/hg/release/icedtea7-forest-2.4/jaxp: 5 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Tue Oct 15 16:03:05 PDT 2013
changeset fa7391b1cb53 in /hg/release/icedtea7-forest-2.4/jaxp
details: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.4/jaxp?cmd=changeset;node=fa7391b1cb53
author: joehw
date: Thu Jul 11 09:01:18 2013 -0700
8013503: Improve stream factories
Reviewed-by: alanb, dfuchs, mullan
changeset e9af60ad2582 in /hg/release/icedtea7-forest-2.4/jaxp
details: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.4/jaxp?cmd=changeset;node=e9af60ad2582
author: joehw
date: Wed Oct 09 21:24:38 2013 +0100
8012425: Transform TransformerFactory
Reviewed-by: alanb, dfuchs, mullan
changeset 48a0c5216d21 in /hg/release/icedtea7-forest-2.4/jaxp
details: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.4/jaxp?cmd=changeset;node=48a0c5216d21
author: joehw
date: Thu Oct 10 01:18:45 2013 +0100
8017298: Better XML support
Reviewed-by: alanb, dfuchs, mullan
changeset 1dbd732765d0 in /hg/release/icedtea7-forest-2.4/jaxp
details: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.4/jaxp?cmd=changeset;node=1dbd732765d0
author: joehw
date: Thu Oct 10 02:08:57 2013 +0100
8014530: Better digital signature processing
Reviewed-by: alanb, dfuchs, mullan, lancea
changeset 9230de21402d in /hg/release/icedtea7-forest-2.4/jaxp
details: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.4/jaxp?cmd=changeset;node=9230de21402d
author: andrew
date: Mon Oct 14 14:04:51 2013 +0100
SchemaParsingConfig also needs to be updated to initialise a SECURITY_MANAGER
diffstat:
src/com/sun/org/apache/xalan/internal/XalanConstants.java | 131 ++-
src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java | 449 ++++++++
src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java | 33 +
src/com/sun/org/apache/xalan/internal/xsltc/compiler/Import.java | 2 +-
src/com/sun/org/apache/xalan/internal/xsltc/compiler/Include.java | 2 +-
src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java | 17 +-
src/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java | 11 +-
src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesHandlerImpl.java | 4 +-
src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java | 37 +-
src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java | 6 +
src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java | 25 +
src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java | 8 +
src/com/sun/org/apache/xerces/internal/impl/Constants.java | 108 +-
src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java | 24 +-
src/com/sun/org/apache/xerces/internal/impl/XML11NSDocumentScannerImpl.java | 4 +-
src/com/sun/org/apache/xerces/internal/impl/XMLDTDScannerImpl.java | 64 +-
src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java | 72 +-
src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java | 62 +-
src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java | 4 +-
src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java | 54 +-
src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties | 11 +-
src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java | 22 +-
src/com/sun/org/apache/xerces/internal/impl/xs/opti/SchemaParsingConfig.java | 8 +-
src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java | 3 +-
src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java | 6 +-
src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java | 29 +-
src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java | 77 +-
src/com/sun/org/apache/xerces/internal/jaxp/validation/StAXValidatorHelper.java | 14 +
src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java | 37 +-
src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java | 6 +-
src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java | 31 +-
src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java | 51 +-
src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java | 37 +-
src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java | 14 +-
src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java | 5 +-
src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java | 79 +-
src/com/sun/org/apache/xerces/internal/util/SecurityManager.java | 226 ----
src/com/sun/org/apache/xerces/internal/util/SymbolTable.java | 4 +-
src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java | 236 ++++
src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java | 521 ++++++++++
src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java | 35 +
src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java | 10 +-
src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java | 46 +-
src/com/sun/xml/internal/stream/Entity.java | 2 +-
src/javax/xml/stream/FactoryFinder.java | 23 +-
src/javax/xml/stream/XMLEventFactory.java | 14 +-
src/javax/xml/stream/XMLInputFactory.java | 15 +-
src/javax/xml/stream/XMLOutputFactory.java | 13 +-
48 files changed, 2167 insertions(+), 525 deletions(-)
diffs (truncated from 4420 to 500 lines):
diff -r 9d462cfc07bf -r 9230de21402d src/com/sun/org/apache/xalan/internal/XalanConstants.java
--- a/src/com/sun/org/apache/xalan/internal/XalanConstants.java Thu Sep 05 15:10:37 2013 +0100
+++ b/src/com/sun/org/apache/xalan/internal/XalanConstants.java Mon Oct 14 14:04:51 2013 +0100
@@ -39,33 +39,138 @@
//
// Constants
//
+ //Xerces security manager
+ public static final String SECURITY_MANAGER =
+ "http://apache.org/xml/properties/security-manager";
+
+ //
+ // Implementation limits: API properties
+ //
+ /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */
+ public static final String ORACLE_JAXP_PROPERTY_PREFIX =
+ "http://www.oracle.com/xml/jaxp/properties/";
+ /**
+ * JDK entity expansion limit; Note that the existing system property
+ * "entityExpansionLimit" with no prefix is still observed
+ */
+ public static final String JDK_ENTITY_EXPANSION_LIMIT =
+ ORACLE_JAXP_PROPERTY_PREFIX + "entityExpansionLimit";
+
+ /**
+ * JDK element attribute limit; Note that the existing system property
+ * "elementAttributeLimit" with no prefix is still observed
+ */
+ public static final String JDK_ELEMENT_ATTRIBUTE_LIMIT =
+ ORACLE_JAXP_PROPERTY_PREFIX + "elementAttributeLimit";
+
+ /**
+ * JDK maxOccur limit; Note that the existing system property
+ * "maxOccurLimit" with no prefix is still observed
+ */
+ public static final String JDK_MAX_OCCUR_LIMIT =
+ ORACLE_JAXP_PROPERTY_PREFIX + "maxOccurLimit";
+
+ /**
+ * JDK total entity size limit
+ */
+ public static final String JDK_TOTAL_ENTITY_SIZE_LIMIT =
+ ORACLE_JAXP_PROPERTY_PREFIX + "totalEntitySizeLimit";
+
+ /**
+ * JDK maximum general entity size limit
+ */
+ public static final String JDK_GENEAL_ENTITY_SIZE_LIMIT =
+ ORACLE_JAXP_PROPERTY_PREFIX + "maxGeneralEntitySizeLimit";
+ /**
+ * JDK maximum parameter entity size limit
+ */
+ public static final String JDK_PARAMETER_ENTITY_SIZE_LIMIT =
+ ORACLE_JAXP_PROPERTY_PREFIX + "maxParameterEntitySizeLimit";
+ /**
+ * JDK maximum XML name limit
+ */
+ public static final String JDK_XML_NAME_LIMIT =
+ ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit";
+ /**
+ * JDK property indicating whether the parser shall print out entity
+ * count information
+ * Value: a string "yes" means print, "no" or any other string means not.
+ */
+ public static final String JDK_ENTITY_COUNT_INFO =
+ ORACLE_JAXP_PROPERTY_PREFIX + "getEntityCountInfo";
+
+ //
+ // Implementation limits: corresponding System Properties of the above
+ // API properties
+ //
+ /**
+ * JDK entity expansion limit; Note that the existing system property
+ * "entityExpansionLimit" with no prefix is still observed
+ */
+ public static final String SP_ENTITY_EXPANSION_LIMIT = "jdk.xml.entityExpansionLimit";
+
+ /**
+ * JDK element attribute limit; Note that the existing system property
+ * "elementAttributeLimit" with no prefix is still observed
+ */
+ public static final String SP_ELEMENT_ATTRIBUTE_LIMIT = "jdk.xml.elementAttributeLimit";
+
+ /**
+ * JDK maxOccur limit; Note that the existing system property
+ * "maxOccurLimit" with no prefix is still observed
+ */
+ public static final String SP_MAX_OCCUR_LIMIT = "jdk.xml.maxOccurLimit";
+
+ /**
+ * JDK total entity size limit
+ */
+ public static final String SP_TOTAL_ENTITY_SIZE_LIMIT = "jdk.xml.totalEntitySizeLimit";
+
+ /**
+ * JDK maximum general entity size limit
+ */
+ public static final String SP_GENEAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit";
+ /**
+ * JDK maximum parameter entity size limit
+ */
+ public static final String SP_PARAMETER_ENTITY_SIZE_LIMIT = "jdk.xml.maxParameterEntitySizeLimit";
+ /**
+ * JDK maximum XML name limit
+ */
+ public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit";
+
+ //legacy System Properties
+ public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit";
+ public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
+ public final static String MAX_OCCUR_LIMIT = "maxOccurLimit";
+
+ /**
+ * A string "yes" that can be used for properties such as getEntityCountInfo
+ */
+ public static final String JDK_YES = "yes";
+
// Oracle Feature:
- /**
- * <p>Use Service Mechanism</p>
- *
- * <ul>
- * <li>
+ /**
+ * <p>Use Service Mechanism</p>
+ *
+ * <ul>
+ * <li>
* {@code true} instruct an object to use service mechanism to
* find a service implementation. This is the default behavior.
* </li>
* <li>
* {@code false} instruct an object to skip service mechanism and
* use the default implementation for that service.
- * </li>
- * </ul>
- */
-
+ * </li>
+ * </ul>
+ */
public static final String ORACLE_FEATURE_SERVICE_MECHANISM = "http://www.oracle.com/feature/use-service-mechanism";
- /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */
- public static final String ORACLE_JAXP_PROPERTY_PREFIX =
- "http://www.oracle.com/xml/jaxp/properties/";
//System Properties corresponding to ACCESS_EXTERNAL_* properties
public static final String SP_ACCESS_EXTERNAL_STYLESHEET = "javax.xml.accessExternalStylesheet";
public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
-
//all access keyword
public static final String ACCESS_EXTERNAL_ALL = "all";
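Review bot: The new public constants `JDK_GENEAL_ENTITY_SIZE_LIMIT` and `SP_GENEAL_ENTITY_SIZE_LIMIT` misspell GENERAL in the identifier, although the property strings they hold (`maxGeneralEntitySizeLimit`, `jdk.xml.maxGeneralEntitySizeLimit`) are spelled correctly. These names are public and the XMLSecurityManager added in the same changeset already references them, so a later rename would break callers; I would declare them as `JDK_GENERAL_ENTITY_SIZE_LIMIT` and `SP_GENERAL_ENTITY_SIZE_LIMIT` now. The Javadoc on the limit properties also never says how 0 or a negative value is interpreted, while XMLSecurityManager uses 0 as the non-secure default for every limit and clamps negative or unparsable input to 0. If 0 is meant as "no limit", as those defaults suggest, each limit's Javadoc should say so, e.g. `* A value less than or equal to 0 indicates no limit.`, so that someone tuning these properties does not disable a limit by accident. The enclosing XalanConstants class body starts and ends outside this hunk.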
diff -r 9d462cfc07bf -r 9230de21402d src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java Mon Oct 14 14:04:51 2013 +0100
@@ -0,0 +1,449 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License"). You
+ * may not use this file except in compliance with the License. You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt. See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license." If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above. However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package com.sun.org.apache.xalan.internal.utils;
+
+import com.sun.org.apache.xalan.internal.XalanConstants;
+
+
+/**
+ * This class is not the same as that in Xerces. It is used to manage the
+ * state of corresponding Xerces properties and pass the values over to
+ * the Xerces Security Manager.
+ *
+ * @author Joe Wang Oracle Corp.
+ *
+ */
+public final class XMLSecurityManager {
+
+ /**
+ * States of the settings of a property, in the order: default value, value
+ * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+ * properties, and jaxp api properties
+ */
+ public static enum State {
+ //this order reflects the overriding order
+
+ DEFAULT("default"), FSP("FEATURE_SECURE_PROCESSING"),
+ JAXPDOTPROPERTIES("jaxp.properties"), SYSTEMPROPERTY("system property"),
+ APIPROPERTY("property");
+
+ final String literal;
+ State(String literal) {
+ this.literal = literal;
+ }
+
+ String literal() {
+ return literal;
+ }
+ }
+
+ /**
+ * Limits managed by the security manager
+ */
+ public static enum Limit {
+
+ ENTITY_EXPANSION_LIMIT(XalanConstants.JDK_ENTITY_EXPANSION_LIMIT,
+ XalanConstants.SP_ENTITY_EXPANSION_LIMIT, 0, 64000),
+ MAX_OCCUR_NODE_LIMIT(XalanConstants.JDK_MAX_OCCUR_LIMIT,
+ XalanConstants.SP_MAX_OCCUR_LIMIT, 0, 5000),
+ ELEMENT_ATTRIBUTE_LIMIT(XalanConstants.JDK_ELEMENT_ATTRIBUTE_LIMIT,
+ XalanConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
+ TOTAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_TOTAL_ENTITY_SIZE_LIMIT,
+ XalanConstants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
+ GENEAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_GENEAL_ENTITY_SIZE_LIMIT,
+ XalanConstants.SP_GENEAL_ENTITY_SIZE_LIMIT, 0, 0),
+ PARAMETER_ENTITY_SIZE_LIMIT(XalanConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT,
+ XalanConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
+
+ final String apiProperty;
+ final String systemProperty;
+ final int defaultValue;
+ final int secureValue;
+
+ Limit(String apiProperty, String systemProperty, int value, int secureValue) {
+ this.apiProperty = apiProperty;
+ this.systemProperty = systemProperty;
+ this.defaultValue = value;
+ this.secureValue = secureValue;
+ }
+
+ public boolean equalsAPIPropertyName(String propertyName) {
+ return (propertyName == null) ? false : apiProperty.equals(propertyName);
+ }
+
+ public boolean equalsSystemPropertyName(String propertyName) {
+ return (propertyName == null) ? false : systemProperty.equals(propertyName);
+ }
+
+ public String apiProperty() {
+ return apiProperty;
+ }
+
+ String systemProperty() {
+ return systemProperty;
+ }
+
+ int defaultValue() {
+ return defaultValue;
+ }
+
+ int secureValue() {
+ return secureValue;
+ }
+ }
+
+ /**
+ * Map old property names with the new ones
+ */
+ public static enum NameMap {
+
+ ENTITY_EXPANSION_LIMIT(XalanConstants.SP_ENTITY_EXPANSION_LIMIT,
+ XalanConstants.ENTITY_EXPANSION_LIMIT),
+ MAX_OCCUR_NODE_LIMIT(XalanConstants.SP_MAX_OCCUR_LIMIT,
+ XalanConstants.MAX_OCCUR_LIMIT),
+ ELEMENT_ATTRIBUTE_LIMIT(XalanConstants.SP_ELEMENT_ATTRIBUTE_LIMIT,
+ XalanConstants.ELEMENT_ATTRIBUTE_LIMIT);
+ final String newName;
+ final String oldName;
+
+ NameMap(String newName, String oldName) {
+ this.newName = newName;
+ this.oldName = oldName;
+ }
+
+ String getOldName(String newName) {
+ if (newName.equals(this.newName)) {
+ return oldName;
+ }
+ return null;
+ }
+ }
+ /**
+ * Values of the properties
+ */
+ private final int[] values;
+ /**
+ * States of the settings for each property
+ */
+ private State[] states;
+ /**
+ * States that determine if properties are set explicitly
+ */
+ private boolean[] isSet;
+
+
+ /**
+ * Index of the special entityCountInfo property
+ */
+ private int indexEntityCountInfo = 10000;
+ private String printEntityCountInfo = "";
+
+ /**
+ * Default constructor. Establishes default values for known security
+ * vulnerabilities.
+ */
+ public XMLSecurityManager() {
+ this(false);
+ }
+
+ /**
+ * Instantiate Security Manager in accordance with the status of
+ * secure processing
+ * @param secureProcessing
+ */
+ public XMLSecurityManager(boolean secureProcessing) {
+ values = new int[Limit.values().length];
+ states = new State[Limit.values().length];
+ isSet = new boolean[Limit.values().length];
+ for (Limit limit : Limit.values()) {
+ if (secureProcessing) {
+ values[limit.ordinal()] = limit.secureValue();
+ states[limit.ordinal()] = State.FSP;
+ } else {
+ values[limit.ordinal()] = limit.defaultValue();
+ states[limit.ordinal()] = State.DEFAULT;
+ }
+ }
+ //read system properties or jaxp.properties
+ readSystemProperties();
+ }
+
+ /**
+ * Setting FEATURE_SECURE_PROCESSING explicitly
+ */
+ public void setSecureProcessing(boolean secure) {
+ for (Limit limit : Limit.values()) {
+ if (secure) {
+ setLimit(limit.ordinal(), State.FSP, limit.secureValue());
+ } else {
+ setLimit(limit.ordinal(), State.FSP, limit.defaultValue());
+ }
+ }
+ }
+
+ /**
+ * Set limit by property name and state
+ * @param propertyName property name
+ * @param state the state of the property
+ * @param value the value of the property
+ * @return true if the property is managed by the security manager; false
+ * if otherwise.
+ */
+ public boolean setLimit(String propertyName, State state, Object value) {
+ int index = getIndex(propertyName);
+ if (index > -1) {
+ setLimit(index, state, value);
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Set the value for a specific limit.
+ *
+ * @param limit the limit
+ * @param state the state of the property
+ * @param value the value of the property
+ */
+ public void setLimit(Limit limit, State state, int value) {
+ setLimit(limit.ordinal(), state, value);
+ }
+
+ /**
+ * Set the value of a property by its index
+ *
+ * @param index the index of the property
+ * @param state the state of the property
+ * @param value the value of the property
+ */
+ public void setLimit(int index, State state, Object value) {
+ if (index == indexEntityCountInfo) {
+ //if it's explicitly set, it's treated as yes no matter the value
+ printEntityCountInfo = (String)value;
+ } else {
+ int temp = 0;
+ try {
+ temp = Integer.parseInt((String) value);
+ if (temp < 0) {
+ temp = 0;
+ }
+ } catch (NumberFormatException e) {}
+ setLimit(index, state, temp); }
+ }
+
+ /**
+ * Set the value of a property by its index
+ *
+ * @param index the index of the property
+ * @param state the state of the property
+ * @param value the value of the property
+ */
+ public void setLimit(int index, State state, int value) {
+ if (index == indexEntityCountInfo) {
+ //if it's explicitly set, it's treated as yes no matter the value
+ printEntityCountInfo = XalanConstants.JDK_YES;
+ } else {
+ //only update if it shall override
+ if (state.compareTo(states[index]) >= 0) {
+ values[index] = value;
+ states[index] = state;
+ isSet[index] = true;
+ }
+ }
+ }
+
+
+ /**
+ * Return the value of the specified property.
+ *
+ * @param propertyName the property name
+ * @return the value of the property as a string. If a property is managed
+ * by this manager, its value shall not be null.
+ */
+ public String getLimitAsString(String propertyName) {
+ int index = getIndex(propertyName);
+ if (index > -1) {
+ return getLimitValueByIndex(index);
+ }
+
+ return null;
+ }
+
+ /**
+ * Return the value of a property by its ordinal
+ *
+ * @param limit the property
+ * @return value of a property
+ */
+ public String getLimitValueAsString(Limit limit) {
+ return Integer.toString(values[limit.ordinal()]);
+ }
+
+ /**
+ * Return the value of the specified property
+ *
+ * @param limit the property
+ * @return the value of the property
+ */
+ public int getLimit(Limit limit) {
+ return values[limit.ordinal()];
+ }
+
+ /**
+ * Return the value of a property by its ordinal
+ *
+ * @param index the index of a property
+ * @return value of a property
+ */
+ public int getLimitByIndex(int index) {
+ return values[index];
+ }
+ /**
+ * Return the value of a property by its index
+ *
+ * @param index the index of a property