|
 |
5d186e |
diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
|
|
|
5d186e |
index 1298943..96a5e58 100644
|
|
|
5d186e |
--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
|
|
|
5d186e |
+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
|
|
|
5d186e |
@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
|
|
|
5d186e |
reader = XMLReaderFactory.createXMLReader();
|
|
|
5d186e |
}
|
|
|
5d186e |
|
|
|
5d186e |
+ if(m_isSecureProcessing)
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
|
|
|
5d186e |
+ }
|
|
|
5d186e |
// Need to set options!
|
|
|
5d186e |
reader.setContentHandler(handler);
|
|
|
5d186e |
reader.parse(isource);
|
|
|
5d186e |
diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
|
|
|
5d186e |
index b946743..17b7395 100644
|
|
|
5d186e |
--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
|
|
|
5d186e |
+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
|
|
|
5d186e |
@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
|
|
|
5d186e |
}
|
|
|
5d186e |
else
|
|
|
5d186e |
{
|
|
|
5d186e |
- // Can we switch the order here:
|
|
|
5d186e |
-
|
|
|
5d186e |
- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
|
|
|
5d186e |
- attributes.getQName(i), attributes.getValue(i),
|
|
|
5d186e |
- target);
|
|
|
5d186e |
-
|
|
|
5d186e |
- // Now we only add the element if it passed a validation check
|
|
|
5d186e |
- if (success)
|
|
|
5d186e |
- processedDefs.add(attrDef);
|
|
|
5d186e |
- else
|
|
|
5d186e |
- errorDefs.add(attrDef);
|
|
|
5d186e |
+ //handle secure processing
|
|
|
5d186e |
+ if(handler.getStylesheetProcessor()==null)
|
|
|
5d186e |
+ System.out.println("stylesheet processor null");
|
|
|
5d186e |
+ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+ //foreign attributes are not allowed in secure processing mode
|
|
|
5d186e |
+ // Then barf, because this element does not allow this attribute.
|
|
|
5d186e |
+ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
|
|
|
5d186e |
+ //+ " attribute is not allowed on the " + rawName
|
|
|
5d186e |
+ // + " element!", null);
|
|
|
5d186e |
+ }
|
|
|
5d186e |
+ else
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+
|
|
|
5d186e |
+
|
|
|
5d186e |
+ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
|
|
|
5d186e |
+ attributes.getQName(i), attributes.getValue(i),
|
|
|
5d186e |
+ target);
|
|
|
5d186e |
+
|
|
|
5d186e |
+ // Now we only add the element if it passed a validation check
|
|
|
5d186e |
+ if (success)
|
|
|
5d186e |
+ processedDefs.add(attrDef);
|
|
|
5d186e |
+ else
|
|
|
5d186e |
+ errorDefs.add(attrDef);
|
|
|
5d186e |
+ }
|
|
|
5d186e |
}
|
|
|
5d186e |
}
|
|
|
5d186e |
|
|
|
5d186e |
diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
|
|
|
5d186e |
index dd0d4d9..0906d24 100644
|
|
|
5d186e |
--- a/src/org/apache/xalan/transformer/TransformerImpl.java
|
|
|
5d186e |
+++ b/src/org/apache/xalan/transformer/TransformerImpl.java
|
|
|
5d186e |
@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
|
|
|
5d186e |
try
|
|
|
5d186e |
{
|
|
|
5d186e |
if (sroot.getExtensions() != null)
|
|
|
5d186e |
- m_extensionsTable = new ExtensionsTable(sroot);
|
|
|
5d186e |
+ //only load extensions if secureProcessing is disabled
|
|
|
5d186e |
+ if(!sroot.isSecureProcessing())
|
|
|
5d186e |
+ m_extensionsTable = new ExtensionsTable(sroot);
|
|
|
5d186e |
}
|
|
|
5d186e |
catch (javax.xml.transform.TransformerException te)
|
|
|
5d186e |
{te.printStackTrace();}
|
|
|
5d186e |
diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
|
|
|
5d186e |
index 4bea356..78ac980 100644
|
|
|
5d186e |
--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
|
|
|
5d186e |
+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
|
|
|
5d186e |
@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
|
|
|
5d186e |
|
|
|
5d186e |
String fullName = m_arg0.execute(xctxt).str();
|
|
|
5d186e |
int indexOfNSSep = fullName.indexOf(':');
|
|
|
5d186e |
- String result;
|
|
|
5d186e |
+ String result = null;
|
|
|
5d186e |
String propName = "";
|
|
|
5d186e |
|
|
|
5d186e |
// List of properties where the name of the
|
|
|
5d186e |
@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
|
|
|
5d186e |
|
|
|
5d186e |
try
|
|
|
5d186e |
{
|
|
|
5d186e |
- result = System.getProperty(propName);
|
|
|
5d186e |
-
|
|
|
5d186e |
- if (null == result)
|
|
|
5d186e |
- {
|
|
|
5d186e |
-
|
|
|
5d186e |
- // result = System.getenv(propName);
|
|
|
5d186e |
- return XString.EMPTYSTRING;
|
|
|
5d186e |
- }
|
|
|
5d186e |
+ //if secure procession is enabled only handle required properties do not not map any valid system property
|
|
|
5d186e |
+ if(!xctxt.isSecureProcessing())
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+ result = System.getProperty(propName);
|
|
|
5d186e |
+ }
|
|
|
5d186e |
+ else
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
|
|
|
5d186e |
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
|
|
|
5d186e |
+ }
|
|
|
5d186e |
+ if (null == result)
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+ return XString.EMPTYSTRING;
|
|
|
5d186e |
+ }
|
|
|
5d186e |
}
|
|
|
5d186e |
catch (SecurityException se)
|
|
|
5d186e |
{
|
|
|
5d186e |
@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
|
|
|
5d186e |
{
|
|
|
5d186e |
try
|
|
|
5d186e |
{
|
|
|
5d186e |
- result = System.getProperty(fullName);
|
|
|
5d186e |
-
|
|
|
5d186e |
- if (null == result)
|
|
|
5d186e |
- {
|
|
|
5d186e |
-
|
|
|
5d186e |
- // result = System.getenv(fullName);
|
|
|
5d186e |
- return XString.EMPTYSTRING;
|
|
|
5d186e |
- }
|
|
|
5d186e |
+ //if secure procession is enabled only handle required properties do not not map any valid system property
|
|
|
5d186e |
+ if(!xctxt.isSecureProcessing())
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+ result = System.getProperty(fullName);
|
|
|
5d186e |
+ }
|
|
|
5d186e |
+ else
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
|
|
|
5d186e |
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
|
|
|
5d186e |
+ }
|
|
|
5d186e |
+ if (null == result)
|
|
|
5d186e |
+ {
|
|
|
5d186e |
+ return XString.EMPTYSTRING;
|
|
|
5d186e |
+ }
|
|
|
5d186e |
}
|
|
|
5d186e |
catch (SecurityException se)
|
|
|
5d186e |
{
|