neilg 2003/01/08 15:04:11 Modified: java/src/org/apache/xerces/impl XMLEntityManager.java java/src/org/apache/xerces/impl/msg XMLMessages.properties Log: applying a patch, based on code Neeraj committed earlier to a branch, that leverages the new SecurityManager property to fix the entity expansion DOS hole. Revision Changes Path 1.55 +45 -3 xml-xerces/java/src/org/apache/xerces/impl/XMLEntityManager.java Index: XMLEntityManager.java =================================================================== RCS file: /home/cvs/xml-xerces/java/src/org/apache/xerces/impl/XMLEntityManager.java,v retrieving revision 1.54 retrieving revision 1.55 diff -u -r1.54 -r1.55 --- XMLEntityManager.java 7 Dec 2002 00:15:58 -0000 1.54 +++ XMLEntityManager.java 8 Jan 2003 23:04:10 -0000 1.55 @@ -80,6 +80,7 @@ import org.apache.xerces.util.EncodingMap; import org.apache.xerces.util.XMLStringBuffer; +import org.apache.xerces.util.SecurityManager; import org.apache.xerces.util.SymbolTable; import org.apache.xerces.util.URI; import org.apache.xerces.util.XMLChar; @@ -128,7 +129,7 @@ // /** Default buffer size (2048). */ - public static final int DEFAULT_BUFFER_SIZE = 2048; + public static final int DEFAULT_BUFFER_SIZE = 2048; /** Default buffer size before we've finished with the XMLDecl: */ public static final int DEFAULT_XMLDECL_BUFFER_SIZE = 64; @@ -180,6 +181,10 @@ protected static final String BUFFER_SIZE = Constants.XERCES_PROPERTY_PREFIX + Constants.BUFFER_SIZE_PROPERTY; + /** property identifier: security manager. */ + protected static final String SECURITY_MANAGER = + Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; + // recognized features and properties /** Recognized features. */ @@ -206,7 +211,8 @@ ERROR_REPORTER, ENTITY_RESOLVER, VALIDATION_MANAGER, - BUFFER_SIZE + BUFFER_SIZE, + SECURITY_MANAGER, }; /** Property defaults. */ 
@@ -216,6 +222,7 @@ null, null, new Integer(DEFAULT_BUFFER_SIZE), + null, }; private static final String XMLEntity = "[xml]".intern(); @@ -309,6 +316,10 @@ */ protected int fBufferSize = DEFAULT_BUFFER_SIZE; + // stores defaults for entity expansion limit if it has + // been set on the configuration. + protected SecurityManager fSecurityManager = null; + /** * True if the document entity is standalone. This should really * only be set by the document source (e.g. XMLDocumentScanner). @@ -335,6 +346,12 @@ /** XML 1.1 entity scanner. */ protected XMLEntityScanner fXML11EntityScanner; + // entity expansion limit (contains useful data if and only if + // fSecurityManager is non-null) + protected int fEntityExpansionLimit = 0; + // entity currently being expanded: + protected int fEntityExpansionCount = 0; + // entities /** Entities. */ @@ -862,6 +879,18 @@ String encoding = setupCurrentEntity(name, xmlInputSource, literal, isExternal); + //when entity expansion limit is set by the Application, we need to + //check for the entity expansion limit set by the parser, if number of entity + //expansions exceeds the entity expansion limit, parser will throw fatal error. + // Note that this is intentionally unbalanced; it counts + // the number of expansions *per document*. + if( fSecurityManager != null && fEntityExpansionCount++ > fEntityExpansionLimit ){ + fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN, + "EntityExpansionLimitExceeded", + new Object[]{new Integer(fEntityExpansionLimit) }, + XMLErrorReporter.SEVERITY_FATAL_ERROR ); + } + // call handler if (fEntityHandler != null) { fEntityHandler.startEntity(name, fResourceIdentifier, encoding); 
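Review bot: The comment added above `fSecurityManager` does not say what a null value means. The check added in the entity-start hunk is guarded by `fSecurityManager != null`, so a parser whose application never sets the property runs with no expansion limit at all. That opt-in behaviour is worth stating on the field, for example `/** Security manager that supplies the entity expansion limit; null means no limit is enforced. */`. A Javadoc comment would also match the neighbouring field declarations visible in this hunk.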
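Review bot: The comment `// entity currently being expanded:` above `fEntityExpansionCount` describes something the field does not hold. Per the other hunks it is a counter that is incremented on each expansion and set back to 0 in the reset code. Suggest `// number of entity expansions started so far in the current document`. The comment on `fEntityExpansionLimit` could also say that its initial 0 is a placeholder while no security manager is set, not a limit of zero.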
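Review bot: The test `fEntityExpansionCount++ > fEntityExpansionLimit` compares the count before incrementing it, so with a limit of N the error is first reported on expansion N+2 and N+1 expansions pass silently, which does not match the message text `more than "{0}"`. Using `if (fSecurityManager != null && ++fEntityExpansionCount > fEntityExpansionLimit) {` would report on the first expansion past the limit. The check also sits after `setupCurrentEntity(...)`, so the entity that crosses the limit has already been set up when the error is raised; moving the check above that call looks safer, though the start of the enclosing method is outside the hunk. The guard also depends on the fatal error actually aborting the parse, so if the error reporter is configured to return after a fatal error, expansion presumably continues past the limit.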
@@ -1095,11 +1124,20 @@ catch (XMLConfigurationException e) { fValidationManager = null; } + try { + fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER); + } + catch (XMLConfigurationException e) { + fSecurityManager = null; + } + fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0; + // initialize state fStandalone = false; fEntities.clear(); fEntityStack.removeAllElements(); + fEntityExpansionCount = 0; fCurrentEntity = null; // reset scanner @@ -1224,6 +1262,10 @@ fBufferSize = bufferSize.intValue(); fEntityScanner.setBufferSize(fBufferSize); } + } + if (property.equals(Constants.SECURITY_MANAGER_PROPERTY)) { + fSecurityManager = (SecurityManager)value; + fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0; } } 1.16 +5 -0 xml-xerces/java/src/org/apache/xerces/impl/msg/XMLMessages.properties Index: XMLMessages.properties =================================================================== RCS file: /home/cvs/xml-xerces/java/src/org/apache/xerces/impl/msg/XMLMessages.properties,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- XMLMessages.properties 2 Dec 2002 19:26:53 -0000 1.15 +++ XMLMessages.properties 8 Jan 2003 23:04:11 -0000 1.16 @@ -274,3 +274,8 @@ MSG_SPACE_REQUIRED_AFTER_SYSTEMLITERAL_IN_EXTERNALID=MSG_SPACE_REQUIRED_AFTER_SYSTEMLITERAL_IN_EXTERNALID OpenQuoteMissingInDecl=OpenQuoteMissingInDecl InvalidCharInLiteral=InvalidCharInLiteral + + +#Application can set the limit of number of entities that should be expanded by the parser. +EntityExpansionLimitExceeded=The parser has encountered more than \"{0}\" entity expansions in this document; this is the limit imposed by the application. +
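Review bot: The cast `(SecurityManager)componentManager.getProperty(SECURITY_MANAGER)` in the reset code is unchecked and the surrounding `catch` handles only `XMLConfigurationException`, so a property value of another type surfaces as a `ClassCastException` from inside the entity manager. The same cast appears in the property-setter hunk at `fSecurityManager = (SecurityManager)value;`. An `instanceof` test that silently leaves `fSecurityManager` null would fail open and disable the limit, so rejecting the wrong type with a configuration error seems preferable; this is hedged because any validation done by the configuration layer is not visible here. The repeated expression `(fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0` could also move into one small private helper used by both places. Both enclosing methods start outside their hunks.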