8356294: Enhance Path Factories

Reviewed-by: abakhtin, fferrari, andrew Backport-of: 5835cefe4946524af3be4933b20cd1b0005b0ad0
2025-12-11 01:00:23 -06:00 · 2025-09-03 01:40:28 +00:00 · 2025-09-03 01:40:28 +00:00 · 2c7f45612d
commit 2c7f45612d
parent 974f4da2e5
3 changed files with 23 additions and 1 deletions
--- a/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.java
+++ b/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.java
@ -184,6 +184,7 @@ public  class XPathFactoryImpl extends XPathFactory {
                if (value && _featureManager != null) {
                    _featureManager.setFeature(JdkXmlFeatures.XmlFeature.ENABLE_EXTENSION_FUNCTION,
                            JdkXmlFeatures.State.FSP, false);
+                    _xmlSecMgr.setSecureProcessing(value);
                }

                // all done processing feature
--- a/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImplUtil.java
+++ b/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImplUtil.java
@ -31,6 +31,7 @@ import com.sun.org.apache.xpath.internal.axes.LocPathIterator;
 import com.sun.org.apache.xpath.internal.objects.XObject;
 import com.sun.org.apache.xpath.internal.res.XPATHErrorResources;
 import java.io.IOException;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@ -54,7 +55,7 @@ import org.xml.sax.SAXException;
 * This class contains several utility methods used by XPathImpl and
 * XPathExpressionImpl
 *
- * @LastModified: Jan 2022
+ * @LastModified: June 2025
 */
 class XPathImplUtil {
    XPathFunctionResolver functionResolver;
@ -130,6 +131,10 @@ class XPathImplUtil {
            // so we really have to create a fresh DocumentBuilder every time we need one
            // - KK
            DocumentBuilderFactory dbf = JdkXmlUtils.getDOMFactory(overrideDefaultParser);
+            if (xmlSecMgr != null && xmlSecMgr.isSecureProcessingSet()) {
+                dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+                        xmlSecMgr.isSecureProcessing());
+            }
            return dbf.newDocumentBuilder().parse(source);
        } catch (ParserConfigurationException | SAXException | IOException e) {
            throw new XPathExpressionException (e);
--- a/src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java
+++ b/src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java
@ -189,6 +189,12 @@ public final class XMLSecurityManager {
     */
    boolean secureProcessing;

+    /**
+     * Flag indicating the secure processing is set explicitly through factories'
+     * setFeature method and then the setSecureProcessing method
+     */
+    boolean secureProcessingSet;
+
    /**
     * States that determine if properties are set explicitly
     */
@ -236,6 +242,7 @@ public final class XMLSecurityManager {
     * Setting FEATURE_SECURE_PROCESSING explicitly
     */
    public void setSecureProcessing(boolean secure) {
+        secureProcessingSet = true;
        secureProcessing = secure;
        for (Limit limit : Limit.values()) {
            if (secure) {
@ -254,6 +261,15 @@ public final class XMLSecurityManager {
        return secureProcessing;
    }

+    /**
+     * Returns the state indicating whether the Secure Processing is set explicitly,
+     * via factories' setFeature and then this class' setSecureProcessing method.
+     * @return the state indicating whether the Secure Processing is set explicitly
+     */
+    public boolean isSecureProcessingSet() {
+        return secureProcessingSet;
+    }
+
    /**
     * Set limit by property name and state
     * @param propertyName property name