neilg 2003/01/08 15:03:12 Modified: java/src/org/apache/xerces/impl Constants.java Added: java/src/org/apache/xerces/util SecurityManager.java Log: add new SecurityManager property. Once components have been altered to handle security problems, this property will allow the parser to behave in a security-conscious way if and only if an application has caused it to be set on the configuration. Revision Changes Path 1.1 xml-xerces/java/src/org/apache/xerces/util/SecurityManager.java Index: SecurityManager.java =================================================================== /* * The Apache Software License, Version 1.1 * * * Copyright (c) 2003 The Apache Software Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The names "Xerces" and "Apache Software Foundation" must * not be used to endorse or promote products derived from this * software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache", * nor may "Apache" appear in their name, without prior written * permission of the Apache Software Foundation. 
* * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation and was * originally based on software copyright (c) 1999, International * Business Machines, Inc., http://www.apache.org. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. */ package org.apache.xerces.util; /** * This class is a container for parser settings that relate to * security, or more specifically, it is intended to be used to prevent denial-of-service * attacks from being launched against a system running Xerces. * Any component that is aware of a denial-of-service attack that can arise * from its processing of a certain kind of document may query its Component Manager * for the property (http://apache.org/xml/properties/security-manager) * whose value will be an instance of this class. * If no value has been set for the property, the component should proceed in the "usual" (spec-compliant) * manner. If a value has been set, then it must be the case that the component in * question needs to know what method of this class to query. 
This class * will provide defaults for all known security issues, but will also provide * setters so that those values can be tailored by applications that care. * * @author Neil Graham, IBM * * @version $Id: SecurityManager.java,v 1.1 2003/01/08 23:03:12 neilg Exp $ */ public final class SecurityManager { // // Constants // // default value for entity expansion limit private final static int DEFAULT_ENTITY_EXPANSION_LIMIT = 100000; // // Data // /** entity expansion limit */ private int entityExpansionLimit; // default constructor. Establishes default values for // all known security holes. public SecurityManager() { entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT; } // set the number of entity expansions that the // parser should permit in a document public void setEntityExpansionLimit(int limit) { entityExpansionLimit = limit; } // return the number of entity expansions that the // parser permits in a document public int getEntityExpansionLimit() { return entityExpansionLimit; } } // class SecurityManager 1.27 +5 -2 xml-xerces/java/src/org/apache/xerces/impl/Constants.java Index: Constants.java =================================================================== RCS file: /home/cvs/xml-xerces/java/src/org/apache/xerces/impl/Constants.java,v retrieving revision 1.26 retrieving revision 1.27 diff -u -r1.26 -r1.27 --- Constants.java 11 Dec 2002 16:14:30 -0000 1.26 +++ Constants.java 8 Jan 2003 23:03:12 -0000 1.27 @@ -2,7 +2,7 @@ * The Apache Software License, Version 1.1 * * - * Copyright (c) 2000-2002 The Apache Software Foundation. All rights + * Copyright (c) 2000-2003 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -288,6 +288,9 @@ /** Input buffer size property ("input-buffer-size"). */ public static final String BUFFER_SIZE_PROPERTY = "input-buffer-size"; + + /** Security manager property ("security-manager"). */ + public static final String SECURITY_MANAGER_PROPERTY = "security-manager"; /** Entity resolver property ("internal/entity-resolver"). */ public static final String ENTITY_RESOLVER_PROPERTY = "internal/entity-resolver";
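Review bot: setEntityExpansionLimit(int limit) in the new SecurityManager.java accepts any int, including zero and negative values, and neither the setter comment nor the class javadoc says what a component should do with such a value. Since the class javadoc tells components to query this value and act on it, either reject non-positive limits (an IllegalArgumentException in the setter) or document that they mean "no limit", so that every component interprets them the same way. The class javadoc also spells out the property URI (http://apache.org/xml/properties/security-manager) in prose only; a reference to Constants.SECURITY_MANAGER_PROPERTY there would keep the two from drifting apart.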
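Review bot: the @@ -288,6 +288,9 @@ hunk declares SECURITY_MANAGER_PROPERTY, but per the commit log no component reads it yet, so setting the property on a configuration currently changes nothing. The javadoc on the constant should say that the value is expected to be an org.apache.xerces.util.SecurityManager instance (as SecurityManager.java's own javadoc does) and that enforcement by the components is still to come, so that an application author does not assume a protection that is not implemented at this revision. If Constants.java also keeps an array of recognized Xerces property names, the new constant belongs in it in the same change.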
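How an application would opt in to the new property on a Xerces SAX parser, as an added example that is not part of this commit: it assumes the SecurityManager class and property URI exactly as shown above, and that the parser components which later honor the limit report an exceeded limit through the error handler as a fatal error.

```java
import java.io.StringReader;

import org.apache.xerces.parsers.SAXParser;
import org.apache.xerces.util.SecurityManager;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class SecureParseExample {

    // Full URI of the property: the Xerces property prefix plus
    // Constants.SECURITY_MANAGER_PROPERTY ("security-manager").
    private static final String SECURITY_MANAGER =
        "http://apache.org/xml/properties/security-manager";

    // Constructed sample document: one internal entity referenced twice. It is
    // far below any sensible limit and exists only to exercise the configuration.
    private static final String DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY who \"operator\"> ]>\n"
        + "<note>&who; says hello to &who;</note>\n";

    /** Parses DOC with the given entity expansion limit; returns true on success. */
    static boolean parseWithLimit(int limit) throws Exception {
        XMLReader reader = new SAXParser();

        // Opt in: the parser only behaves in the security-conscious way when an
        // application sets this property; without it, processing is spec-compliant.
        SecurityManager sm = new SecurityManager(); // default limit is 100000
        sm.setEntityExpansionLimit(limit);          // tighten it for this application
        reader.setProperty(SECURITY_MANAGER, sm);

        // DefaultHandler rethrows fatal errors, so an exceeded limit surfaces here
        // once the components enforce it (assumption: reported as a fatal error).
        reader.setErrorHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(DOC)));
            return true;
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("limit 1000 -> " + parseWithLimit(1000));
    }
}
```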