sandygao 2002/12/02 11:28:45 Modified: java/src/org/apache/xerces/impl Constants.java XMLDocumentScannerImpl.java Log: Introducing a new feature "disallow-doctype-decl". When this feature is set to true, a fatal error is thrown when the incoming document contains a doctype decl. This is to solve a security problem: processing the internal subset of the DTD might bring the JVM down. Revision Changes Path 1.24 +4 -1 xml-xerces/java/src/org/apache/xerces/impl/Constants.java
Index: Constants.java
===================================================================
RCS file: /home/cvs/xml-xerces/java/src/org/apache/xerces/impl/Constants.java,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- Constants.java 27 Sep 2002 14:15:09 -0000 1.23
+++ Constants.java 2 Dec 2002 19:28:45 -0000 1.24
@@ -211,6 +211,9 @@
 /** Allow Java encoding names feature ("allow-java-encodings"). */
 public static final String ALLOW_JAVA_ENCODINGS_FEATURE = "allow-java-encodings";
+ /** Disallow DOCTYPE declaration feature ("disallow-doctype-decl"). */
+ public static final String DISALLOW_DOCTYPE_DECL_FEATURE = "disallow-doctype-decl";
+
 /** Continue after fatal error feature ("continue-after-fatal-error"). */
 public static final String CONTINUE_AFTER_FATAL_ERROR_FEATURE = "continue-after-fatal-error";
1.30 +24 -2 xml-xerces/java/src/org/apache/xerces/impl/XMLDocumentScannerImpl.java
Index: XMLDocumentScannerImpl.java
===================================================================
RCS file: /home/cvs/xml-xerces/java/src/org/apache/xerces/impl/XMLDocumentScannerImpl.java,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- XMLDocumentScannerImpl.java 19 Nov 2002 01:41:37 -0000 1.29
+++ XMLDocumentScannerImpl.java 2 Dec 2002 19:28:45 -0000 1.30
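Review bot: The Javadoc on the new DISALLOW_DOCTYPE_DECL_FEATURE constant only restates the feature name, which is thin for a security switch: a reader of Constants.java cannot tell what enabling it does or that it is off unless explicitly set (the scanner hunk defaults it to Boolean.FALSE). Suggest `/** Disallow DOCTYPE declaration feature ("disallow-doctype-decl"): when true, any DOCTYPE declaration is reported as a fatal error; off by default. */` so the intent survives without reading the commit log.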
@@ -146,6 +146,10 @@
 protected static final String LOAD_EXTERNAL_DTD =
 Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE;
+ /** Feature identifier: load external DTD. */
+ protected static final String DISALLOW_DOCTYPE_DECL_FEATURE =
+ Constants.XERCES_FEATURE_PREFIX + Constants.DISALLOW_DOCTYPE_DECL_FEATURE;
+
 // property identifiers
 /** Property identifier: DTD scanner. */
@@ -161,11 +165,13 @@
 /** Recognized features. */
 private static final String[] RECOGNIZED_FEATURES = {
 LOAD_EXTERNAL_DTD,
+ DISALLOW_DOCTYPE_DECL_FEATURE,
 };
 /** Feature defaults. */
 private static final Boolean[] FEATURE_DEFAULTS = {
 Boolean.TRUE,
+ Boolean.FALSE,
 };
 /** Recognized properties. */
@@ -215,6 +221,9 @@
 /** Load external DTD. */
 protected boolean fLoadExternalDTD = true;
+ /** Disallow doctype declaration. */
+ protected boolean fDisallowDoctype = false;
+
 // state
 /** Seen doctype declaration. */
@@ -306,7 +315,13 @@
 catch (XMLConfigurationException e) {
 fLoadExternalDTD = true;
 }
-
+ try {
+ fDisallowDoctype = componentManager.getFeature(DISALLOW_DOCTYPE_DECL_FEATURE);
+ }
+ catch (XMLConfigurationException e) {
+ fDisallowDoctype = false;
+ }
+
 // xerces properties
 fDTDScanner = (XMLDTDScanner)componentManager.getProperty(DTD_SCANNER);
 try {
@@ -368,6 +383,10 @@
 fLoadExternalDTD = state;
 return;
 }
+ else if (feature.equals(Constants.DISALLOW_DOCTYPE_DECL_FEATURE)) {
+ fDisallowDoctype = state;
+ return;
+ }
 }
 } // setFeature(String,boolean)
@@ -765,6 +784,9 @@
 break;
 }
 case SCANNER_STATE_DOCTYPE: {
+ if (fDisallowDoctype) {
+ reportFatalError("DoctypeNotAllowed", null);
+ }
 if (fSeenDoctypeDecl) {
 reportFatalError("AlreadySeenDoctype", null);
 }
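Review bot: The Javadoc on the new `DISALLOW_DOCTYPE_DECL_FEATURE` identifier in the first hunk was copied from the line above and still says "load external DTD"; it should read `/** Feature identifier: disallow DOCTYPE declaration. */`. The name also breaks the sibling convention (`LOAD_EXTERNAL_DTD` carries no `_FEATURE` suffix) and is identical to `Constants.DISALLOW_DOCTYPE_DECL_FEATURE`, which holds the un-prefixed short name — the reset() hunk uses the prefixed one and the setFeature() hunk the short one, which is correct but easy to get backwards under identical names. Naming the scanner-local identifier `DISALLOW_DOCTYPE_DECL` would keep the full id and the short name visually distinct.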
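Review bot: In the second hunk the new `Boolean.FALSE` entry is only tied to `DISALLOW_DOCTYPE_DECL_FEATURE` by its position in a separate array, and nothing says so; the next feature added to one array and not the other would silently shift the defaults. A one-line comment on `FEATURE_DEFAULTS` would make the coupling explicit, e.g. `/** Feature defaults, positional: keep in sync with RECOGNIZED_FEATURES. */`.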
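Review bot: In the reset() hunk the catch hard-codes `fDisallowDoctype = false`, duplicating the `Boolean.FALSE` in FEATURE_DEFAULTS, so a configuration that does not recognise the feature quietly fails open; for a control whose purpose is to stop a crash-inducing input that deserves to be visible at the call site rather than inferred from the fLoadExternalDTD pattern it mirrors. At minimum add `// feature unknown to this configuration: fall back to off (fail-open), matching FEATURE_DEFAULTS` above the assignment, and consider reading the default from one place so the literal and the array cannot drift apart. The enclosing reset() method starts and ends outside this hunk.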
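Review bot: In the SCANNER_STATE_DOCTYPE hunk the new check only calls `reportFatalError("DoctypeNotAllowed", null)` and then falls through into the existing DOCTYPE handling, so the protection holds only if reportFatalError never returns; if the configured error handler does not throw (the Constants.java hunk shows a "continue-after-fatal-error" feature exists), the scanner goes on to process the very declaration — internal subset included — that the commit log says can bring the JVM down. When fDisallowDoctype is set the branch should not enter declaration scanning at all (skip the declaration or make the remaining handling conditional on the check), or at minimum carry a comment such as `// relies on reportFatalError() not returning; otherwise the DOCTYPE is still scanned` so the dependency is explicit. The "DoctypeNotAllowed" key is not added to any message resource in this commit, so verify it exists in the scanner's message bundle or the report will surface as a missing-key error. The rest of the case body and the enclosing method lie outside the hunk.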