundle.
+ *
  * @xsl.usage internal
  */
-public class XResourceBundle extends ListResourceBundle
-{
-
-  /** Error resource constants */
-  public static final String ERROR_RESOURCES =
-    "com.sun.org.apache.xalan.internal.res.XSLTErrorResources", XSLT_RESOURCE =
-    "com.sun.org.apache.xml.internal.utils.res.XResourceBundle", LANG_BUNDLE_NAME =
-    "com.sun.org.apache.xml.internal.utils.res.XResources", MULT_ORDER =
-    "multiplierOrder", MULT_PRECEDES = "precedes", MULT_FOLLOWS =
-    "follows", LANG_ORIENTATION = "orientation", LANG_RIGHTTOLEFT =
-    "rightToLeft", LANG_LEFTTORIGHT = "leftToRight", LANG_NUMBERING =
-    "numbering", LANG_ADDITIVE = "additive", LANG_MULT_ADD =
-    "multiplicative-additive", LANG_MULTIPLIER =
-    "multiplier", LANG_MULTIPLIER_CHAR =
-    "multiplierChar", LANG_NUMBERGROUPS = "numberGroups", LANG_NUM_TABLES =
-    "tables", LANG_ALPHABET = "alphabet", LANG_TRAD_ALPHABET = "tradAlphabet";
+public class XResourceBundle extends ListResourceBundle {
 
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @param locale the locale to prefer when searching for the bundle
-   */
-  public static final XResourceBundle loadResourceBundle(
-          String className, Locale locale) throws MissingResourceException
-  {
-
-    String suffix = getResourceSuffix(locale);
-
-    //System.out.println("resource " + className + suffix);
-    try
-    {
+    /**
+     * Error resource constants
+     */
+    public static final String ERROR_RESOURCES =
+            "com.sun.org.apache.xalan.internal.res.XSLTErrorResources", XSLT_RESOURCE =
+            "com.sun.org.apache.xml.internal.utils.res.XResourceBundle", LANG_BUNDLE_NAME =
+            "com.sun.org.apache.xml.internal.utils.res.XResources", MULT_ORDER =
+            "multiplierOrder", MULT_PRECEDES = "precedes", MULT_FOLLOWS =
+            "follows", LANG_ORIENTATION = "orientation", LANG_RIGHTTOLEFT =
+            "rightToLeft", LANG_LEFTTORIGHT = "leftToRight", LANG_NUMBERING =
+            "numbering", LANG_ADDITIVE = "additive", LANG_MULT_ADD =
+            "multiplicative-additive", LANG_MULTIPLIER =
+            "multiplier", LANG_MULTIPLIER_CHAR =
+            "multiplierChar", LANG_NUMBERGROUPS = "numberGroups", LANG_NUM_TABLES =
+            "tables", LANG_ALPHABET = "alphabet", LANG_TRAD_ALPHABET = "tradAlphabet";
 
-      // first try with the given locale
-      String resourceName = className + suffix;
-      return (XResourceBundle) ResourceBundle.getBundle(resourceName, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XResourceBundle) ResourceBundle.getBundle(
-          XSLT_RESOURCE, new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
 
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
+    /**
+     * Get the association list.
+     *
+     * @return The association list.
+     */
+    public Object[][] getContents() {
+        return new Object[][]{
+                    {"ui_language", "en"}, {"help_language", "en"}, {"language", "en"},
+                    {"alphabet", new CharArrayWrapper(new char[]{'A', 'B', 'C', 'D', 'E', 'F', 'G',
+                            'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
+                            'V', 'W', 'X', 'Y', 'Z'})},
+                    {"tradAlphabet", new CharArrayWrapper(new char[]{'A', 'B', 'C', 'D', 'E', 'F',
+                            'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
+                            'U', 'V', 'W', 'X', 'Y', 'Z'})},
+                    //language orientation
+                    {"orientation", "LeftToRight"},
+                    //language numbering
+                    {"numbering", "additive"},};
     }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String lang = locale.getLanguage();
-    String country = locale.getCountry();
-    String variant = locale.getVariant();
-    String suffix = "_" + locale.getLanguage();
-
-    if (lang.equals("zh"))
-      suffix += "_" + country;
-
-    if (country.equals("JP"))
-      suffix += "_" + country + "_" + variant;
-
-    return suffix;
-  }
-
-  /**
-   * Get the association list.
-   *
-   * @return The association list.
-   */
-  public Object[][] getContents()
-  {
-    return new Object[][]
-  {
-    { "ui_language", "en" }, { "help_language", "en" }, { "language", "en" },
-    { "alphabet", new CharArrayWrapper(new char[]{ 'A', 'B', 'C', 'D', 'E', 'F', 'G',
-         'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
-         'V', 'W', 'X', 'Y', 'Z' })},
-    { "tradAlphabet", new CharArrayWrapper(new char[]{ 'A', 'B', 'C', 'D', 'E', 'F',
-         'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
-         'U', 'V', 'W', 'X', 'Y', 'Z' }) },
-
-    //language orientation
-    { "orientation", "LeftToRight" },
-
-    //language numbering
-    { "numbering", "additive" },
-  };
-  }
 }
--- a/src/com/sun/org/apache/xpath/internal/functions/FuncSystemProperty.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/functions/FuncSystemProperty.java	Mon Jun 03 15:27:00 2013 +0200
@@ -102,7 +102,7 @@
 
         try
         {
-          result = System.getProperty(propName);
+          result = SecuritySupport.getSystemProperty(propName);
 
           if (null == result)
           {
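Review bot: `propName` is passed to `SecuritySupport.getSystemProperty` without any filtering here, and `fullName` likewise in the next hunk. If that helper reads under a privileged block and the name originates from the stylesheet's `system-property()` argument (both outside this hunk), the caller's own property permissions no longer limit which properties can be read. Consider restricting the privileged read to a fixed set of names, or add a comment explaining why an unrestricted lookup is safe. The catch clause of the surrounding try is not visible, so whether a `SecurityException` handler there is now unreachable cannot be confirmed.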
@@ -124,7 +124,7 @@
     {
       try
       {
-        result = System.getProperty(fullName);
+        result = SecuritySupport.getSystemProperty(fullName);
 
         if (null == result)
         {
@@ -165,12 +165,11 @@
    * should already be fully qualified as path/filename
    * @param target The target property bag the file will be placed into.
    */
-  private void loadPropertyFile(String file, Properties target)
+  public void loadPropertyFile(String file, Properties target)
   {
     try
     {
       // Use SecuritySupport class to provide priveleged access to property file
-
       InputStream is = SecuritySupport.getResourceAsStream(ObjectFactory.findClassLoader(),
                                               file);
 
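Review bot: Widening `loadPropertyFile` from `private` to `public` exposes a method that, per its own comment, uses `SecuritySupport` for privileged access to a resource named by the `file` argument. Nothing in this hunk shows a caller that needs the wider access. If one exists in the same package, package-private visibility would be enough; otherwise keep `private void loadPropertyFile(String file, Properties target)`. If it must stay public, the Javadoc should state that `file` has to be a trusted, fixed resource name. The method body continues past the end of the hunk.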
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_de.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_de.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_es.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_es.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_fr.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_fr.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_it.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_it.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_ja.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_ja.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_ko.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_ko.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_pt_BR.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_pt_BR.java	Mon Jun 03 15:27:00 2013 +0200
@@ -24,9 +24,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -940,68 +937,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_sv.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_sv.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_zh_CN.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_zh_CN.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_zh_TW.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHErrorResources_zh_TW.java	Mon Jun 03 15:27:00 2013 +0200
@@ -23,9 +23,6 @@
 package com.sun.org.apache.xpath.internal.res;
 
 import java.util.ListResourceBundle;
-import java.util.Locale;
-import java.util.MissingResourceException;
-import java.util.ResourceBundle;
 
 /**
  * Set up error messages.
@@ -939,68 +936,4 @@
   /** Field QUERY_HEADER          */
   public static final String QUERY_HEADER = "PATTERN ";
 
-
-  /**
-   * Return a named ResourceBundle for a particular locale.  This method mimics the behavior
-   * of ResourceBundle.getBundle().
-   *
-   * @param className Name of local-specific subclass.
-   * @return the ResourceBundle
-   * @throws MissingResourceException
-   */
-  public static final XPATHErrorResources loadResourceBundle(String className)
-          throws MissingResourceException
-  {
-
-    Locale locale = Locale.getDefault();
-    String suffix = getResourceSuffix(locale);
-
-    try
-    {
-
-      // first try with the given locale
-      return (XPATHErrorResources) ResourceBundle.getBundle(className
-              + suffix, locale);
-    }
-    catch (MissingResourceException e)
-    {
-      try  // try to fall back to en_US if we can't load
-      {
-
-        // Since we can't find the localized property file,
-        // fall back to en_US.
-        return (XPATHErrorResources) ResourceBundle.getBundle(className,
-                new Locale("en", "US"));
-      }
-      catch (MissingResourceException e2)
-      {
-
-        // Now we are really in trouble.
-        // very bad, definitely very bad...not going to get very far
-        throw new MissingResourceException(
-          "Could not load any resource bundles.", className, "");
-      }
-    }
-  }
-
-  /**
-   * Return the resource file suffic for the indicated locale
-   * For most locales, this will be based the language code.  However
-   * for Chinese, we do distinguish between Taiwan and PRC
-   *
-   * @param locale the locale
-   * @return an String suffix which canbe appended to a resource name
-   */
-  private static final String getResourceSuffix(Locale locale)
-  {
-
-    String suffix = "_" + locale.getLanguage();
-    String country = locale.getCountry();
-
-    if (country.equals("TW"))
-      suffix += "_" + country;
-
-    return suffix;
-  }
-
 }
--- a/src/com/sun/org/apache/xpath/internal/res/XPATHMessages.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/org/apache/xpath/internal/res/XPATHMessages.java	Mon Jun 03 15:27:00 2013 +0200
@@ -22,130 +22,128 @@
  */
 package com.sun.org.apache.xpath.internal.res;
 
+import com.sun.org.apache.bcel.internal.util.SecuritySupport;
+import com.sun.org.apache.xml.internal.res.XMLMessages;
 import java.util.ListResourceBundle;
 
-import com.sun.org.apache.xml.internal.res.XMLMessages;
-
 /**
  * A utility class for issuing XPath error messages.
+ *
  * @xsl.usage internal
  */
-public class XPATHMessages extends XMLMessages
-{
-  /** The language specific resource object for XPath messages.  */
-  private static ListResourceBundle XPATHBundle = null;
+public class XPATHMessages extends XMLMessages {
 
-  /** The class name of the XPath error message string table.     */
-  private static final String XPATH_ERROR_RESOURCES =
-    "com.sun.org.apache.xpath.internal.res.XPATHErrorResources";
+    /**
+     * The language specific resource object for XPath messages.
+     */
+    private static ListResourceBundle XPATHBundle = null;
+    /**
+     * The class name of the XPath error message string table.
+     */
+    private static final String XPATH_ERROR_RESOURCES =
+            "com.sun.org.apache.xpath.internal.res.XPATHErrorResources";
 
-  /**
-   * Creates a message from the specified key and replacement
-   * arguments, localized to the given locale.
-   *
-   * @param msgKey    The key for the message text.
-   * @param args      The arguments to be used as replacement text
-   *                  in the message created.
-   *
-   * @return The formatted message string.
-   */
-  public static final String createXPATHMessage(String msgKey, Object args[])  //throws Exception
-  {
-    if (XPATHBundle == null)
-      XPATHBundle = loadResourceBundle(XPATH_ERROR_RESOURCES);
-
-    if (XPATHBundle != null)
+    /**
+     * Creates a message from the specified key and replacement arguments,
+     * localized to the given locale.
+     *
+     * @param msgKey The key for the message text.
+     * @param args The arguments to be used as replacement text in the message
+     * created.
+     *
+     * @return The formatted message string.
+     */
+    public static final String createXPATHMessage(String msgKey, Object args[]) //throws Exception
     {
-      return createXPATHMsg(XPATHBundle, msgKey, args);
-    }
-    else
-      return "Could not load any resource bundles.";
-  }
+        if (XPATHBundle == null) {
+            XPATHBundle = SecuritySupport.getResourceBundle(XPATH_ERROR_RESOURCES);
+        }
 
-  /**
-   * Creates a message from the specified key and replacement
-   * arguments, localized to the given locale.
-   *
-   * @param msgKey The key for the message text.
-   * @param args      The arguments to be used as replacement text
-   *                  in the message created.
-   *
-   * @return The formatted warning string.
-   */
-  public static final String createXPATHWarning(String msgKey, Object args[])  //throws Exception
-  {
-    if (XPATHBundle == null)
-      XPATHBundle = loadResourceBundle(XPATH_ERROR_RESOURCES);
-
-    if (XPATHBundle != null)
-    {
-      return createXPATHMsg(XPATHBundle, msgKey, args);
+        if (XPATHBundle != null) {
+            return createXPATHMsg(XPATHBundle, msgKey, args);
+        } else {
+            return "Could not load any resource bundles.";
+        }
     }
-    else
-      return "Could not load any resource bundles.";
-  }
 
-  /**
-   * Creates a message from the specified key and replacement
-   * arguments, localized to the given locale.
-   *
-   * @param fResourceBundle The resource bundle to use.
-   * @param msgKey  The message key to use.
-   * @param args      The arguments to be used as replacement text
-   *                  in the message created.
-   *
-   * @return The formatted message string.
-   */
-  public static final String createXPATHMsg(ListResourceBundle fResourceBundle,
-                                            String msgKey, Object args[])  //throws Exception
-  {
+    /**
+     * Creates a message from the specified key and replacement arguments,
+     * localized to the given locale.
+     *
+     * @param msgKey The key for the message text.
+     * @param args The arguments to be used as replacement text in the message
+     * created.
+     *
+     * @return The formatted warning string.
+     */
+    public static final String createXPATHWarning(String msgKey, Object args[]) //throws Exception
+    {
+        if (XPATHBundle == null) {
+            XPATHBundle = SecuritySupport.getResourceBundle(XPATH_ERROR_RESOURCES);
+        }
 
-    String fmsg = null;
-    boolean throwex = false;
-    String msg = null;
-
-    if (msgKey != null)
-      msg = fResourceBundle.getString(msgKey);
-
-    if (msg == null)
-    {
-      msg = fResourceBundle.getString(XPATHErrorResources.BAD_CODE);
-      throwex = true;
+        if (XPATHBundle != null) {
+            return createXPATHMsg(XPATHBundle, msgKey, args);
+        } else {
+            return "Could not load any resource bundles.";
+        }
     }
 
-    if (args != null)
+    /**
+     * Creates a message from the specified key and replacement arguments,
+     * localized to the given locale.
+     *
+     * @param fResourceBundle The resource bundle to use.
+     * @param msgKey The message key to use.
+     * @param args The arguments to be used as replacement text in the message
+     * created.
+     *
+     * @return The formatted message string.
+     */
+    public static final String createXPATHMsg(ListResourceBundle fResourceBundle,
+            String msgKey, Object args[]) //throws Exception
     {
-      try
-      {
 
-        // Do this to keep format from crying.
-        // This is better than making a bunch of conditional
-        // code all over the place.
-        int n = args.length;
+        String fmsg = null;
+        boolean throwex = false;
+        String msg = null;
 
-        for (int i = 0; i < n; i++)
-        {
-          if (null == args[i])
-            args[i] = "";
+        if (msgKey != null) {
+            msg = fResourceBundle.getString(msgKey);
+        }
+
+        if (msg == null) {
+            msg = fResourceBundle.getString(XPATHErrorResources.BAD_CODE);
+            throwex = true;
         }
 
-        fmsg = java.text.MessageFormat.format(msg, args);
-      }
-      catch (Exception e)
-      {
-        fmsg = fResourceBundle.getString(XPATHErrorResources.FORMAT_FAILED);
-        fmsg += " " + msg;
-      }
+        if (args != null) {
+            try {
+
+                // Do this to keep format from crying.
+                // This is better than making a bunch of conditional
+                // code all over the place.
+                int n = args.length;
+
+                for (int i = 0; i < n; i++) {
+                    if (null == args[i]) {
+                        args[i] = "";
+                    }
+                }
+
+                fmsg = java.text.MessageFormat.format(msg, args);
+            } catch (Exception e) {
+                fmsg = fResourceBundle.getString(XPATHErrorResources.FORMAT_FAILED);
+                fmsg += " " + msg;
+            }
+        } else {
+            fmsg = msg;
+        }
+
+        if (throwex) {
+            throw new RuntimeException(fmsg);
+        }
+
+        return fmsg;
     }
-    else
-      fmsg = msg;
-
-    if (throwex)
-    {
-      throw new RuntimeException(fmsg);
-    }
-
-    return fmsg;
-  }
-
 }
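Review bot: In `createXPATHMsg`, the `msg == null` fallback to `XPATHErrorResources.BAD_CODE` cannot be reached for an unknown key, because `ResourceBundle.getString` throws `MissingResourceException` rather than returning null. A bad key therefore escapes as an unchecked exception from the error-reporting path itself. Guarding the lookup with `if (msgKey != null && fResourceBundle.containsKey(msgKey)) { msg = fResourceBundle.getString(msgKey); }` would let the BAD_CODE branch do its job. Separately, this file imports `SecuritySupport` from `com.sun.org.apache.bcel.internal.util`, while the stream classes later in this changeset import `com.sun.org.apache.xerces.internal.utils.SecuritySupport`. A short comment saying why the BCEL helper is used here, and that it is only ever passed the constant `XPATH_ERROR_RESOURCES`, would help the next reader.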
--- a/src/com/sun/xml/internal/stream/StaxXMLInputSource.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/xml/internal/stream/StaxXMLInputSource.java	Mon Jun 03 15:27:00 2013 +0200
@@ -43,6 +43,9 @@
     XMLEventReader fEventReader ;
     XMLInputSource fInputSource ;
 
+    //indicate if the source is resolved by a resolver
+    boolean fHasResolver = false;
+
     /** Creates a new instance of StaxXMLInputSource */
     public StaxXMLInputSource(XMLStreamReader streamReader) {
         fStreamReader = streamReader ;
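Review bot: `fHasResolver` is declared without an access modifier, so any class in `com.sun.xml.internal.stream` can change it after construction. Since the flag records how the source was obtained, `private boolean fHasResolver = false;`, set only through the new constructor, would keep it trustworthy. The new two-argument constructor and `hasResolver()` in the following two hunks have no Javadoc, and the one-line comment does not say what a consumer should do differently when the flag is true. Presumably it influences whether external-access restrictions are applied to the source, which is worth stating explicitly. The class body starts and ends outside these hunks.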
@@ -57,6 +60,12 @@
         fInputSource = inputSource ;
 
     }
+
+    public StaxXMLInputSource(XMLInputSource inputSource, boolean hasResolver){
+        fInputSource = inputSource ;
+        fHasResolver = hasResolver;
+    }
+
     public XMLStreamReader getXMLStreamReader(){
         return fStreamReader ;
     }
@@ -72,4 +81,8 @@
     public boolean hasXMLStreamOrXMLEventReader(){
         return (fStreamReader == null) && (fEventReader == null) ? false : true ;
     }
+
+    public boolean hasResolver() {
+        return fHasResolver;
+    }
 }
--- a/src/com/sun/xml/internal/stream/XMLEntityStorage.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/xml/internal/stream/XMLEntityStorage.java	Mon Jun 03 15:27:00 2013 +0200
@@ -36,6 +36,7 @@
 import com.sun.org.apache.xerces.internal.impl.PropertyManager;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
 import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import java.util.Enumeration;
 
 /**
@@ -414,7 +415,7 @@
         // get the user.dir property
         String userDir = "";
         try {
-            userDir = System.getProperty("user.dir");
+            userDir = SecuritySupport.getSystemProperty("user.dir");
         }
         catch (SecurityException se) {
         }
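Review bot: The `catch (SecurityException se) { }` around the `user.dir` lookup stays empty, and after this change it is unclear when it can still fire. If `SecuritySupport.getSystemProperty` reads the property in a privileged block (its body is not visible here), the lookup succeeds even for callers without `PropertyPermission`. The working directory would then be available to code that could not read it before, so the code after this hunk should be checked for places where the derived value reaches caller-visible output such as system identifiers or error messages. The helper may also return null in place of the `""` default; a guard such as `if (userDir == null) userDir = "";`, plus a comment on why the catch is kept, would make the intent clear. The enclosing method starts and ends outside the hunk.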
--- a/src/com/sun/xml/internal/stream/writers/WriterUtility.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/xml/internal/stream/writers/WriterUtility.java	Mon Jun 03 15:27:00 2013 +0200
@@ -32,6 +32,7 @@
 import java.nio.charset.Charset;
 import java.nio.charset.CharsetEncoder;
 import com.sun.org.apache.xerces.internal.util.XMLChar;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 
 /**
  * Implements common xml writer functions.
@@ -240,7 +241,7 @@
 
     private CharsetEncoder getDefaultEncoder(){
         try{
-            String encoding = System.getProperty("file.encoding");
+            String encoding = SecuritySupport.getSystemProperty("file.encoding");
             if(encoding != null){
                 return Charset.forName(encoding).newEncoder();
             }
--- a/src/com/sun/xml/internal/stream/writers/XMLStreamWriterImpl.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/com/sun/xml/internal/stream/writers/XMLStreamWriterImpl.java	Mon Jun 03 15:27:00 2013 +0200
@@ -53,6 +53,7 @@
 import com.sun.org.apache.xerces.internal.impl.PropertyManager;
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.xni.QName;
 
 import com.sun.xml.internal.stream.util.ReadOnlyIterator;
@@ -340,7 +341,7 @@
                 fEncoder = Charset.forName(encoding).newEncoder();
             }
         } else {
-            encoding = System.getProperty("file.encoding");
+            encoding = SecuritySupport.getSystemProperty("file.encoding");
             if (encoding != null && encoding.equalsIgnoreCase("utf-8")) {
                 fWriter = new UTF8OutputStreamWriter(os);
             } else {
--- a/src/javax/xml/XMLConstants.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/XMLConstants.java	Mon Jun 03 15:27:00 2013 +0200
@@ -73,7 +73,7 @@
      * <p>The official XML Namespace name URI.</p>
      *
      * <p>Defined by the XML specification to be
-     * "<code>http://www.w3.org/XML/1998/namespace</code>".</p>
+     * "{@code http://www.w3.org/XML/1998/namespace}".</p>
      *
      * @see <a
      * href="http://www.w3.org/TR/REC-xml-names/#ns-qualnames">
@@ -85,7 +85,7 @@
     /**
      * <p>The official XML Namespace prefix.</p>
      *
-     * <p>Defined by the XML specification to be "<code>xml</code>".</p>
+     * <p>Defined by the XML specification to be "{@code xml}".</p>
      *
      * @see <a
      * href="http://www.w3.org/TR/REC-xml-names/#ns-qualnames">
@@ -99,7 +99,7 @@
      * XMLConstants.XMLNS_ATTRIBUTE}, Namespace name URI.</p>
      *
      * <p>Defined by the XML specification to be
-     * "<code>http://www.w3.org/2000/xmlns/</code>".</p>
+     * "{@code http://www.w3.org/2000/xmlns/}".</p>
      *
      * @see <a
      * href="http://www.w3.org/TR/REC-xml-names/#ns-qualnames">
@@ -117,7 +117,7 @@
      *
      * <p>It is <strong><em>NOT</em></strong> valid to use as a
      * prefix.  Defined by the XML specification to be
-     * "<code>xmlns</code>".</p>
+     * "{@code xmlns}".</p>
      *
      * @see <a
      * href="http://www.w3.org/TR/REC-xml-names/#ns-qualnames">
@@ -128,7 +128,7 @@
     /**
      * <p>W3C XML Schema Namespace URI.</p>
      *
-     * <p>Defined to be "<code>http://www.w3.org/2001/XMLSchema</code>".
+     * <p>Defined to be "{@code http://www.w3.org/2001/XMLSchema}".
      *
      * @see <a href=
      *  "http://www.w3.org/TR/xmlschema-1/#Instance_Document_Constructions">
@@ -141,7 +141,7 @@
     /**
      * <p>W3C XML Schema Instance Namespace URI.</p>
      *
-     * <p>Defined to be "<code>http://www.w3.org/2001/XMLSchema-instance</code>".</p>
+     * <p>Defined to be "{@code http://www.w3.org/2001/XMLSchema-instance}".</p>
      *
      * @see <a href=
      *  "http://www.w3.org/TR/xmlschema-1/#Instance_Document_Constructions">
@@ -154,7 +154,7 @@
         /**
          * <p>W3C XPath Datatype Namespace URI.</p>
          *
-         * <p>Defined to be "<code>http://www.w3.org/2003/11/xpath-datatypes</code>".</p>
+         * <p>Defined to be "{@code http://www.w3.org/2003/11/xpath-datatypes}".</p>
          *
          * @see <a href="http://www.w3.org/TR/xpath-datamodel">XQuery 1.0 and XPath 2.0 Data Model</a>
          */
@@ -163,14 +163,14 @@
     /**
      * <p>XML Document Type Declaration Namespace URI as an arbitrary value.</p>
      *
-     * <p>Since not formally defined by any existing standard, arbitrarily define to be "<code>http://www.w3.org/TR/REC-xml</code>".
+     * <p>Since not formally defined by any existing standard, arbitrarily define to be "{@code http://www.w3.org/TR/REC-xml}".
      */
     public static final String XML_DTD_NS_URI = "http://www.w3.org/TR/REC-xml";
 
         /**
          * <p>RELAX NG Namespace URI.</p>
          *
-         * <p>Defined to be "<code>http://relaxng.org/ns/structure/1.0</code>".</p>
+         * <p>Defined to be "{@code http://relaxng.org/ns/structure/1.0}".</p>
          *
          * @see <a href="http://relaxng.org/spec-20011203.html">RELAX NG Specification</a>
          */
@@ -181,14 +181,212 @@
          *
          * <ul>
          *   <li>
-         *     <code>true</code> instructs the implementation to process XML securely.
+         *     {@code true} instructs the implementation to process XML securely.
          *     This may set limits on XML constructs to avoid conditions such as denial of service attacks.
          *   </li>
          *   <li>
-         *     <code>false</code> instructs the implementation to process XML acording the letter of the XML specifications
-         *     ingoring security issues such as limits on XML constructs to avoid conditions such as denial of service attacks.
+         *     {@code false} instructs the implementation to process XML in accordance with the XML specifications
+         *     ignoring security issues such as limits on XML constructs to avoid conditions such as denial of service attacks.
          *   </li>
          * </ul>
          */
         public static final String FEATURE_SECURE_PROCESSING = "http://javax.xml.XMLConstants/feature/secure-processing";
+
+
+        /**
+         * <p>Property: accessExternalDTD</p>
+         *
+         * <p>
+         * Restrict access to external DTDs and external Entity References to the protocols specified.
+         * If access is denied due to the restriction of this property, a runtime exception that
+         * is specific to the context is thrown. In the case of {@link javax.xml.parsers.SAXParser}
+         * for example, {@link org.xml.sax.SAXException} is thrown.
+         * </p>
+         *
+         * <p>
+         * <b>Value: </b> a list of protocols separated by comma. A protocol is the scheme portion of a
+         * {@link java.net.URI}, or in the case of the JAR protocol, "jar" plus the scheme portion
+         * separated by colon.
+         * A scheme is defined as:
+         *
+         * <blockquote>
+         * scheme = alpha *( alpha | digit | "+" | "-" | "." )<br>
+         * where alpha = a-z and A-Z.<br><br>
+         *
+         * And the JAR protocol:<br>
+         *
+         * jar[:scheme]<br><br>
+         *
+         * Protocols including the keyword "jar" are case-insensitive. Any whitespaces as defined by
+         * {@link java.lang.Character#isSpaceChar } in the value will be ignored.
+         * Examples of protocols are file, http, jar:file.
+         *
+         * </blockquote>
+         *</p>
+         *
+         *<p>
+         * <b>Default value:</b> The default value is implementation specific and therefore not specified.
+         * The following options are provided for consideration:
+         * <blockquote>
+         * <UL>
+         *     <LI>an empty string to deny all access to external references;</LI>
+         *     <LI>a specific protocol, such as file, to give permission to only the protocol;</LI>
+         *     <LI>the keyword "all" to grant  permission to all protocols.</LI>
+         *</UL><br>
+         *      When FEATURE_SECURE_PROCESSING is enabled,  it is recommended that implementations
+         *      restrict external connections by default, though this may cause problems for applications
+         *      that process XML/XSD/XSL with external references.
+         * </blockquote>
+         * </p>
+         *
+         * <p>
+         * <b>Granting all access:</b>  the keyword "all" grants permission to all protocols.
+         * </p>
+         * <p>
+         * <b>System Property:</b> The value of this property can be set or overridden by
+         * system property {@code javax.xml.accessExternalDTD}.
+         * </p>
+         *
+         * <p>
+         * <b>${JAVA_HOME}/lib/jaxp.properties:</b> This configuration file is in standard
+         * {@link java.util.Properties} format. If the file exists and the system property is specified,
+         * its value will be used to override the default of the property.
+         * </p>
+         *
+         * <p>
+         *
+         * </p>
+         * @since 1.7
+         */
+        public static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";
+
+        /**
+         * <p>Property: accessExternalSchema</p>
+         *
+         * <p>
+         * Restrict access to the protocols specified for external reference set by the
+         * schemaLocation attribute, Import and Include element. If access is denied
+         * due to the restriction of this property, a runtime exception that is specific
+         * to the context is thrown. In the case of {@link javax.xml.validation.SchemaFactory}
+         * for example, org.xml.sax.SAXException is thrown.
+         * </p>
+         * <p>
+         * <b>Value:</b> a list of protocols separated by comma. A protocol is the scheme portion of a
+         * {@link java.net.URI}, or in the case of the JAR protocol, "jar" plus the scheme portion
+         * separated by colon.
+         * A scheme is defined as:
+         *
+         * <blockquote>
+         * scheme = alpha *( alpha | digit | "+" | "-" | "." )<br>
+         * where alpha = a-z and A-Z.<br><br>
+         *
+         * And the JAR protocol:<br>
+         *
+         * jar[:scheme]<br><br>
+         *
+         * Protocols including the keyword "jar" are case-insensitive. Any whitespaces as defined by
+         * {@link java.lang.Character#isSpaceChar } in the value will be ignored.
+         * Examples of protocols are file, http, jar:file.
+         *
+         * </blockquote>
+         *</p>
+         *
+         *<p>
+         * <b>Default value:</b> The default value is implementation specific and therefore not specified.
+         * The following options are provided for consideration:
+         * <blockquote>
+         * <UL>
+         *     <LI>an empty string to deny all access to external references;</LI>
+         *     <LI>a specific protocol, such as file, to give permission to only the protocol;</LI>
+         *     <LI>the keyword "all" to grant  permission to all protocols.</LI>
+         *</UL><br>
+         *      When FEATURE_SECURE_PROCESSING is enabled,  it is recommended that implementations
+         *      restrict external connections by default, though this may cause problems for applications
+         *      that process XML/XSD/XSL with external references.
+         * </blockquote>
+         * </p>
+         * <p>
+         * <b>Granting all access:</b>  the keyword "all" grants permission to all protocols.
+         * </p>
+         *
+         * <p>
+         * <b>System Property:</b> The value of this property can be set or overridden by
+         * system property {@code javax.xml.accessExternalSchema}
+         * </p>
+         *
+         * <p>
+         * <b>${JAVA_HOME}/lib/jaxp.properties:</b> This configuration file is in standard
+         * java.util.Properties format. If the file exists and the system property is specified,
+         * its value will be used to override the default of the property.
+         *
+         * @since 1.7
+         * </p>
+         */
+        public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema";
+
+        /**
+         * <p>Property: accessExternalStylesheet</p>
+         *
+         * <p>
+         * Restrict access to the protocols specified for external references set by the
+         * stylesheet processing instruction, Import and Include element, and document function.
+         * If access is denied due to the restriction of this property, a runtime exception
+         * that is specific to the context is thrown. In the case of constructing new
+         * {@link javax.xml.transform.Transformer} for example,
+         * {@link javax.xml.transform.TransformerConfigurationException}
+         * will be thrown by the {@link javax.xml.transform.TransformerFactory}.
+         * </p>
+         * <p>
+         * <b>Value:</b> a list of protocols separated by comma. A protocol is the scheme portion of a
+         * {@link java.net.URI}, or in the case of the JAR protocol, "jar" plus the scheme portion
+         * separated by colon.
+         * A scheme is defined as:
+         *
+         * <blockquote>
+         * scheme = alpha *( alpha | digit | "+" | "-" | "." )<br>
+         * where alpha = a-z and A-Z.<br><br>
+         *
+         * And the JAR protocol:<br>
+         *
+         * jar[:scheme]<br><br>
+         *
+         * Protocols including the keyword "jar" are case-insensitive. Any whitespaces as defined by
+         * {@link java.lang.Character#isSpaceChar } in the value will be ignored.
+         * Examples of protocols are file, http, jar:file.
+         *
+         * </blockquote>
+         *</p>
+         *
+         *<p>
+         * <b>Default value:</b> The default value is implementation specific and therefore not specified.
+         * The following options are provided for consideration:
+         * <blockquote>
+         * <UL>
+         *     <LI>an empty string to deny all access to external references;</LI>
+         *     <LI>a specific protocol, such as file, to give permission to only the protocol;</LI>
+         *     <LI>the keyword "all" to grant  permission to all protocols.</LI>
+         *</UL><br>
+         *      When FEATURE_SECURE_PROCESSING is enabled,  it is recommended that implementations
+         *      restrict external connections by default, though this may cause problems for applications
+         *      that process XML/XSD/XSL with external references.
+         * </blockquote>
+         * </p>
+         * <p>
+         * <b>Granting all access:</b>  the keyword "all" grants permission to all protocols.
+         * </p>
+         *
+         * <p>
+         * <b>System Property:</b> The value of this property can be set or overridden by
+         * system property {@code javax.xml.accessExternalStylesheet}
+         * </p>
+         *
+         * <p>
+         * <b>${JAVA_HOME}/lib/jaxp.properties: </b> This configuration file is in standard
+         * java.util.Properties format. If the file exists and the system property is specified,
+         * its value will be used to override the default of the property.
+         *
+         * @since 1.7
+         */
+        public static final String ACCESS_EXTERNAL_STYLESHEET = "http://javax.xml.XMLConstants/property/accessExternalStylesheet";
+
 }
--- a/src/javax/xml/datatype/FactoryFinder.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/datatype/FactoryFinder.java	Mon Jun 03 15:27:00 2013 +0200
@@ -44,6 +44,7 @@
  * @author Santiago.PericasGeertsen@sun.com
  */
 class FactoryFinder {
+    private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal";
 
     /**
      * Internal debug flag.
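Review bot: `DEFAULT_PACKAGE` has no trailing dot, so the `className.startsWith(DEFAULT_PACKAGE)` test added to `newInstance` later in this file also matches names in any sibling package that merely shares the prefix (constructed example: `com.sun.org.apache.xerces.internalx.Foo`). stream/FactoryFinder.java and transform/FactoryFinder.java in this changeset end their prefix with a dot, and I would do the same here: `private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal.";`. The identical constant is added in parsers/FactoryFinder.java and validation/SchemaFactoryFinder.java. A one-line comment saying what the constant is used for would also help the next reader.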
@@ -95,18 +96,24 @@
      * If the class loader supplied is <code>null</code>, first try using the
      * context class loader followed by the current (i.e. bootstrap) class
      * loader.
+     *
+     * Use bootstrap classLoader if cl = null and useBSClsLoader is true
      */
     static private Class getProviderClass(String className, ClassLoader cl,
-            boolean doFallback) throws ClassNotFoundException
+            boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException
     {
         try {
             if (cl == null) {
-                cl = ss.getContextClassLoader();
-                if (cl == null) {
-                    throw new ClassNotFoundException();
-                }
-                else {
-                    return cl.loadClass(className);
+                if (useBSClsLoader) {
+                    return Class.forName(className, true, FactoryFinder.class.getClassLoader());
+                } else {
+                    cl = ss.getContextClassLoader();
+                    if (cl == null) {
+                        throw new ClassNotFoundException();
+                    }
+                    else {
+                        return cl.loadClass(className);
+                    }
                 }
             }
             else {
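Review bot: The sentence added to the method comment calls the loader "bootstrap", but the new branch passes `FactoryFinder.class.getClassLoader()` to `Class.forName`, which is the bootstrap loader only when FactoryFinder itself was loaded by it. I would document the new parameter precisely, e.g. `@param useBSClsLoader if true and cl is null, load with the class loader that defined FactoryFinder instead of the context class loader`. The same hunk appears in stream/FactoryFinder.java, and the method body continues past the end of the hunk.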
@@ -131,8 +138,8 @@
      * @param className Name of the concrete class corresponding to the
      * service provider
      *
-     * @param cl ClassLoader to use to load the class, null means to use
-     * the bootstrap ClassLoader
+     * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code>
+     * current <code>Thread</code>'s context classLoader is used to load the factory class.
      *
      * @param doFallback True if the current ClassLoader should be tried as
      * a fallback if the class is not found using cl
@@ -140,8 +147,38 @@
     static Object newInstance(String className, ClassLoader cl, boolean doFallback)
         throws ConfigurationError
     {
+        return newInstance(className, cl, doFallback, false);
+    }
+
+    /**
+     * Create an instance of a class. Delegates to method
+     * <code>getProviderClass()</code> in order to load the class.
+     *
+     * @param className Name of the concrete class corresponding to the
+     * service provider
+     *
+     * @param cl ClassLoader to use to load the class, null means to use
+     * the bootstrap ClassLoader
+     *
+     * @param doFallback True if the current ClassLoader should be tried as
+     * a fallback if the class is not found using cl
+     *
+     * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter
+     * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader.
+     */
+    static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader)
+        throws ConfigurationError
+    {
+        // make sure we have access to restricted packages
+        if (System.getSecurityManager() != null) {
+            if (className != null && className.startsWith(DEFAULT_PACKAGE)) {
+                cl = null;
+                useBSClsLoader = true;
+            }
+        }
+
         try {
-            Class providerClass = getProviderClass(className, cl, doFallback);
+            Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader);
             Object instance = providerClass.newInstance();
             if (debug) {    // Extra check to avoid computing cl strings
                 dPrint("created new instance of " + providerClass +
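Review bot: The added security-manager branch in the four-argument `newInstance` discards the caller's `cl` for any `className` starting with `DEFAULT_PACKAGE` and loads it through FactoryFinder's own loader, and the unchanged `providerClass.newInstance()` below then runs that class's constructor before anything checks that it is the expected factory type. Since the name appears to come from configuration (the last hunk of this file passes a `factoryClassName` found through a service resource), I would verify the type before instantiating, for example by passing the expected factory `Class` in and rejecting the name unless `expected.isAssignableFrom(providerClass)`, and extend the comment to say why relaxing package access is acceptable at this point. The Javadoc for `cl` on this overload also still says null means the bootstrap ClassLoader, which contradicts the `useBSClsLoader` description right below it. The same branch is added in parsers/FactoryFinder.java, stream/FactoryFinder.java and transform/FactoryFinder.java, and the method body continues past the end of the hunk.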
@@ -244,6 +281,7 @@
 
         // First try the Context ClassLoader
         ClassLoader cl = ss.getContextClassLoader();
+        boolean useBSClsLoader = false;
         if (cl != null) {
             is = ss.getResourceAsStream(cl, serviceId);
 
@@ -251,11 +289,13 @@
             if (is == null) {
                 cl = FactoryFinder.class.getClassLoader();
                 is = ss.getResourceAsStream(cl, serviceId);
+                useBSClsLoader = true;
             }
         } else {
             // No Context ClassLoader, try the current ClassLoader
             cl = FactoryFinder.class.getClassLoader();
             is = ss.getResourceAsStream(cl, serviceId);
+            useBSClsLoader = true;
         }
 
         if (is == null) {
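Review bot: `useBSClsLoader = true` is set in both fallback branches without a word on why. As far as these hunks show, the flag only has an effect when `FactoryFinder.class.getClassLoader()` returns null, because `getProviderClass` reads it only inside its `cl == null` branch. A short comment at the first assignment would make that clear, e.g. `// cl may be null here (FactoryFinder loaded by the bootstrap loader); tell newInstance not to treat null as the context loader`. The same assignments are added in stream/FactoryFinder.java, and the enclosing method starts and ends outside the hunk.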
@@ -293,7 +333,7 @@
             // ClassLoader because we want to avoid the case where the
             // resource file was found using one ClassLoader and the
             // provider class was instantiated using a different one.
-            return newInstance(factoryClassName, cl, false);
+            return newInstance(factoryClassName, cl, false, useBSClsLoader);
         }
 
         // No provider found
--- a/src/javax/xml/parsers/DocumentBuilderFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/parsers/DocumentBuilderFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -367,6 +367,31 @@
     /**
      * Allows the user to set specific attributes on the underlying
      * implementation.
+     * <p>
+     * All implementations that implement JAXP 1.5 or newer are required to
+     * support the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} and
+     * {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} properties.
+     * </p>
+     * <ul>
+     *   <li>
+     *      <p>
+     *      Setting the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} property
+     *      restricts the access to external DTDs, external Entity References to the
+     *      protocols specified by the property.
+     *      If access is denied during parsing due to the restriction of this property,
+     *      {@link org.xml.sax.SAXException} will be thrown by the parse methods defined by
+     *      {@link javax.xml.parsers.DocumentBuilder}.
+     *      </p>
+     *      <p>
+     *      Setting the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} property
+     *      restricts the access to external Schema set by the schemaLocation attribute to
+     *      the protocols specified by the property.  If access is denied during parsing
+     *      due to the restriction of this property, {@link org.xml.sax.SAXException}
+     *      will be thrown by the parse methods defined by
+     *      {@link javax.xml.parsers.DocumentBuilder}.
+     *      </p>
+     *   </li>
+     * </ul>
      *
      * @param name The name of the attribute.
      * @param value The value of the attribute.
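Review bot: The new `<ul>` holds a single `<li>` that wraps the paragraphs for both properties, so the rendered list shows one bullet for two separate items; one `<li>` per property would read as intended. The phrase "external DTDs, external Entity References" would also be clearer as "external DTDs and external entity references". The same list structure is used in the Javadoc this changeset adds to SAXParser.java, TransformerFactory.java, SchemaFactory.java and Validator.java.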
--- a/src/javax/xml/parsers/FactoryFinder.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/parsers/FactoryFinder.java	Mon Jun 03 15:27:00 2013 +0200
@@ -42,7 +42,7 @@
  * @author Huizhe.Wang@oracle.com
  */
 class FactoryFinder {
-
+    private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal";
     /**
      * Internal debug flag.
      */
@@ -166,6 +166,14 @@
     static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader)
         throws ConfigurationError
     {
+        // make sure we have access to restricted packages
+        if (System.getSecurityManager() != null) {
+            if (className != null && className.startsWith(DEFAULT_PACKAGE)) {
+                cl = null;
+                useBSClsLoader = true;
+            }
+        }
+
         try {
             Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader);
             Object instance = providerClass.newInstance();
--- a/src/javax/xml/parsers/SAXParser.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/parsers/SAXParser.java	Mon Jun 03 15:27:00 2013 +0200
@@ -441,6 +441,29 @@
      * A list of the core features and properties can be found at
      * <a href="http://sax.sourceforge.net/?selected=get-set">
      * http://sax.sourceforge.net/?selected=get-set</a>.</p>
+     * <p>
+     * All implementations that implement JAXP 1.5 or newer are required to
+     * support the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} and
+     * {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} properties.
+     * </p>
+     * <ul>
+     *   <li>
+     *      <p>
+     *      Setting the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} property
+     *      restricts the access to external DTDs, external Entity References to
+     *      the protocols specified by the property.  If access is denied during parsing
+     *      due to the restriction of this property, {@link org.xml.sax.SAXException}
+     *      will be thrown by the parse methods defined by {@link javax.xml.parsers.SAXParser}.
+     *      </p>
+     *      <p>
+     *      Setting the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} property
+     *      restricts the access to external Schema set by the schemaLocation attribute to
+     *      the protocols specified by the property.  If access is denied during parsing
+     *      due to the restriction of this property, {@link org.xml.sax.SAXException}
+     *      will be thrown by the parse methods defined by the {@link javax.xml.parsers.SAXParser}.
+     *      </p>
+     *   </li>
+     * </ul>
      *
      * @param name The name of the property to be set.
      * @param value The value of the property to be set.
--- a/src/javax/xml/stream/FactoryFinder.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/stream/FactoryFinder.java	Mon Jun 03 15:27:00 2013 +0200
@@ -25,14 +25,12 @@
 
 package javax.xml.stream;
 
-import java.io.InputStream;
-import java.io.IOException;
+import java.io.BufferedReader;
 import java.io.File;
-import java.io.FileInputStream;
-
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.util.Properties;
-import java.io.BufferedReader;
-import java.io.InputStreamReader;
 
 /**
  * <p>Implements pluggable Datatypes.</p>
@@ -43,6 +41,8 @@
  * @author Santiago.PericasGeertsen@sun.com
  */
 class FactoryFinder {
+    // Check we have access to package.
+    private static final String DEFAULT_PACKAGE = "com.sun.xml.internal.";
 
     /**
      * Internal debug flag.
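Review bot: `com.sun.xml.internal.` is a much wider prefix than this finder needs, because every class name under it gets the loader override that `newInstance` applies when a security manager is installed, not only the StAX factories. If the default StAX implementation classes all live under `com.sun.xml.internal.stream.` (to be confirmed against the implementation), I would narrow the constant to that. The comment `// Check we have access to package.` could also say what the constant is, e.g. `// Prefix of the JDK-internal default implementation, loaded with FactoryFinder's own loader under a security manager`.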
@@ -94,18 +94,24 @@
      * If the class loader supplied is <code>null</code>, first try using the
      * context class loader followed by the current (i.e. bootstrap) class
      * loader.
+     *
+     * Use bootstrap classLoader if cl = null and useBSClsLoader is true
      */
     static private Class getProviderClass(String className, ClassLoader cl,
-            boolean doFallback) throws ClassNotFoundException
+            boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException
     {
         try {
             if (cl == null) {
-                cl = ss.getContextClassLoader();
-                if (cl == null) {
-                    throw new ClassNotFoundException();
-                }
-                else {
-                    return cl.loadClass(className);
+                if (useBSClsLoader) {
+                    return Class.forName(className, true, FactoryFinder.class.getClassLoader());
+                } else {
+                    cl = ss.getContextClassLoader();
+                    if (cl == null) {
+                        throw new ClassNotFoundException();
+                    }
+                    else {
+                        return cl.loadClass(className);
+                    }
                 }
             }
             else {
@@ -130,8 +136,8 @@
      * @param className Name of the concrete class corresponding to the
      * service provider
      *
-     * @param cl ClassLoader to use to load the class, null means to use
-     * the bootstrap ClassLoader
+     * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code>
+     * current <code>Thread</code>'s context classLoader is used to load the factory class.
      *
      * @param doFallback True if the current ClassLoader should be tried as
      * a fallback if the class is not found using cl
@@ -139,8 +145,38 @@
     static Object newInstance(String className, ClassLoader cl, boolean doFallback)
         throws ConfigurationError
     {
+        return newInstance(className, cl, doFallback, false);
+    }
+
+    /**
+     * Create an instance of a class. Delegates to method
+     * <code>getProviderClass()</code> in order to load the class.
+     *
+     * @param className Name of the concrete class corresponding to the
+     * service provider
+     *
+     * @param cl <code>ClassLoader</code> used to load the factory class. If <code>null</code>
+     * current <code>Thread</code>'s context classLoader is used to load the factory class.
+     *
+     * @param doFallback True if the current ClassLoader should be tried as
+     * a fallback if the class is not found using cl
+     *
+     * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter
+     * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader.
+     */
+    static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader)
+        throws ConfigurationError
+    {
+        // make sure we have access to restricted packages
+        if (System.getSecurityManager() != null) {
+            if (className != null && className.startsWith(DEFAULT_PACKAGE)) {
+                cl = null;
+                useBSClsLoader = true;
+            }
+        }
+
         try {
-            Class providerClass = getProviderClass(className, cl, doFallback);
+            Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader);
             Object instance = providerClass.newInstance();
             if (debug) {    // Extra check to avoid computing cl strings
                 dPrint("created new instance of " + providerClass +
@@ -233,11 +269,11 @@
                             if (ss.doesFileExist(f)) {
                                 dPrint("Read properties file "+f);
                                 cacheProps.load(ss.getFileInputStream(f));
-                            }
-                        }
                     }
                 }
             }
+                }
+            }
             factoryClassName = cacheProps.getProperty(factoryId);
 
             if (factoryClassName != null) {
@@ -276,6 +312,7 @@
 
         // First try the Context ClassLoader
         ClassLoader cl = ss.getContextClassLoader();
+        boolean useBSClsLoader = false;
         if (cl != null) {
             is = ss.getResourceAsStream(cl, serviceId);
 
@@ -283,11 +320,13 @@
             if (is == null) {
                 cl = FactoryFinder.class.getClassLoader();
                 is = ss.getResourceAsStream(cl, serviceId);
+                useBSClsLoader = true;
             }
         } else {
             // No Context ClassLoader, try the current ClassLoader
             cl = FactoryFinder.class.getClassLoader();
             is = ss.getResourceAsStream(cl, serviceId);
+            useBSClsLoader = true;
         }
 
         if (is == null) {
@@ -325,7 +364,7 @@
             // ClassLoader because we want to avoid the case where the
             // resource file was found using one ClassLoader and the
             // provider class was instantiated using a different one.
-            return newInstance(factoryClassName, cl, false);
+            return newInstance(factoryClassName, cl, false, useBSClsLoader);
         }
 
         // No provider found
--- a/src/javax/xml/stream/XMLInputFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/stream/XMLInputFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -402,9 +402,26 @@
   public abstract void setXMLReporter(XMLReporter reporter);
 
   /**
-   * Allows the user to set specific feature/property on the underlying implementation. The underlying implementation
-   * is not required to support every setting of every property in the specification and may use IllegalArgumentException
-   * to signal that an unsupported property may not be set with the specified value.
+   * Allows the user to set specific feature/property on the underlying
+   * implementation. The underlying implementation is not required to support
+   * every setting of every property in the specification and may use
+   * IllegalArgumentException to signal that an unsupported property may not be
+   * set with the specified value.
+   * <p>
+   * All implementations that implement JAXP 1.5 or newer are required to
+   * support the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} property.
+   * </p>
+   * <ul>
+   *   <li>
+   *        <p>
+   *        Access to external DTDs, external Entity References is restricted to the
+   *        protocols specified by the property. If access is denied during parsing
+   *        due to the restriction of this property, {@link javax.xml.stream.XMLStreamException}
+   *        will be thrown by the {@link javax.xml.stream.XMLStreamReader#next()} or
+   *        {@link javax.xml.stream.XMLEventReader#nextEvent()} method.
+   *        </p>
+   *   </li>
+   * </ul>
    * @param name The name of the property (may not be null)
    * @param value The value of the property
    * @throws java.lang.IllegalArgumentException if the property is not supported
--- a/src/javax/xml/transform/FactoryFinder.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/transform/FactoryFinder.java	Mon Jun 03 15:27:00 2013 +0200
@@ -43,6 +43,7 @@
  * @author Huizhe.Wang@oracle.com
  */
 class FactoryFinder {
+    private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xalan.internal.";
 
     /**
      * Internal debug flag.
@@ -169,6 +170,14 @@
     static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader, boolean useServicesMechanism)
         throws ConfigurationError
     {
+        // make sure we have access to restricted packages
+        if (System.getSecurityManager() != null) {
+            if (className != null && className.startsWith(DEFAULT_PACKAGE)) {
+                cl = null;
+                useBSClsLoader = true;
+            }
+        }
+
         try {
             Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader);
             Object instance = null;
@@ -210,7 +219,7 @@
                 providerClass.getDeclaredMethod(
                     "newTransformerFactoryNoServiceLoader"
                 );
-                return creationMethod.invoke(null, null);
+                return creationMethod.invoke(null, (Object[])null);
             } catch (NoSuchMethodException exc) {
                 return null;
             } catch (Exception exc) {
--- a/src/javax/xml/transform/TransformerFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/transform/TransformerFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -335,6 +335,46 @@
      * be an option that the implementation provides.
      * An <code>IllegalArgumentException</code> is thrown if the underlying
      * implementation doesn't recognize the attribute.
+     * <p>
+     * All implementations that implement JAXP 1.5 or newer are required to
+     * support the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD}  and
+     * {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_STYLESHEET} properties.
+     * </p>
+     * <ul>
+     *   <li>
+     *      <p>
+     *      Access to external DTDs in the source file is restricted to the protocols
+     *      specified by the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} property.
+     *      If access is denied during transformation due to the restriction of this property,
+     *      {@link javax.xml.transform.TransformerException} will be thrown by
+     *      {@link javax.xml.transform.Transformer#transform(Source, Result)}.
+     *      </p>
+     *      <p>
+     *      Access to external DTDs in the stylesheet is restricted to the protocols
+     *      specified by the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} property.
+     *      If access is denied during the creation of a new transformer due to the
+     *      restriction of this property,
+     *      {@link javax.xml.transform.TransformerConfigurationException} will be thrown
+     *      by the {@link #newTransformer(Source)} method.
+     *      </p>
+     *      <p>
+     *      Access to external reference set by the stylesheet processing instruction,
+     *      Import and Include element is restricted to the protocols specified by the
+     *      {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_STYLESHEET} property.
+     *      If access is denied during the creation of a new transformer due to the
+     *      restriction of this property,
+     *      {@link javax.xml.transform.TransformerConfigurationException} will be thrown
+     *      by the {@link #newTransformer(Source)} method.
+     *      </p>
+     *      <p>
+     *      Access to external document through XSLT document function is restricted
+     *      to the protocols specified by the property. If access is denied during
+     *      the transformation due to the restriction of this property,
+     *      {@link javax.xml.transform.TransformerException} will be thrown by the
+     *      {@link javax.xml.transform.Transformer#transform(Source, Result)} method.
+     *      </p>
+     *   </li>
+     * </ul>
      *
      * @param name The name of the attribute.
      * @param value The value of the attribute.
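Review bot: The last added paragraph, on the XSLT document function, says access is restricted "to the protocols specified by the property" without naming the property, while the three paragraphs before it each name theirs. The XMLConstants Javadoc in this changeset lists the document function under accessExternalStylesheet, so the sentence should read `specified by the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_STYLESHEET} property`. As written, a reader could take it to mean ACCESS_EXTERNAL_DTD and configure the wrong restriction.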
--- a/src/javax/xml/validation/SchemaFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/validation/SchemaFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -386,8 +386,44 @@
      * possible for a {@link SchemaFactory} to recognize a property name but
      * to be unable to change the current value.</p>
      *
-     * <p>{@link SchemaFactory}s are not required to recognize setting
-     * any specific property names.</p>
+     * <p>
+     * All implementations that implement JAXP 1.5 or newer are required to
+     * support the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} and
+     * {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} properties.
+     * </p>
+     * <ul>
+     *   <li>
+     *      <p>Access to external DTDs in Schema files is restricted to the protocols
+     *      specified by the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} property.
+     *      If access is denied during the creation of new Schema due to the restriction
+     *      of this property, {@link org.xml.sax.SAXException} will be thrown by the
+     *      {@link #newSchema(Source)} or {@link #newSchema(File)}
+     *      or {@link #newSchema(URL)} or  or {@link #newSchema(Source[])} method.</p>
+     *
+     *      <p>Access to external DTDs in xml source files is restricted to the protocols
+     *      specified by the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} property.
+     *      If access is denied during validation due to the restriction
+     *      of this property, {@link org.xml.sax.SAXException} will be thrown by the
+     *      {@link javax.xml.validation.Validator#validate(Source)} or
+     *      {@link javax.xml.validation.Validator#validate(Source, Result)} method.</p>
+     *
+     *      <p>Access to external reference set by the schemaLocation attribute is
+     *      restricted to the protocols specified by the
+     *      {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} property.
+     *      If access is denied during validation due to the restriction of this property,
+     *      {@link org.xml.sax.SAXException} will be thrown by the
+     *      {@link javax.xml.validation.Validator#validate(Source)} or
+     *      {@link javax.xml.validation.Validator#validate(Source, Result)} method.</p>
+     *
+     *      <p>Access to external reference set by the Import
+     *      and Include element is restricted to the protocols specified by the
+     *      {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} property.
+     *      If access is denied during the creation of new Schema due to the restriction
+     *      of this property, {@link org.xml.sax.SAXException} will be thrown by the
+     *      {@link #newSchema(Source)} or {@link #newSchema(File)}
+     *      or {@link #newSchema(URL)} or {@link #newSchema(Source[])} method.</p>
+     *   </li>
+     * </ul>
      *
      * @param name The property name, which is a non-null fully-qualified URI.
      * @param object The requested value for the property.
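Review bot: The first added paragraph ends with a doubled conjunction, `or {@link #newSchema(URL)} or  or {@link #newSchema(Source[])} method`; drop one `or` so it matches the wording of the last paragraph. The sentence this hunk removes said that a SchemaFactory need not recognize any specific property name. If properties other than these two are still optional, a sentence saying so should stay.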
--- a/src/javax/xml/validation/SchemaFactoryFinder.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/validation/SchemaFactoryFinder.java	Mon Jun 03 15:27:00 2013 +0200
@@ -54,6 +54,7 @@
      *<p> Take care of restrictions imposed by java security model </p>
      */
     private static SecuritySupport ss = new SecuritySupport();
+    private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal";
     /**
      * <p>Cache properties for performance.</p>
      */
@@ -213,28 +214,6 @@
             }
         }
 
-        /**
-        // try to read from $java.home/lib/jaxp.properties
-        try {
-            String javah = ss.getSystemProperty( "java.home" );
-            String configFile = javah + File.separator +
-            "lib" + File.separator + "jaxp.properties";
-            File f = new File( configFile );
-            if( ss.doesFileExist(f)) {
-                sf = loadFromProperty(
-                        propertyName,f.getAbsolutePath(), new FileInputStream(f));
-                if(sf!=null)    return sf;
-            } else {
-                debugPrintln("Tried to read "+ f.getAbsolutePath()+", but it doesn't exist.");
-            }
-        } catch(Throwable e) {
-            if( debug ) {
-                debugPrintln("failed to read $java.home/lib/jaxp.properties");
-                e.printStackTrace();
-            }
-        }
-         */
-
         // try META-INF/services files
         Iterator sitr = createServiceFileIterator();
         while(sitr.hasNext()) {
@@ -269,14 +248,20 @@
      */
     private Class createClass(String className) {
             Class clazz;
+        // make sure we have access to restricted packages
+        boolean internal = false;
+        if (System.getSecurityManager() != null) {
+            if (className != null && className.startsWith(DEFAULT_PACKAGE)) {
+                internal = true;
+            }
+        }
 
-            // use approprite ClassLoader
             try {
-                    if (classLoader != null) {
-                            clazz = classLoader.loadClass(className);
-                    } else {
-                            clazz = Class.forName(className);
-                    }
+                if (classLoader != null && !internal) {
+                        clazz = classLoader.loadClass(className);
+                } else {
+                        clazz = Class.forName(className);
+                }
             } catch (Throwable t) {
                 if(debug)   t.printStackTrace();
                     return null;
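Review bot: The added `internal` check is indented at eight spaces inside a body that otherwise sits at twelve, and the rewritten `if`/`else` uses yet another depth, so the method no longer reads as one block; the hunk also removes the only comment in the body. I would fold the flag into one expression, `boolean internal = System.getSecurityManager() != null && className != null && className.startsWith(DEFAULT_PACKAGE);`, and say what it is for with a comment such as `// JDK-internal default implementation: load with this class's loader, not the user-supplied one`. The method body continues past the end of the hunk.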
@@ -357,7 +342,7 @@
                 providerClass.getDeclaredMethod(
                     "newXMLSchemaFactoryNoServiceLoader"
                 );
-                return creationMethod.invoke(null, null);
+                return creationMethod.invoke(null, (Object[])null);
             } catch (NoSuchMethodException exc) {
                 return null;
             } catch (Exception exc) {
--- a/src/javax/xml/validation/Validator.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/validation/Validator.java	Mon Jun 03 15:27:00 2013 +0200
@@ -440,8 +440,27 @@
      * in specific contexts, such as before, during, or after
      * a validation.</p>
      *
-     * <p>{@link Validator}s are not required to recognize setting
-     * any specific property names.</p>
+     * <p>
+     * All implementations that implement JAXP 1.5 or newer are required to
+     * support the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} and
+     * {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} properties.
+     * </p>
+     * <ul>
+     *   <li>
+     *      <p>Access to external DTDs in source or Schema file is restricted to
+     *      the protocols specified by the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD}
+     *      property.  If access is denied during validation due to the restriction
+     *      of this property, {@link org.xml.sax.SAXException} will be thrown by the
+     *      {@link #validate(Source)} method.</p>
+     *
+     *      <p>Access to external reference set by the schemaLocation attribute is
+     *      restricted to the protocols specified by the
+     *      {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} property.
+     *      If access is denied during validation due to the restriction of this property,
+     *      {@link org.xml.sax.SAXException} will be thrown by the
+     *      {@link #validate(Source)} method.</p>
+     *   </li>
+     * </ul>
      *
      * @param name The property name, which is a non-null fully-qualified URI.
      * @param object The requested value for the property.
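Review bot: The added Javadoc says access is "restricted to the protocols specified by" the two properties, but gives no hint of the value format or the default, which is what a caller hardening a Validator needs to know. One extra sentence would do, e.g. `The accepted values and the default are described at {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD}.` Both properties are also described inside a single `<li>`; one item per property would read better. The Javadoc comment starts and ends outside this hunk.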
--- a/src/javax/xml/xpath/XPathFactoryFinder.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/javax/xml/xpath/XPathFactoryFinder.java	Mon Jun 03 15:27:00 2013 +0200
@@ -48,6 +48,7 @@
  * @since 1.5
  */
 class XPathFactoryFinder  {
+    private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xpath.internal";
 
     private static SecuritySupport ss = new SecuritySupport() ;
     /** debug support code. */
@@ -246,18 +247,25 @@
      */
     private Class createClass(String className) {
             Class clazz;
+        // make sure we have access to restricted packages
+        boolean internal = false;
+        if (System.getSecurityManager() != null) {
+            if (className != null && className.startsWith(DEFAULT_PACKAGE)) {
+                internal = true;
+            }
+        }
 
-            // use approprite ClassLoader
-            try {
-                    if (classLoader != null) {
-                            clazz = classLoader.loadClass(className);
-                    } else {
-                            clazz = Class.forName(className);
-                    }
-            } catch (Throwable t) {
-                if(debug)   t.printStackTrace();
-                    return null;
+        // use approprite ClassLoader
+        try {
+            if (classLoader != null && !internal) {
+                    clazz = classLoader.loadClass(className);
+            } else {
+                    clazz = Class.forName(className);
             }
+        } catch (Throwable t) {
+            if(debug)   t.printStackTrace();
+                return null;
+        }
 
             return clazz;
     }
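Review bot: In the re-indented catch block, `return null;` sits one level deeper than `if(debug)   t.printStackTrace();`, so it reads as conditional on `debug` although it always runs. Braces and consistent indentation remove the ambiguity: `if (debug) { t.printStackTrace(); }` followed by `return null;` at the catch body's own level. The re-added comment keeps the typo "approprite", and `Class clazz;` and `return clazz;` stay at the old 12-space indent while the rest of the body moved to 8.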
@@ -333,7 +341,7 @@
                 providerClass.getDeclaredMethod(
                     "newXPathFactoryNoServiceLoader"
                 );
-                return creationMethod.invoke(null, null);
+                return creationMethod.invoke(null, (Object[])null);
             } catch (NoSuchMethodException exc) {
                 return null;
             } catch (Exception exc) {
--- a/src/org/w3c/dom/bootstrap/DOMImplementationRegistry.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/org/w3c/dom/bootstrap/DOMImplementationRegistry.java	Mon Jun 03 15:27:00 2013 +0200
@@ -104,6 +104,8 @@
      */
     private static final String FALLBACK_CLASS =
             "com.sun.org.apache.xerces.internal.dom.DOMXSImplementationSourceImpl";
+    private static final String DEFAULT_PACKAGE =
+            "com.sun.org.apache.xerces.internal.dom";
     /**
      * Private constructor.
      * @param srcs Vector List of DOMImplementationSources
@@ -168,10 +170,15 @@
             StringTokenizer st = new StringTokenizer(p);
             while (st.hasMoreTokens()) {
                 String sourceName = st.nextToken();
-                // Use context class loader, falling back to Class.forName
-                // if and only if this fails...
+                // make sure we have access to restricted packages
+                boolean internal = false;
+                if (System.getSecurityManager() != null) {
+                    if (sourceName != null && sourceName.startsWith(DEFAULT_PACKAGE)) {
+                        internal = true;
+                    }
+                }
                 Class sourceClass = null;
-                if (classLoader != null) {
+                if (classLoader != null && !internal) {
                     sourceClass = classLoader.loadClass(sourceName);
                 } else {
                     sourceClass = Class.forName(sourceName);
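Review bot: The removed comment was the only explanation of how the loader is chosen here, and its replacement `// make sure we have access to restricted packages` does not say that the context class loader is skipped for names under DEFAULT_PACKAGE when a security manager is installed. Something like `// With a SecurityManager installed, load JDK-internal sources via Class.forName rather than the context class loader` would carry the intent. The `sourceName != null` test is also redundant, since `StringTokenizer.nextToken()` does not return null. The enclosing method starts and ends outside this hunk.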
--- a/src/org/xml/sax/helpers/NewInstance.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/org/xml/sax/helpers/NewInstance.java	Mon Jun 03 15:27:00 2013 +0200
@@ -54,9 +54,10 @@
  * including versions of Java 2.</p>
  *
  * @author Edwin Goei, David Brownell
+ * @version 2.0.1 (sax2r2)
  */
 class NewInstance {
-
+    private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal";
     /**
      * Creates a new instance of the specified class name
      *
@@ -66,8 +67,16 @@
         throws ClassNotFoundException, IllegalAccessException,
             InstantiationException
     {
+        // make sure we have access to restricted packages
+        boolean internal = false;
+        if (System.getSecurityManager() != null) {
+            if (className != null && className.startsWith(DEFAULT_PACKAGE)) {
+                internal = true;
+            }
+        }
+
         Class driverClass;
-        if (classLoader == null) {
+        if (classLoader == null || internal) {
             driverClass = Class.forName(className);
         } else {
             driverClass = classLoader.loadClass(className);
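Review bot: `newInstance` now ignores its `classLoader` argument when a security manager is installed and `className` starts with DEFAULT_PACKAGE, but the method's Javadoc, which begins above this hunk, is not updated to say so. I would add a sentence there such as `The supplied class loader is ignored for JDK-internal implementation classes when a SecurityManager is installed.` The condition is also written the other way round from the finder classes (`classLoader == null || internal`), which is equivalent but makes the four copies of this logic harder to compare.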
@@ -75,29 +84,4 @@
         return driverClass.newInstance();
     }
 
-    /**
-     * Figure out which ClassLoader to use.  For JDK 1.2 and later use
-     * the context ClassLoader.
-     */
-    static ClassLoader getClassLoader ()
-    {
-        Method m = null;
-
-        try {
-            m = Thread.class.getMethod("getContextClassLoader", (Class[]) null);
-        } catch (NoSuchMethodException e) {
-            // Assume that we are running JDK 1.1, use the current ClassLoader
-            return NewInstance.class.getClassLoader();
-        }
-
-        try {
-            return (ClassLoader) m.invoke(Thread.currentThread(), (Object[]) null);
-        } catch (IllegalAccessException e) {
-            // assert(false)
-            throw new UnknownError(e.getMessage());
-        } catch (InvocationTargetException e) {
-            // assert(e.getTargetException() instanceof SecurityException)
-            throw new UnknownError(e.getMessage());
-        }
-    }
 }
--- a/src/org/xml/sax/helpers/ParserAdapter.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/org/xml/sax/helpers/ParserAdapter.java	Mon Jun 03 15:27:00 2013 +0200
@@ -74,13 +74,14 @@
  *
  * @since SAX 2.0
  * @author David Megginson
+ * @version 2.0.1 (sax2r2)
  * @see org.xml.sax.helpers.XMLReaderAdapter
  * @see org.xml.sax.XMLReader
  * @see org.xml.sax.Parser
  */
 public class ParserAdapter implements XMLReader, DocumentHandler
 {
-
+    private static SecuritySupport ss = new SecuritySupport();
 
     ////////////////////////////////////////////////////////////////////
     // Constructors.
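Review bot: The new `ss` field is declared as a mutable static although nothing in the visible hunks reassigns it; it should be `private static final SecuritySupport ss = new SecuritySupport();`. The same declaration is added to ParserFactory and XMLReaderFactory in this changeset. The helper is the gateway to `AccessController.doPrivileged` calls, so making the reference immutable states the intent plainly.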
@@ -102,7 +103,7 @@
     {
         super();
 
-        String driver = System.getProperty("org.xml.sax.parser");
+        String driver = ss.getSystemProperty("org.xml.sax.parser");
 
         try {
             setup(ParserFactory.makeParser());
--- a/src/org/xml/sax/helpers/ParserFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/org/xml/sax/helpers/ParserFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -30,12 +30,6 @@
 
 package org.xml.sax.helpers;
 
-import java.lang.ClassNotFoundException;
-import java.lang.IllegalAccessException;
-import java.lang.InstantiationException;
-import java.lang.SecurityException;
-import java.lang.ClassCastException;
-
 import org.xml.sax.Parser;
 
 
@@ -69,9 +63,10 @@
  *             interface.
  * @since SAX 1.0
  * @author David Megginson
+ * @version 2.0.1 (sax2r2)
  */
 public class ParserFactory {
-
+    private static SecuritySupport ss = new SecuritySupport();
 
     /**
      * Private null constructor.
@@ -109,7 +104,7 @@
         NullPointerException,
         ClassCastException
     {
-        String className = System.getProperty("org.xml.sax.parser");
+        String className = ss.getSystemProperty("org.xml.sax.parser");
         if (className == null) {
             throw new NullPointerException("No value for sax.parser property");
         } else {
@@ -146,7 +141,7 @@
         ClassCastException
     {
         return (Parser) NewInstance.newInstance (
-                NewInstance.getClassLoader (), className);
+                ss.getContextClassLoader(), className);
     }
 
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/org/xml/sax/helpers/SecuritySupport.java	Mon Jun 03 15:27:00 2013 +0200
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2004, 2006, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package org.xml.sax.helpers;
+
+import java.io.*;
+import java.security.*;
+
+/**
+ * This class is duplicated for each JAXP subpackage so keep it in sync.
+ * It is package private and therefore is not exposed as part of the JAXP
+ * API.
+ *
+ * Security related methods that only work on J2SE 1.2 and newer.
+ */
+class SecuritySupport  {
+
+
+    ClassLoader getContextClassLoader() throws SecurityException{
+        return (ClassLoader)
+                AccessController.doPrivileged(new PrivilegedAction() {
+            public Object run() {
+                ClassLoader cl = null;
+                //try {
+                cl = Thread.currentThread().getContextClassLoader();
+                //} catch (SecurityException ex) { }
+
+                if (cl == null)
+                    cl = ClassLoader.getSystemClassLoader();
+
+                return cl;
+            }
+        });
+    }
+
+    String getSystemProperty(final String propName) {
+        return (String)
+            AccessController.doPrivileged(new PrivilegedAction() {
+                public Object run() {
+                    return System.getProperty(propName);
+                }
+            });
+    }
+
+    FileInputStream getFileInputStream(final File file)
+        throws FileNotFoundException
+    {
+        try {
+            return (FileInputStream)
+                AccessController.doPrivileged(new PrivilegedExceptionAction() {
+                    public Object run() throws FileNotFoundException {
+                        return new FileInputStream(file);
+                    }
+                });
+        } catch (PrivilegedActionException e) {
+            throw (FileNotFoundException)e.getException();
+        }
+    }
+
+    InputStream getResourceAsStream(final ClassLoader cl,
+                                           final String name)
+    {
+        return (InputStream)
+            AccessController.doPrivileged(new PrivilegedAction() {
+                public Object run() {
+                    InputStream ris;
+                    if (cl == null) {
+                        ris = Object.class.getResourceAsStream(name);
+                    } else {
+                        ris = cl.getResourceAsStream(name);
+                    }
+                    return ris;
+                }
+            });
+    }
+
+    boolean doesFileExist(final File f) {
+    return ((Boolean)
+            AccessController.doPrivileged(new PrivilegedAction() {
+                public Object run() {
+                    return new Boolean(f.exists());
+                }
+            })).booleanValue();
+    }
+
+}
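Review bot: When `cl` is null, `getResourceAsStream` calls `Object.class.getResourceAsStream(name)`, and `Class.getResourceAsStream` resolves a name without a leading `/` relative to the class's package, so the `META-INF/services/...` name passed by XMLReaderFactory would be looked up under `java/lang/` and the fallback would not find the service file. The XMLReaderFactory code this replaces used `ClassLoader.getSystemResourceAsStream (service)`; writing `ris = ClassLoader.getSystemResourceAsStream(name);` in the null branch keeps that behaviour. Separately, these package-private helpers run inside `doPrivileged` on whatever argument they receive, so the class comment should state that callers must pass only fixed, trusted property names, files and resource names. `new Boolean(f.exists())` can be `Boolean.valueOf(f.exists())`, and the commented-out `try`/`catch` in `getContextClassLoader` should be deleted.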
--- a/src/org/xml/sax/helpers/XMLReaderFactory.java	Tue Mar 12 09:57:47 2013 +0100
+++ b/src/org/xml/sax/helpers/XMLReaderFactory.java	Mon Jun 03 15:27:00 2013 +0200
@@ -34,8 +34,6 @@
 import java.io.BufferedReader;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import org.xml.sax.XMLReader;
 import org.xml.sax.SAXException;
 
@@ -85,8 +83,8 @@
     }
 
     private static final String property = "org.xml.sax.driver";
+    private static SecuritySupport ss = new SecuritySupport();
 
-    private static String _clsFromJar = null;
     private static boolean _jarread = false;
     /**
      * Attempt to create an XMLReader from system defaults.
@@ -134,43 +132,45 @@
         throws SAXException
     {
         String          className = null;
-        ClassLoader     loader = NewInstance.getClassLoader ();
+        ClassLoader     cl = ss.getContextClassLoader();
 
         // 1. try the JVM-instance-wide system property
-        try { className = System.getProperty (property); }
-        catch (RuntimeException e) { /* normally fails for applets */ }
+        try {
+            className = ss.getSystemProperty(property);
+        }
+        catch (RuntimeException e) { /* continue searching */ }
 
         // 2. if that fails, try META-INF/services/
         if (className == null) {
             if (!_jarread) {
-                final ClassLoader       loader1 = loader;
                 _jarread = true;
-                _clsFromJar =  (String)
-                AccessController.doPrivileged(new PrivilegedAction() {
-                    public Object run() {
-                        String clsName = null;
-                        try {
-                            String      service = "META-INF/services/" + property;
-                            InputStream in;
-                            BufferedReader      reader;
-                            if (loader1 == null)
-                                in = ClassLoader.getSystemResourceAsStream (service);
-                            else
-                                in = loader1.getResourceAsStream (service);
+                String      service = "META-INF/services/" + property;
+                InputStream in;
+                BufferedReader      reader;
+
+                try {
+                    if (cl != null) {
+                        in = ss.getResourceAsStream(cl, service);
 
-                            if (in != null) {
-                                reader = new BufferedReader (
-                                        new InputStreamReader (in, "UTF8"));
-                                clsName = reader.readLine ();
-                                in.close ();
-                            }
-                        } catch (Exception e) {
+                        // If no provider found then try the current ClassLoader
+                        if (in == null) {
+                            cl = null;
+                            in = ss.getResourceAsStream(cl, service);
                         }
-                        return clsName;
+                    } else {
+                        // No Context ClassLoader, try the current ClassLoader
+                        in = ss.getResourceAsStream(cl, service);
                     }
-                });
+
+                    if (in != null) {
+                        reader = new BufferedReader (
+                                new InputStreamReader (in, "UTF8"));
+                        className = reader.readLine ();
+                        in.close ();
+                    }
+                } catch (Exception e) {
+                }
             }
-            className = _clsFromJar;
         }
 
         // 3. Distro-specific fallback
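Review bot: With `_clsFromJar` removed, the class name read from `META-INF/services/` is no longer remembered: `_jarread` is still set to true on the first call, so every later call skips the lookup, leaves `className` null and presumably drops through to the fallback in step 3. Either drop the `_jarread` guard or keep the cache, i.e. retain `private static String _clsFromJar = null;`, assign `_clsFromJar = reader.readLine ();` and restore `className = _clsFromJar;` after the `if (!_jarread)` block. The empty `catch (Exception e)` also skips `in.close ()` when `readLine` throws, leaving the stream open. The method starts above this hunk and continues below it.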
@@ -187,7 +187,7 @@
 
         // do we know the XMLReader implementation class yet?
         if (className != null)
-            return loadClass (loader, className);
+            return loadClass (cl, className);
 
         // 4. panic -- adapt any SAX1 parser
         try {
@@ -217,7 +217,7 @@
     public static XMLReader createXMLReader (String className)
         throws SAXException
     {
-        return loadClass (NewInstance.getClassLoader (), className);
+        return loadClass (ss.getContextClassLoader(), className);
     }
 
     private static XMLReader loadClass (ClassLoader loader, String className)