Posted to commits@xalan.apache.org by gg...@apache.org on 2014/03/24 21:55:15 UTC
svn commit: r1581058 - in
/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache:
xalan/processor/TransformerFactoryImpl.java
xalan/processor/XSLTElementProcessor.java
xalan/transformer/TransformerImpl.java
xpath/functions/FuncSystemProperty.java
Author: ggregory
Date: Mon Mar 24 20:55:14 2014
New Revision: 1581058
URL: http://svn.apache.org/r1581058
Log:
Commit patch to handle secure processing. Thank you Ryan Berg.
Modified:
xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/TransformerFactoryImpl.java
xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java
xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/transformer/TransformerImpl.java
xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xpath/functions/FuncSystemProperty.java
Modified: xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/TransformerFactoryImpl.java
URL: http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/TransformerFactoryImpl.java?rev=1581058&r1=1581057&r2=1581058&view=diff
==============================================================================
--- xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/TransformerFactoryImpl.java (original)
+++ xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/TransformerFactoryImpl.java Mon Mar 24 20:55:14 2014
@@ -326,6 +326,10 @@ public class TransformerFactoryImpl exte
reader = XMLReaderFactory.createXMLReader();
}
+ if(m_isSecureProcessing)
+ {
+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+ }
// Need to set options!
reader.setContentHandler(handler);
reader.parse(isource);
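Review bot: Only external general entities are switched off in the added `if(m_isSecureProcessing)` block, so a DTD can still pull in external parameter entities and the external DTD subset while secure processing is on. I would add `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` next to it, and on Xerces also `reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`. `setFeature` can throw `SAXNotRecognizedException` or `SAXNotSupportedException` on a parser that lacks the feature. The enclosing try/catch is outside this hunk, so confirm that such a failure aborts the parse instead of continuing unprotected.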
Modified: xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java
URL: http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?rev=1581058&r1=1581057&r2=1581058&view=diff
==============================================================================
--- xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java (original)
+++ xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java Mon Mar 24 20:55:14 2014
@@ -337,17 +337,31 @@ public class XSLTElementProcessor extend
}
else
{
- // Can we switch the order here:
-
- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
- attributes.getQName(i), attributes.getValue(i),
- target);
-
- // Now we only add the element if it passed a validation check
- if (success)
- processedDefs.add(attrDef);
+ //handle secure processing
+ if(handler.getStylesheetProcessor()==null)
+ System.out.println("stylesheet processor null");
+ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
+ {
+ //foreign attributes are not allowed in secure processing mode
+ // Then barf, because this element does not allow this attribute.
+ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
+ //+ " attribute is not allowed on the " + rawName
+ // + " element!", null);
+ }
else
- errorDefs.add(attrDef);
+ {
+
+
+ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+ attributes.getQName(i), attributes.getValue(i),
+ target);
+
+ // Now we only add the element if it passed a validation check
+ if (success)
+ processedDefs.add(attrDef);
+ else
+ errorDefs.add(attrDef);
+ }
}
}
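Review bot: The null check on `handler.getStylesheetProcessor()` only prints to stdout, and the next line still calls `handler.getStylesheetProcessor().isSecureProcessing()`, so a null processor ends in a NullPointerException whenever the attribute definition is the `*` wildcard. Drop the `System.out.println` debug line and make the decision explicit, e.g. `boolean secure = handler.getStylesheetProcessor() != null && handler.getStylesheetProcessor().isSecureProcessing();` followed by `if (secure && "*".equals(attrDef.getName()))`. If a missing processor should count as secure instead, invert the null case so the check fails closed. The commented-out message fragments trailing the `handler.error(...)` call can go as well. The enclosing loop and method start outside this hunk.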
Modified: xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/transformer/TransformerImpl.java
URL: http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/transformer/TransformerImpl.java?rev=1581058&r1=1581057&r2=1581058&view=diff
==============================================================================
--- xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/transformer/TransformerImpl.java (original)
+++ xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/transformer/TransformerImpl.java Mon Mar 24 20:55:14 2014
@@ -438,7 +438,9 @@ public class TransformerImpl extends Tra
try
{
if (sroot.getExtensions() != null)
- m_extensionsTable = new ExtensionsTable(sroot);
+ //only load extensions if secureProcessing is disabled
+ if(!sroot.isSecureProcessing())
+ m_extensionsTable = new ExtensionsTable(sroot);
}
catch (javax.xml.transform.TransformerException te)
{te.printStackTrace();}
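Review bot: The new `if(!sroot.isSecureProcessing())` hangs un-braced under `if (sroot.getExtensions() != null)` with a comment between the two, which is easy to misread and easy to break with a later `else`. A single braced condition reads better: `if (sroot.getExtensions() != null && !sroot.isSecureProcessing())`. With secure processing on, `m_extensionsTable` keeps its prior value (apparently null). The code that resolves extension calls is outside this hunk, so confirm it rejects them with a clear error instead of a NullPointerException.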
Modified: xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xpath/functions/FuncSystemProperty.java
URL: http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xpath/functions/FuncSystemProperty.java?rev=1581058&r1=1581057&r2=1581058&view=diff
==============================================================================
--- xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xpath/functions/FuncSystemProperty.java (original)
+++ xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xpath/functions/FuncSystemProperty.java Mon Mar 24 20:55:14 2014
@@ -57,7 +57,7 @@ public class FuncSystemProperty extends
String fullName = m_arg0.execute(xctxt).str();
int indexOfNSSep = fullName.indexOf(':');
- String result;
+ String result = null;
String propName = "";
// List of properties where the name of the
@@ -97,14 +97,21 @@ public class FuncSystemProperty extends
try
{
- result = System.getProperty(propName);
-
- if (null == result)
- {
-
- // result = System.getenv(propName);
- return XString.EMPTYSTRING;
- }
+ //if secure procession is enabled only handle required properties do not not map any valid system property
+ if(!xctxt.isSecureProcessing())
+ {
+ result = System.getProperty(fullName);
+ }
+ else
+ {
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
+ result = xsltInfo.getProperty(propName);
+ }
+ if (null == result)
+ {
+ return XString.EMPTYSTRING;
+ }
}
catch (SecurityException se)
{
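Review bot: In the non-secure branch the lookup key changed from `propName` to `fullName`: the removed line was `System.getProperty(propName)` and the added one is `System.getProperty(fullName)`, so a prefixed name is now looked up with its prefix and will normally not resolve as it did before. If that is not intended, keep `result = System.getProperty(propName);` here. The secure branch reuses `WG_SECURITY_EXCEPTION`, whose text (per the trailing comment) reports a SecurityException that did not occur; a dedicated message would make the refusal clearer in logs. The added comment has typos ("procession", "do not not"); suggested wording: `// In secure processing mode, resolve only the required XSLT properties; never read JVM system properties.` The function body starts and ends outside this hunk.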
@@ -119,14 +126,21 @@ public class FuncSystemProperty extends
{
try
{
- result = System.getProperty(fullName);
-
- if (null == result)
- {
-
- // result = System.getenv(fullName);
- return XString.EMPTYSTRING;
- }
+ //if secure procession is enabled only handle required properties do not not map any valid system property
+ if(!xctxt.isSecureProcessing())
+ {
+ result = System.getProperty(fullName);
+ }
+ else
+ {
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
+ result = xsltInfo.getProperty(propName);
+ }
+ if (null == result)
+ {
+ return XString.EMPTYSTRING;
+ }
}
catch (SecurityException se)
{
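Review bot: The secure branch calls `xsltInfo.getProperty(propName)`, but `propName` is initialised to `""` and this path appears to work from `fullName` (the removed code read `System.getProperty(fullName)`). If `propName` is never assigned on this path, the lookup always returns null and every property comes back as the empty string. `result = xsltInfo.getProperty(fullName);` looks like what was meant; confirm against the assignment of `propName`, which is outside the hunk. The block also duplicates the one in the previous hunk line for line, so a small private helper taking the lookup key would keep the two paths from drifting apart.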