[188] | 1 | /*
|
---|
| 2 | * The Apache Software License, Version 1.1
|
---|
| 3 | *
|
---|
| 4 | * Copyright (c) 2003 The Apache Software Foundation. All rights
|
---|
| 5 | * reserved.
|
---|
| 6 | *
|
---|
| 7 | * Redistribution and use in source and binary forms, with or without
|
---|
| 8 | * modification, are permitted provided that the following conditions
|
---|
| 9 | * are met:
|
---|
| 10 | *
|
---|
| 11 | * 1. Redistributions of source code must retain the above copyright
|
---|
| 12 | * notice, this list of conditions and the following disclaimer.
|
---|
| 13 | *
|
---|
| 14 | * 2. Redistributions in binary form must reproduce the above copyright
|
---|
| 15 | * notice, this list of conditions and the following disclaimer in
|
---|
| 16 | * the documentation and/or other materials provided with the
|
---|
| 17 | * distribution.
|
---|
| 18 | *
|
---|
| 19 | * 3. The end-user documentation included with the redistribution,
|
---|
| 20 | * if any, must include the following acknowledgment:
|
---|
| 21 | * "This product includes software developed by the
|
---|
| 22 | * Apache Software Foundation (http://www.apache.org/)."
|
---|
| 23 | * Alternately, this acknowledgment may appear in the software itself,
|
---|
| 24 | * if and wherever such third-party acknowledgments normally appear.
|
---|
| 25 | *
|
---|
| 26 | * 4. The names "Xerces" and "Apache Software Foundation" must
|
---|
| 27 | * not be used to endorse or promote products derived from this
|
---|
| 28 | * software without prior written permission. For written
|
---|
| 29 | * permission, please contact apache\@apache.org.
|
---|
| 30 | *
|
---|
| 31 | * 5. Products derived from this software may not be called "Apache",
|
---|
| 32 | * nor may "Apache" appear in their name, without prior written
|
---|
| 33 | * permission of the Apache Software Foundation.
|
---|
| 34 | *
|
---|
| 35 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
|
---|
| 36 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
---|
| 37 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
---|
| 38 | * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
|
---|
| 39 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
---|
| 40 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
---|
| 41 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
|
---|
| 42 | * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
---|
| 43 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
---|
| 44 | * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
---|
| 45 | * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
---|
| 46 | * SUCH DAMAGE.
|
---|
| 47 | * ====================================================================
|
---|
| 48 | *
|
---|
| 49 | * This software consists of voluntary contributions made by many
|
---|
| 50 | * individuals on behalf of the Apache Software Foundation, and was
|
---|
| 51 | * originally based on software copyright (c) 1999, International
|
---|
| 52 | * Business Machines, Inc., http://www.ibm.com . For more information
|
---|
| 53 | * on the Apache Software Foundation, please see
|
---|
| 54 | * <http://www.apache.org/>.
|
---|
| 55 | */
|
---|
| 56 |
|
---|
| 57 | /*
|
---|
| 58 | * $Log: SecurityManager.hpp,v $
|
---|
| 59 | * Revision 1.3 2004/01/29 11:48:46 cargilld
|
---|
| 60 | * Code cleanup changes to get rid of various compiler diagnostic messages.
|
---|
| 61 | *
|
---|
| 62 | * Revision 1.2 2003/04/22 12:53:38 neilg
|
---|
| 63 | * change const static member to an enum to make MSVC happy
|
---|
| 64 | *
|
---|
| 65 | * change ENTITY_EXPANSION_LIMIT from a static const data member to an enum
|
---|
| 66 | *
|
---|
| 67 | * Revision 1.1 2003/04/17 21:58:49 neilg
|
---|
| 68 | * Adding a new property,
|
---|
| 69 | * http://apache.org/xml/properties/security-manager, with
|
---|
| 70 | * appropriate getSecurityManager/setSecurityManager methods on DOM
|
---|
| 71 | * and SAX parsers. Also adding a new SecurityManager class.
|
---|
| 72 | *
|
---|
| 73 | * The purpose of these modifications is to permit applications a
|
---|
| 74 | * means to have the parser reject documents whose processing would
|
---|
| 75 | * otherwise consume large amounts of system resources. Malicious
|
---|
| 76 | * use of such documents could be used to launch a denial-of-service
|
---|
| 77 | * attack against a system running the parser. Initially, the
|
---|
| 78 | * SecurityManager only knows about attacks that can result from
|
---|
| 79 | * exponential entity expansion; this is the only known attack that
|
---|
| 80 | * involves processing a single XML document. Other, simlar attacks
|
---|
| 81 | * can be launched if arbitrary schemas may be parsed; there already
|
---|
| 82 | * exist means (via use of the EntityResolver interface) by which
|
---|
| 83 | * applications can deny processing of untrusted schemas. In future,
|
---|
| 84 | * the SecurityManager will be expanded to take these other exploits
|
---|
| 85 | * into account.
|
---|
| 86 | *
|
---|
| 87 | * Initial checkin of SecurityManager
|
---|
| 88 | *
|
---|
| 89 | * $Id: SecurityManager.hpp,v 1.3 2004/01/29 11:48:46 cargilld Exp $
|
---|
| 90 | *
|
---|
| 91 | */
|
---|
| 92 |
|
---|
| 93 | #ifndef SECURITYMANAGER_HPP
|
---|
| 94 | #define SECURITYMANAGER_HPP
|
---|
| 95 |
|
---|
| 96 | #include <xercesc/util/XercesDefs.hpp>
|
---|
| 97 |
|
---|
| 98 | XERCES_CPP_NAMESPACE_BEGIN
|
---|
| 99 |
|
---|
| 100 | /**
|
---|
| 101 | * Allow application to force the parser to behave in a security-conscious
|
---|
| 102 | * way.
|
---|
| 103 | *
|
---|
| 104 | * <p> There are cases in which an XML- or XmL-schema-
|
---|
| 105 | * conformant processor can be presented with documents the
|
---|
| 106 | * processing of which can involve the consumption of
|
---|
| 107 | * prohibitive amounts of system resources. Applications can
|
---|
| 108 | * attach instances of this class to parsers that they've
|
---|
| 109 | * created, via the
|
---|
| 110 | * http://apache.org/xml/properties/security-manager property.
|
---|
| 111 | * </p>
|
---|
| 112 | *
|
---|
| 113 | * <p> Defaults will be provided for all known security holes.
|
---|
| 114 | * Setter methods will be provided on this class to ensure that
|
---|
| 115 | * an application can customize each limit as it chooses.
|
---|
| 116 | * Components that are vulnerable to any given hole need to be
|
---|
| 117 | * written to act appropriately when an instance of this class
|
---|
| 118 | * has been set on the calling parser.
|
---|
| 119 | * </p>
|
---|
| 120 | */
|
---|
| 121 |
|
---|
| 122 | class XMLUTIL_EXPORT SecurityManager
|
---|
| 123 | {
|
---|
| 124 | public:
|
---|
| 125 |
|
---|
| 126 | enum { ENTITY_EXPANSION_LIMIT = 50000};
|
---|
| 127 |
|
---|
| 128 | /** @name default Constructors */
|
---|
| 129 | //@{
|
---|
| 130 | /** Default constructor */
|
---|
| 131 | SecurityManager()
|
---|
| 132 | : fEntityExpansionLimit(ENTITY_EXPANSION_LIMIT)
|
---|
| 133 | {
|
---|
| 134 | }
|
---|
| 135 |
|
---|
| 136 | /** Destructor */
|
---|
| 137 | virtual ~SecurityManager(){};
|
---|
| 138 | //@}
|
---|
| 139 |
|
---|
| 140 | /** @name The Security Manager */
|
---|
| 141 | //@{
|
---|
| 142 | /**
|
---|
| 143 | * An application should call this method when it wishes to specify a particular
|
---|
| 144 | * limit to the number of entity expansions the parser will permit in a
|
---|
| 145 | * particular document. The default behaviour should allow the parser
|
---|
| 146 | * to validate nearly all XML non-malicious XML documents; if an
|
---|
| 147 | * application knows that it is operating in a domain where entities are
|
---|
| 148 | * uncommon, for instance, it may wish to provide a limit lower than the
|
---|
| 149 | * parser's default.
|
---|
| 150 | *
|
---|
| 151 | * @param newLimit the new entity expansion limit
|
---|
| 152 | *
|
---|
| 153 | */
|
---|
| 154 | virtual void setEntityExpansionLimit(unsigned int newLimit)
|
---|
| 155 | {
|
---|
| 156 | fEntityExpansionLimit = newLimit;
|
---|
| 157 | }
|
---|
| 158 |
|
---|
| 159 | /**
|
---|
| 160 | * Permits the application or a parser component to query the current
|
---|
| 161 | * limit for entity expansions.
|
---|
| 162 | *
|
---|
| 163 | * @return the current setting of the entity expansion limit
|
---|
| 164 | *
|
---|
| 165 | */
|
---|
| 166 | virtual unsigned int getEntityExpansionLimit() const
|
---|
| 167 | {
|
---|
| 168 | return fEntityExpansionLimit;
|
---|
| 169 | }
|
---|
| 170 | //@}
|
---|
| 171 |
|
---|
| 172 | protected:
|
---|
| 173 | unsigned int fEntityExpansionLimit;
|
---|
| 174 |
|
---|
| 175 | private:
|
---|
| 176 |
|
---|
| 177 | /* Unimplemented Constructors and operators */
|
---|
| 178 | /* Copy constructor */
|
---|
| 179 | SecurityManager(const SecurityManager&);
|
---|
| 180 |
|
---|
| 181 | /** Assignment operator */
|
---|
| 182 | SecurityManager& operator=(const SecurityManager&);
|
---|
| 183 | };
|
---|
| 184 |
|
---|
| 185 | XERCES_CPP_NAMESPACE_END
|
---|
| 186 |
|
---|
| 187 | #endif
|
---|