[2674] | 1 | /* |
---|
| 2 | * Licensed to the Apache Software Foundation (ASF) under one or more |
---|
| 3 | * contributor license agreements. See the NOTICE file distributed with |
---|
| 4 | * this work for additional information regarding copyright ownership. |
---|
| 5 | * The ASF licenses this file to You under the Apache License, Version 2.0 |
---|
| 6 | * (the "License"); you may not use this file except in compliance with |
---|
| 7 | * the License. You may obtain a copy of the License at |
---|
| 8 | * |
---|
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
| 10 | * |
---|
| 11 | * Unless required by applicable law or agreed to in writing, software |
---|
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
| 14 | * See the License for the specific language governing permissions and |
---|
| 15 | * limitations under the License. |
---|
| 16 | */ |
---|
| 17 | |
---|
| 18 | /* |
---|
| 19 | * $Id: SecurityManager.hpp 568078 2007-08-21 11:43:25Z amassari $ |
---|
| 20 | */ |
---|
| 21 | |
---|
| 22 | #ifndef SECURITYMANAGER_HPP |
---|
| 23 | #define SECURITYMANAGER_HPP |
---|
| 24 | |
---|
| 25 | #include <xercesc/util/XercesDefs.hpp> |
---|
| 26 | |
---|
| 27 | XERCES_CPP_NAMESPACE_BEGIN |
---|
| 28 | |
---|
| 29 | /** |
---|
| 30 | * Allow application to force the parser to behave in a security-conscious |
---|
| 31 | * way. |
---|
| 32 | * |
---|
| 33 | * <p> There are cases in which an XML- or XmL-schema- |
---|
| 34 | * conformant processor can be presented with documents the |
---|
| 35 | * processing of which can involve the consumption of |
---|
| 36 | * prohibitive amounts of system resources. Applications can |
---|
| 37 | * attach instances of this class to parsers that they've |
---|
| 38 | * created, via the |
---|
| 39 | * http://apache.org/xml/properties/security-manager property. |
---|
| 40 | * </p> |
---|
| 41 | * |
---|
| 42 | * <p> Defaults will be provided for all known security holes. |
---|
| 43 | * Setter methods will be provided on this class to ensure that |
---|
| 44 | * an application can customize each limit as it chooses. |
---|
| 45 | * Components that are vulnerable to any given hole need to be |
---|
| 46 | * written to act appropriately when an instance of this class |
---|
| 47 | * has been set on the calling parser. |
---|
| 48 | * </p> |
---|
| 49 | */ |
---|
| 50 | |
---|
| 51 | class XMLUTIL_EXPORT SecurityManager |
---|
| 52 | { |
---|
| 53 | public: |
---|
| 54 | |
---|
| 55 | enum { ENTITY_EXPANSION_LIMIT = 50000}; |
---|
| 56 | |
---|
| 57 | /** @name default Constructors */ |
---|
| 58 | //@{ |
---|
| 59 | /** Default constructor */ |
---|
| 60 | SecurityManager() |
---|
| 61 | : fEntityExpansionLimit(ENTITY_EXPANSION_LIMIT) |
---|
| 62 | { |
---|
| 63 | } |
---|
| 64 | |
---|
| 65 | /** Destructor */ |
---|
| 66 | virtual ~SecurityManager(){}; |
---|
| 67 | //@} |
---|
| 68 | |
---|
| 69 | /** @name The Security Manager */ |
---|
| 70 | //@{ |
---|
| 71 | /** |
---|
| 72 | * An application should call this method when it wishes to specify a particular |
---|
| 73 | * limit to the number of entity expansions the parser will permit in a |
---|
| 74 | * particular document. The default behaviour should allow the parser |
---|
| 75 | * to validate nearly all XML non-malicious XML documents; if an |
---|
| 76 | * application knows that it is operating in a domain where entities are |
---|
| 77 | * uncommon, for instance, it may wish to provide a limit lower than the |
---|
| 78 | * parser's default. |
---|
| 79 | * |
---|
| 80 | * @param newLimit the new entity expansion limit |
---|
| 81 | * |
---|
| 82 | */ |
---|
| 83 | virtual void setEntityExpansionLimit(unsigned int newLimit) |
---|
| 84 | { |
---|
| 85 | fEntityExpansionLimit = newLimit; |
---|
| 86 | } |
---|
| 87 | |
---|
| 88 | /** |
---|
| 89 | * Permits the application or a parser component to query the current |
---|
| 90 | * limit for entity expansions. |
---|
| 91 | * |
---|
| 92 | * @return the current setting of the entity expansion limit |
---|
| 93 | * |
---|
| 94 | */ |
---|
| 95 | virtual unsigned int getEntityExpansionLimit() const |
---|
| 96 | { |
---|
| 97 | return fEntityExpansionLimit; |
---|
| 98 | } |
---|
| 99 | //@} |
---|
| 100 | |
---|
| 101 | protected: |
---|
| 102 | unsigned int fEntityExpansionLimit; |
---|
| 103 | |
---|
| 104 | private: |
---|
| 105 | |
---|
| 106 | /* Unimplemented Constructors and operators */ |
---|
| 107 | /* Copy constructor */ |
---|
| 108 | SecurityManager(const SecurityManager&); |
---|
| 109 | |
---|
| 110 | /** Assignment operator */ |
---|
| 111 | SecurityManager& operator=(const SecurityManager&); |
---|
| 112 | }; |
---|
| 113 | |
---|
| 114 | XERCES_CPP_NAMESPACE_END |
---|
| 115 | |
---|
| 116 | #endif |
---|