DefaultEntityResolver: allow subclasses to register new internal filenames.

carlosame · carlosame · commit 927d28003b1f · 2020-09-17T21:31:22.000+02:00
diff --git a/junit/io/sf/carte/doc/xml/dtd/DefaultEntityResolverTest.java b/junit/io/sf/carte/doc/xml/dtd/DefaultEntityResolverTest.java
@@ -198,6 +198,30 @@ public void resolveNonexistent() {
 		assertNull(isrc);
 	}
 
+	@Test
+	public void testRegisterInvalidPathFromSubclass() throws SAXException, IOException {
+		try {
+			resolver.registerSystemIdFilename("http://www.example.com/bad.dtd", null);
+			fail("Must throw an exception.");
+		} catch (NullPointerException e) {
+		}
+		try {
+			resolver.registerSystemIdFilename(null, "/some/path");
+			fail("Must throw an exception.");
+		} catch (NullPointerException e) {
+		}
+		try {
+			resolver.registerSystemIdFilename("http://www.example.com/bad.dtd", "");
+			fail("Must throw an exception.");
+		} catch (IllegalArgumentException e) {
+		}
+		try {
+			resolver.registerSystemIdFilename("http://www.example.com/bad.dtd", "/path/to/confidential/stuff");
+			fail("Must throw an exception.");
+		} catch (IllegalArgumentException e) {
+		}
+	}
+
 	@Test
 	public void testIsInvalidPath() throws SAXException, IOException {
 		assertTrue(resolver.isInvalidPath(new URL("http://dtd.example.com/etc/passwd").getPath()));
diff --git a/src/io/sf/carte/doc/xml/dtd/DefaultEntityResolver.java b/src/io/sf/carte/doc/xml/dtd/DefaultEntityResolver.java
@@ -19,7 +19,6 @@
 import java.net.URL;
 import java.net.URLConnection;
 import java.nio.charset.StandardCharsets;
-import java.security.AccessControlException;
 import java.security.PrivilegedActionException;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -218,6 +217,46 @@ public InputSource getExternalSubset(String name, String baseURI) throws SAXExce
 		return null;
 	}
 
+	/**
+	 * Register an internal classpath filename to retrieve a DTD {@code SystemId}.
+	 * 
+	 * @param systemId the {@code SystemId}.
+	 * @param filename the internal filename.
+	 * @return {@code true} if the new {@code SystemId} was successfully registered,
+	 *         {@code false} if it was already registered.
+	 * @throws IllegalArgumentException if the {@code filename} is considered
+	 *                                  invalid by
+	 *                                  {@link #isInvalidInternalPath(String)}.
+	 */
+	protected boolean registerSystemIdFilename(String systemId, String filename) {
+		if (filename == null || systemId == null) {
+			throw new NullPointerException("Null SystemId or filename.");
+		}
+		if (isInvalidInternalPath(filename)) {
+			throw new IllegalArgumentException("Bad DTD filename.");
+		}
+		String ret;
+		synchronized (systemIdToFilename) {
+			ret = systemIdToFilename.putIfAbsent(systemId, filename);
+		}
+		return ret == null;
+	}
+
+	/**
+	 * Determine if the given pathname is an invalid internal path.
+	 * <p>
+	 * The pathname must contain {@code /dtd/} and be a valid path according to
+	 * {@link #isInvalidPath(String)}.
+	 * </p>
+	 * 
+	 * @param pathname the classpath pathname to check. It is assumed to be
+	 *                 non-{@code null}.
+	 * @return {@code true} if the pathname is invalid.
+	 */
+	protected boolean isInvalidInternalPath(String pathname) {
+		return isInvalidPath(pathname) || !pathname.contains("/dtd/");
+	}
+
 	@Override
 	public final InputSource resolveEntity(String name, String publicId, String baseURI, String systemId)
 			throws SAXException, IOException {
@@ -296,6 +335,15 @@ private String getSystemIdFromPublicId(String publicId) {
 		return null;
 	}
 
+	/**
+	 * Determine if the given path is considered invalid for a DTD.
+	 * <p>
+	 * To be valid, must end with {@code .dtd}, {@code .ent} or {@code .mod}.
+	 * </p>
+	 * 
+	 * @param path the path to check.
+	 * @return {@code true} if the path is invalid for a DTD, {@code false} otherwise.
+	 */
 	protected boolean isInvalidPath(String path) {
 		int len = path.length();
 		String ext;
@@ -314,6 +362,9 @@ protected boolean isWhitelistEnabled() {
 
 	/**
 	 * Is the given protocol not supported by this resolver ?
+	 * <p>
+	 * Only {@code http} and {@code https} are valid.
+	 * </p>
 	 * 
 	 * @param protocol
 	 *            the protocol.
@@ -411,8 +462,7 @@ private Reader loadDTDfromClasspath(final String dtdFilename) {
 			buf.append('/').append(pkgPath).append('/').append(dtdFilename);
 			resPath = buf.toString();
 		} else {
-			// All filenames must be relative
-			throw new AccessControlException("Attempt to read " + dtdFilename);
+			resPath = dtdFilename;
 		}
 		InputStream is = java.security.AccessController.doPrivileged(new java.security.PrivilegedAction<InputStream>() {
 			@Override
