xalan-j2/SOURCES/xalan-j2-CVE-2014-0107.patch

diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
index 1298943..96a5e58 100644
--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
           reader = XMLReaderFactory.createXMLReader();
         }
 
+        if(m_isSecureProcessing)
+        {
+            reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+        }
         // Need to set options!
         reader.setContentHandler(handler);
         reader.parse(isource);
diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
index b946743..17b7395 100644
--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
       }
       else
       {
-        // Can we switch the order here:
-
-        boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
-                             attributes.getQName(i), attributes.getValue(i),
-                             target);
-                             
-        // Now we only add the element if it passed a validation check
-        if (success)
-            processedDefs.add(attrDef);
-        else
-            errorDefs.add(attrDef);
+        //handle secure processing
+        if(handler.getStylesheetProcessor()==null)
+            System.out.println("stylesheet processor null");
+        if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
+        {
+            //foreign attributes are not allowed in secure processing mode
+            // Then barf, because this element does not allow this attribute.
+            handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
+            //+ " attribute is not allowed on the " + rawName
+            // + " element!", null);
+        }
+        else
+        {
+
+
+            boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+                                 attributes.getQName(i), attributes.getValue(i),
+                                 target);
+
+            // Now we only add the element if it passed a validation check
+            if (success)
+                processedDefs.add(attrDef);
+            else
+                errorDefs.add(attrDef);
+        }
       }
     }
 
diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
index dd0d4d9..0906d24 100644
--- a/src/org/apache/xalan/transformer/TransformerImpl.java
+++ b/src/org/apache/xalan/transformer/TransformerImpl.java
@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
     try
     {
       if (sroot.getExtensions() != null)
-        m_extensionsTable = new ExtensionsTable(sroot);
+        //only load extensions if secureProcessing is disabled
+        if(!sroot.isSecureProcessing())
+            m_extensionsTable = new ExtensionsTable(sroot);
     }
     catch (javax.xml.transform.TransformerException te)
     {te.printStackTrace();}
diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
index 4bea356..78ac980 100644
--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
 
     String fullName = m_arg0.execute(xctxt).str();
     int indexOfNSSep = fullName.indexOf(':');
-    String result;
+    String result = null;
     String propName = "";
 
     // List of properties where the name of the
@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
 
         try
         {
-          result = System.getProperty(propName);
-
-          if (null == result)
-          {
-
-            // result = System.getenv(propName);
-            return XString.EMPTYSTRING;
-          }
+            //if secure procession is enabled only handle required properties do not not map any valid system property
+            if(!xctxt.isSecureProcessing())
+            {
+                result = System.getProperty(propName);
+            }
+            else
+            {
+                warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+                        new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
+            }
+            if (null == result)
+            {
+                return XString.EMPTYSTRING;
+            }
         }
         catch (SecurityException se)
         {
@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
     {
       try
       {
-        result = System.getProperty(fullName);
-
-        if (null == result)
-        {
-
-          // result = System.getenv(fullName);
-          return XString.EMPTYSTRING;
-        }
+          //if secure procession is enabled only handle required properties do not not map any valid system property
+          if(!xctxt.isSecureProcessing())
+          {
+              result = System.getProperty(fullName);
+          }
+          else
+          {
+              warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+                      new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
+          }
+          if (null == result)
+          {
+              return XString.EMPTYSTRING;
+          }
       }
       catch (SecurityException se)
       {