changeset 6877:07004bb53c3c

8026417: Enhance XML canonicalization Summary: Copy before use mutable byte arrays. Also reviewed by Alexander Fomin <alexander.fomin@oracle.com> Reviewed-by: weijun, mullan, hawtin, ahgross
author xuelei
date Wed, 23 Oct 2013 21:32:52 -0700
parents 3fd08b034937
children 8a60b069f9cd ff7327ac386e
files src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java
diffstat 1 files changed, 27 insertions(+), 23 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java	Tue Oct 22 22:23:59 2013 -0700
+++ b/src/share/classes/com/sun/org/apache/xml/internal/security/c14n/implementations/CanonicalizerBase.java	Wed Oct 23 21:32:52 2013 -0700
@@ -63,6 +63,9 @@
 public abstract class CanonicalizerBase extends CanonicalizerSpi {
    //Constants to be outputed, In char array form, so
    //less garbage is generate when outputed.
+   //
+   // Make sure you clone the following mutable arrays before passing to
+   // potentially untrusted objects such as OutputStreams.
    private static final byte[] _END_PI = {'?','>'};
    private static final byte[] _BEGIN_PI = {'<','?'};
    private static final byte[] _END_COMM = {'-','-','>'};
@@ -75,10 +78,11 @@
    private static final byte[] _LT_ = {'&','l','t',';'};
    private static final byte[] _END_TAG = {'<','/'};
    private static final byte[] _AMP_ = {'&','a','m','p',';'};
+   private static final byte[] _EQUALS_STR = {'=','\"'};
+
    final static AttrCompare COMPARE=new AttrCompare();
    final static String XML="xml";
    final static String XMLNS="xmlns";
-   final static byte[] equalsStr= {'=','\"'};
    static final int NODE_BEFORE_DOCUMENT_ELEMENT = -1;
    static final int NODE_NOT_BEFORE_OR_AFTER_DOCUMENT_ELEMENT = 0;
    static final int NODE_AFTER_DOCUMENT_ELEMENT = 1;
@@ -302,7 +306,7 @@
                         writer.write('>');
                         sibling= currentNode.getFirstChild();
                         if (sibling==null) {
-                                writer.write(_END_TAG);
+                                writer.write(_END_TAG.clone());
                                 UtfHelpper.writeStringToUtf8(name,writer);
                                 writer.write('>');
                                 //We fineshed with this level, pop to the previous definitions.
@@ -316,7 +320,7 @@
                         break;
                 }
                 while (sibling==null  && parentNode!=null) {
-                        writer.write(_END_TAG);
+                        writer.write(_END_TAG.clone());
                         UtfHelpper.writeByte(((Element)parentNode).getTagName(),writer,cache);
                         writer.write('>');
                         //We fineshed with this level, pop to the previous definitions.
@@ -472,7 +476,7 @@
 
                         if (sibling==null) {
                                 if (currentNodeIsVisible) {
-                                        writer.write(_END_TAG);
+                                        writer.write(_END_TAG.clone());
                                         UtfHelpper.writeByte(name,writer,cache);
                                         writer.write('>');
                                         //We fineshed with this level, pop to the previous definitions.
@@ -490,7 +494,7 @@
                 }
                 while (sibling==null  && parentNode!=null) {
                         if (isVisible(parentNode)) {
-                                writer.write(_END_TAG);
+                                writer.write(_END_TAG.clone());
                                 UtfHelpper.writeByte(((Element)parentNode).getTagName(),writer,cache);
                                 writer.write('>');
                                 //We fineshed with this level, pop to the previous definitions.
@@ -653,7 +657,7 @@
                                 final Map cache) throws IOException {
               writer.write(' ');
               UtfHelpper.writeByte(name,writer,cache);
-              writer.write(equalsStr);
+              writer.write(_EQUALS_STR.clone());
               byte  []toWrite;
               final int length = value.length();
               int i=0;
@@ -663,27 +667,27 @@
                  switch (c) {
 
                  case '&' :
-                        toWrite=_AMP_;
+                        toWrite=_AMP_.clone();
                     break;
 
                  case '<' :
-                        toWrite=_LT_;
+                        toWrite=_LT_.clone();
                     break;
 
                  case '"' :
-                        toWrite=_QUOT_;
+                        toWrite=_QUOT_.clone();
                     break;
 
                  case 0x09 :    // '\t'
-                        toWrite=__X9_;
+                        toWrite=__X9_.clone();
                     break;
 
                  case 0x0A :    // '\n'
-                        toWrite=__XA_;
+                        toWrite=__XA_.clone();
                     break;
 
                  case 0x0D :    // '\r'
-                        toWrite=__XD_;
+                        toWrite=__XD_.clone();
                     break;
 
                  default :
@@ -712,7 +716,7 @@
               if (position == NODE_AFTER_DOCUMENT_ELEMENT) {
                 writer.write('\n');
               }
-              writer.write(_BEGIN_PI);
+              writer.write(_BEGIN_PI.clone());
 
               final String target = currentPI.getTarget();
               int length = target.length();
@@ -720,7 +724,7 @@
               for (int i = 0; i < length; i++) {
                  char c=target.charAt(i);
                  if (c==0x0D) {
-                    writer.write(__XD_);
+                    writer.write(__XD_.clone());
                  } else {
                          if (c < 0x80)  {
                                 writer.write(c);
@@ -740,14 +744,14 @@
                  for (int i = 0; i < length; i++) {
                         char c=data.charAt(i);
                     if (c==0x0D) {
-                       writer.write(__XD_);
+                       writer.write(__XD_.clone());
                     } else {
                         UtfHelpper.writeCharToUtf8(c,writer);
                     }
                  }
               }
 
-              writer.write(_END_PI);
+              writer.write(_END_PI.clone());
               if (position == NODE_BEFORE_DOCUMENT_ELEMENT) {
                 writer.write('\n');
              }
@@ -764,7 +768,7 @@
                   if (position == NODE_AFTER_DOCUMENT_ELEMENT) {
                         writer.write('\n');
                   }
-              writer.write(_BEGIN_COMM);
+              writer.write(_BEGIN_COMM.clone());
 
               final String data = currentComment.getData();
               final int length = data.length();
@@ -772,7 +776,7 @@
               for (int i = 0; i < length; i++) {
                  char c=data.charAt(i);
                  if (c==0x0D) {
-                    writer.write(__XD_);
+                    writer.write(__XD_.clone());
                  } else {
                          if (c < 0x80)  {
                                 writer.write(c);
@@ -782,7 +786,7 @@
                  }
               }
 
-              writer.write(_END_COMM);
+              writer.write(_END_COMM.clone());
               if (position == NODE_BEFORE_DOCUMENT_ELEMENT) {
                         writer.write('\n');
                  }
@@ -804,19 +808,19 @@
                  switch (c) {
 
                  case '&' :
-                        toWrite=_AMP_;
+                        toWrite=_AMP_.clone();
                     break;
 
                  case '<' :
-                        toWrite=_LT_;
+                        toWrite=_LT_.clone();
                     break;
 
                  case '>' :
-                        toWrite=_GT_;
+                        toWrite=_GT_.clone();
                     break;
 
                  case 0xD :
-                        toWrite=__XD_;
+                        toWrite=__XD_.clone();
                     break;
 
                  default :