com.sun.org.apache.xerces.internal.util.SecurityManager Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of org.apache.servicemix.bundles.jaxp-ri
Show all versions of org.apache.servicemix.bundles.jaxp-ri
This OSGi bundle wraps ${pkgArtifactId} ${pkgVersion} jar file.
The newest version!
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
* and Distribution License("CDDL") (collectively, the "License"). You
* may not use this file except in compliance with the License. You can
* obtain a copy of the License at
* https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
* or packager/legal/LICENSE.txt. See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at packager/legal/LICENSE.txt.
*
* GPL Classpath Exception:
* Oracle designates this particular file as subject to the "Classpath"
* exception as provided by Oracle in the GPL Version 2 section of the License
* file that accompanied this code.
*
* Modifications:
* If applicable, add the following below the License Header, with the fields
* enclosed by brackets [] replaced by your own identifying information:
* "Portions Copyright [year] [name of copyright owner]"
*
* Contributor(s):
* If you wish your version of this file to be governed by only the CDDL or
* only the GPL Version 2, indicate your decision by adding "[Contributor]
* elects to include this software in this distribution under the [CDDL or GPL
* Version 2] license." If you don't indicate a single choice of license, a
* recipient has the option to distribute your version of this file under
* either the CDDL, the GPL Version 2 or to extend the choice of license to
* its licensees as provided above. However, if you add GPL Version 2 code
* and therefore, elected the GPL Version 2 license, then the option applies
* only if the new code is made subject to such option by the copyright
* holder.
*
*
* This file incorporates work covered by the following copyright and
* permission notice:
*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.sun.org.apache.xerces.internal.util;
import com.sun.org.apache.xerces.internal.impl.Constants;
/**
* This class is a container for parser settings that relate to
* security, or more specifically, it is intended to be used to prevent denial-of-service
* attacks from being launched against a system running Xerces.
* Any component that is aware of a denial-of-service attack that can arise
* from its processing of a certain kind of document may query its Component Manager
* for the property (http://apache.org/xml/properties/security-manager)
* whose value will be an instance of this class.
* If no value has been set for the property, the component should proceed in the "usual" (spec-compliant)
* manner. If a value has been set, then it must be the case that the component in
* question needs to know what method of this class to query. This class
* will provide defaults for all known security issues, but will also provide
* setters so that those values can be tailored by applications that care.
*
* @author Neil Graham, IBM
*
* @version $Id: SecurityManager.java,v 1.5 2010-11-01 04:40:14 joehw Exp $
*/
public final class SecurityManager {
//
// Constants
//
// default value for entity expansion limit
private final static int DEFAULT_ENTITY_EXPANSION_LIMIT = 64000;
/** Default value of number of nodes created. **/
private final static int DEFAULT_MAX_OCCUR_NODE_LIMIT = 5000;
//
// Data
//
private final static int DEFAULT_ELEMENT_ATTRIBUTE_LIMIT = 10000;
/** Entity expansion limit. **/
private int entityExpansionLimit;
/** W3C XML Schema maxOccurs limit. **/
private int maxOccurLimit;
private int fElementAttributeLimit;
// default constructor. Establishes default values for
// all known security holes.
/**
* Default constructor. Establishes default values
* for known security vulnerabilities.
*/
public SecurityManager() {
entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT ;
fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
//We are reading system properties only once ,
//at the time of creation of this object ,
readSystemProperties();
}
/**
* Sets the number of entity expansions that the
* parser should permit in a document.
*
* @param limit the number of entity expansions
* permitted in a document
*/
public void setEntityExpansionLimit(int limit) {
entityExpansionLimit = limit;
}
/**
* Returns the number of entity expansions
* that the parser permits in a document.
*
* @return the number of entity expansions
* permitted in a document
*/
public int getEntityExpansionLimit() {
return entityExpansionLimit;
}
/**
* Sets the limit of the number of content model nodes
* that may be created when building a grammar for a W3C
* XML Schema that contains maxOccurs attributes with values
* other than "unbounded".
*
* @param limit the maximum value for maxOccurs other
* than "unbounded"
*/
public void setMaxOccurNodeLimit(int limit){
maxOccurLimit = limit;
}
/**
* Returns the limit of the number of content model nodes
* that may be created when building a grammar for a W3C
* XML Schema that contains maxOccurs attributes with values
* other than "unbounded".
*
* @return the maximum value for maxOccurs other
* than "unbounded"
*/
public int getMaxOccurNodeLimit(){
return maxOccurLimit;
}
public int getElementAttrLimit(){
return fElementAttributeLimit;
}
public void setElementAttrLimit(int limit){
fElementAttributeLimit = limit;
}
private void readSystemProperties(){
//TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
try {
String value = System.getProperty(Constants.ENTITY_EXPANSION_LIMIT);
if(value != null && !value.equals("")){
entityExpansionLimit = Integer.parseInt(value);
if (entityExpansionLimit < 0)
entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
}
else
entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
}catch(Exception ex){}
try {
String value = System.getProperty(Constants.MAX_OCCUR_LIMIT);
if(value != null && !value.equals("")){
maxOccurLimit = Integer.parseInt(value);
if (maxOccurLimit < 0)
maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
}
else
maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
}catch(Exception ex){}
try {
String value = System.getProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
if(value != null && !value.equals("")){
fElementAttributeLimit = Integer.parseInt(value);
if ( fElementAttributeLimit < 0)
fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
}
else
fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
}catch(Exception ex){}
}
} // class SecurityManager