Hello,

As you may have noticed, I just opened a bug report[1] about some security issues in Xalan. After some serious investigation, I have created a patch to change various static variables that could open security holes. This patch includes changes to about 214 classes across 29 packages. It may have an impact on your work, so please be aware of the changes. In general, I made the following changes:

1. Added the final modifier to static variables;
2. Reduced scope and added public get methods wherever appropriate;
3. Changed some static variables to instance variables;
4. Changed some interfaces to final classes, if those interfaces are used only to define constants;
5. Removed the usage of System.exit;
6. For the various org.apache.xml.utils.res.XResourceBundle classes, the getObject() methods return immutable array wrappers instead of arrays;
7. Changed the static methods of org.apache.xpath.compiler.FunctionTable to instance methods, and a reference to a function table is passed around during processing to create an XPath object;
8. Changed the flags FEATURE_INCREMENTAL, FEATURE_OPTIMIZE and FEATURE_SOURCE_LOCATION to instance variables in TransformerFactoryImpl, so they will not be changed during processing once a new Templates is created.

Please let me know if you have any concerns or comments.

Special thanks to Henry Zongaro ([EMAIL PROTECTED]) and Brian Minchau ([EMAIL PROTECTED])

[1] http://nagoya.apache.org/jira/browse/XALANJ-2008

Christine Li
XSLT Development
IBM Toronto Lab
Tel: (905)413-2601
Email: [EMAIL PROTECTED]
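The hardening pattern behind items 1, 2, 4 and 6 of the list above, as an added illustration that is not code from the Xalan patch; the class and field names are hypothetical:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Before: an interface used only to hold constants. Interface fields are
// implicitly public static final, but "final" only freezes the reference;
// the array contents stay writable by any code that can see the interface.
interface WeakConstants {
    String[] KEYWORDS = { "apply-templates", "value-of" };
}

// Before: a non-final public static. Any caller can replace the table for
// the whole JVM, affecting every thread and application sharing the class.
class WeakTable {
    public static String[] functionNames = { "count", "sum" };
}

// After: a final class with a private constructor replaces the interface,
// the array is private and final, and callers get only an unmodifiable
// view (as the XResourceBundle change does) or a defensive copy.
final class HardenedConstants {
    private static final String[] KEYWORDS = { "apply-templates", "value-of" };
    private static final List<String> KEYWORD_VIEW =
            Collections.unmodifiableList(Arrays.asList(KEYWORDS));

    private HardenedConstants() { }   // no instances, cannot be subclassed

    /** Read-only view: set() throws UnsupportedOperationException. */
    public static List<String> keywords() { return KEYWORD_VIEW; }

    /** Defensive copy for callers that really need an array. */
    public static String[] keywordArray() { return KEYWORDS.clone(); }
}

public class StaticHardeningDemo {
    public static void main(String[] args) {
        // The weak forms can be altered from anywhere with class access.
        WeakConstants.KEYWORDS[0] = "tampered";
        WeakTable.functionNames = new String[] { "tampered" };
        System.out.println("weak constant now: " + WeakConstants.KEYWORDS[0]);

        // The hardened form rejects writes through the view, and writing to
        // the copy leaves the shared state untouched.
        try {
            HardenedConstants.keywords().set(0, "tampered");
        } catch (UnsupportedOperationException e) {
            System.out.println("write through view rejected");
        }
        HardenedConstants.keywordArray()[0] = "tampered";
        System.out.println("hardened constant still: " + HardenedConstants.keywords().get(0));
    }
}
```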
