[jaxb~v2:88dfa4e1] JAXP 1.5: another external reference permissions added

  • From: snajper@...
  • To: commits@...
  • Subject: [jaxb~v2:88dfa4e1] JAXP 1.5: another external reference permissions added
  • Date: Sun, 25 Aug 2013 21:42:46 +0000

Project:    jaxb
Repository: v2
Revision:   88dfa4e167ff502429717b07721163fe1ed4cc9f
Author:     snajper
Date:       2013-08-25 21:32:10 UTC
Link:       

Log Message:
------------
JAXP 1.5: another external reference permissions added



Revisions:
----------
88dfa4e167ff502429717b07721163fe1ed4cc9f


Modified Paths:
---------------
jaxb-ri/core/src/main/java/com/sun/xml/bind/v2/util/XmlFactory.java
jaxb-ri/xjc/src/main/java/com/sun/tools/xjc/reader/xmlschema/parser/SchemaConstraintChecker.java


Diffs:
------
--- a/jaxb-ri/core/src/main/java/com/sun/xml/bind/v2/util/XmlFactory.java
+++ b/jaxb-ri/core/src/main/java/com/sun/xml/bind/v2/util/XmlFactory.java
@@ -69,6 +69,7 @@ public class XmlFactory {
 
     // not in older JDK, so must be duplicated here, otherwise 
javax.xml.XMLConstants should be used
     public static final String ACCESS_EXTERNAL_SCHEMA = 
"http://javax.xml.XMLConstants/property/accessExternalSchema";;
+    public static final String ACCESS_EXTERNAL_DTD = 
"http://javax.xml.XMLConstants/property/accessExternalDTD";;
 
     private static final Logger LOGGER = 
Logger.getLogger(XmlFactory.class.getName());
 
@@ -237,4 +238,35 @@ public class XmlFactory {
         return sf;
     }
 
+    public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, 
String value, boolean disableSecureProcessing) {
+
+        // if xml security (feature secure processing) disabled, nothing to 
do, no restrictions applied
+        if (isXMLSecurityDisabled(disableSecureProcessing)) {
+            if (LOGGER.isLoggable(Level.FINE)) {
+                LOGGER.log(Level.FINE, 
Messages.JAXP_XML_SECURITY_DISABLED.format());
+            }
+            return sf;
+        }
+
+        if (System.getProperty("javax.xml.accessExternalDTD") != null) {
+            if (LOGGER.isLoggable(Level.FINE)) {
+                LOGGER.log(Level.FINE, 
Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
+            }
+            return sf;
+        }
+
+        try {
+            sf.setProperty(ACCESS_EXTERNAL_DTD, value);
+            if (LOGGER.isLoggable(Level.FINE)) {
+                LOGGER.log(Level.FINE, 
Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD));
+            }
+        } catch (SAXException ignored) {
+            // nothing to do; support depends on version JDK or SAX 
implementation
+            if (LOGGER.isLoggable(Level.CONFIG)) {
+                LOGGER.log(Level.CONFIG, 
Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD), ignored);
+            }
+        }
+        return sf;
+    }
+
 }--- 
a/jaxb-ri/xjc/src/main/java/com/sun/tools/xjc/reader/xmlschema/parser/SchemaConstraintChecker.java
+++ 
b/jaxb-ri/xjc/src/main/java/com/sun/tools/xjc/reader/xmlschema/parser/SchemaConstraintChecker.java
@@ -84,6 +84,7 @@ public class SchemaConstraintChecker {
         boolean hadErrors = false;
 
         SchemaFactory sf = 
XmlFactory.createSchemaFactory(W3C_XML_SCHEMA_NS_URI, disableXmlSecurity);
+        XmlFactory.allowExternalAccess(sf, "all", disableXmlSecurity);
         sf.setErrorHandler(errorFilter);
         if( entityResolver != null ) {
             sf.setResourceResolver(new LSResourceResolver() {
@@ -106,6 +107,7 @@ public class SchemaConstraintChecker {
         }
 
         try {
+            XmlFactory.allowExternalDTDAccess(sf, "all", disableXmlSecurity);
             sf.newSchema(getSchemaSource(schemas, entityResolver));
         } catch (SAXException e) {
             // TODO: we haven't thrown exceptions from here before. should 
we just trap them and return false?





[jaxb~v2:88dfa4e1] JAXP 1.5: another external reference permissions added

snajper 08/25/2013
Terms of Use; Privacy Policy; Copyright ©2013-2015 (revision 20150226.965aeb8)
 
 
Close
loading
Please Confirm
Close