8343001: Adjust XSLT and XPath Extension Function Property

Author: JoeWang-Java

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/res/XSLTErrorResources.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -31,7 +31,7 @@
  * Array. You also need to update MAX_CODE for error strings
  * and MAX_WARNING for warnings ( Needed for only information
  * purpose )
- * @LastModified: May 2022
+ * @LastModified: Dec 2024
  */
 public class XSLTErrorResources extends ListResourceBundle
 {
@@ -1197,7 +1197,10 @@ public Object[][] getContents()
       "Cannot set the feature ''{0}'' on this TransformerFactory."},
 
     { ER_EXTENSION_ELEMENT_NOT_ALLOWED_IN_SECURE_PROCESSING,
-          "Use of the extension element ''{0}'' is not allowed when the secure processing feature is set to true."},
+        "Use of the extension function ''{0}'' is not allowed when extension "
+              + "functions are disabled by the secure processing feature or "
+              + "the property ''jdk.xml.enableExtensionFunctions''. "
+              + "To enable extension functions, set ''jdk.xml.enableExtensionFunctions'' to ''true''."},
 
     { ER_NAMESPACE_CONTEXT_NULL_NAMESPACE,
       "Cannot get the prefix for a null namespace uri."},

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/FunctionCall.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -62,7 +62,7 @@
  * @author Morten Jorgensen
  * @author Erwin Bolwidt <[email protected]>
  * @author Todd Miller
- * @LastModified: Nov 2017
+ * @LastModified: Dec 2024
  */
 class FunctionCall extends Expression {
 
@@ -958,61 +958,58 @@ public boolean isExtension() {
      * after stripping its namespace or <code>null</code>
      * if no such methods exist.
      */
-    private List<Method> findMethods() {
+    private List<Method> findMethods() throws TypeCheckError {
 
-          List<Method> result = null;
-          final String namespace = _fname.getNamespace();
+        List<Method> result = null;
+        final String namespace = _fname.getNamespace();
 
-          if (_className != null && _className.length() > 0) {
+        if (_className != null && _className.length() > 0) {
             final int nArgs = _arguments.size();
             try {
                 if (_clazz == null) {
                     final boolean isSecureProcessing = getXSLTC().isSecureProcessing();
                     final boolean isExtensionFunctionEnabled = getXSLTC()
                             .getFeature(JdkXmlFeatures.XmlFeature.ENABLE_EXTENSION_FUNCTION);
 
-                    //Check if FSP and SM - only then process with loading
-                    if (namespace != null && isSecureProcessing
-                            && isExtensionFunctionEnabled
-                            && (namespace.startsWith(JAVA_EXT_XALAN)
-                            || namespace.startsWith(JAVA_EXT_XSLTC)
-                            || namespace.startsWith(JAVA_EXT_XALAN_OLD)
-                            || namespace.startsWith(XALAN_CLASSPACKAGE_NAMESPACE))) {
-                        _clazz = getXSLTC().loadExternalFunction(_className);
+                    // the property has the precedence
+                    if (isExtensionFunctionEnabled) {
+                        if (getXSLTC().hasExtensionClassLoader()) {
+                            _clazz = getXSLTC().loadExternalFunction(_className);
+                        } else {
+                            _clazz = ObjectFactory.findProviderClass(_className, true);
+                        }
+                        if (_clazz == null) {
+                            final ErrorMsg msg
+                                    = new ErrorMsg(ErrorMsg.CLASS_NOT_FOUND_ERR, _className);
+                            getParser().reportError(Constants.ERROR, msg);
+                            return null;
+                        }
                     } else {
-                        _clazz = ObjectFactory.findProviderClass(_className, true);
+                        throw new TypeCheckError(ErrorMsg.UNSUPPORTED_EXT_FUNC_ERR, _className);
                     }
-
-                if (_clazz == null) {
-                  final ErrorMsg msg =
-                        new ErrorMsg(ErrorMsg.CLASS_NOT_FOUND_ERR, _className);
-                  getParser().reportError(Constants.ERROR, msg);
                 }
-              }
-
-              final String methodName = _fname.getLocalPart();
-              final Method[] methods = _clazz.getMethods();
-
-              for (int i = 0; i < methods.length; i++) {
-                final int mods = methods[i].getModifiers();
-                // Is it public and same number of args ?
-                if (Modifier.isPublic(mods)
-                    && methods[i].getName().equals(methodName)
-                    && methods[i].getParameterTypes().length == nArgs)
-                {
-                  if (result == null) {
-                    result = new ArrayList<>();
-                  }
-                  result.add(methods[i]);
+
+                final String methodName = _fname.getLocalPart();
+                final Method[] methods = _clazz.getMethods();
+
+                for (int i = 0; i < methods.length; i++) {
+                    final int mods = methods[i].getModifiers();
+                    // Is it public and same number of args ?
+                    if (Modifier.isPublic(mods)
+                            && methods[i].getName().equals(methodName)
+                            && methods[i].getParameterTypes().length == nArgs) {
+                        if (result == null) {
+                            result = new ArrayList<>();
+                        }
+                        result.add(methods[i]);
+                    }
                 }
-              }
-            }
-            catch (ClassNotFoundException e) {
-                  final ErrorMsg msg = new ErrorMsg(ErrorMsg.CLASS_NOT_FOUND_ERR, _className);
-                  getParser().reportError(Constants.ERROR, msg);
+            } catch (ClassNotFoundException e) {
+                final ErrorMsg msg = new ErrorMsg(ErrorMsg.CLASS_NOT_FOUND_ERR, _className);
+                getParser().reportError(Constants.ERROR, msg);
             }
-          }
-          return result;
+        }
+        return result;
     }
 
     /**

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2024, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -57,7 +57,7 @@
  * @author G. Todd Miller
  * @author Morten Jorgensen
  * @author John Howard ([email protected])
- * @LastModified: Jan 2022
+ * @LastModified: Dec 2024
  */
 public final class XSLTC {
 
@@ -291,6 +291,10 @@ private void setExternalExtensionFunctions(String name, Class<?> clazz) {
         }
     }
 
+    boolean hasExtensionClassLoader() {
+        return _extensionClassLoader != null;
+    }
+
     /*
      * Function loads an external extension function.
      * The filtering of function types (external,internal) takes place in FunctionCall class

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages.java

@@ -24,7 +24,7 @@
 
 /**
  * @author Morten Jorgensen
- * @LastModified: Nov 2024
+ * @LastModified: Dec 2024
  */
 public class ErrorMessages extends ListResourceBundle {
 
@@ -552,6 +552,15 @@ public Object[][] getContents()
         {ErrorMsg.DATA_CONVERSION_ERR,
         "Cannot convert data-type ''{0}'' to ''{1}''."},
 
+        /*
+         * Note to translators:  property name "jdk.xml.enableExtensionFunctions"
+         * and value "true" should not be translated.
+         */
+        {ErrorMsg.UNSUPPORTED_EXT_FUNC_ERR,
+        "Use of the extension function ''{0}'' is not allowed when extension "
+              + "functions are disabled by the secure processing feature or "
+              + "the property ''jdk.xml.enableExtensionFunctions''. "
+              + "To enable extension functions, set ''jdk.xml.enableExtensionFunctions'' to ''true''."},
         /*
          * Note to translators:  "Templates" is a Java class name that should
          * not be translated.

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMsg.java

@@ -33,7 +33,7 @@
  * @author G. Todd Miller
  * @author Erwin Bolwidt <[email protected]>
  * @author Morten Jorgensen
- * @LastModified: Nov 2024
+ * @LastModified: Dec 2024
  */
 public final class ErrorMsg {
 
@@ -105,6 +105,7 @@ public final class ErrorMsg {
     public static final String ATTR_VAL_TEMPLATE_ERR = "ATTR_VAL_TEMPLATE_ERR";
     public static final String UNKNOWN_SIG_TYPE_ERR = "UNKNOWN_SIG_TYPE_ERR";
     public static final String DATA_CONVERSION_ERR = "DATA_CONVERSION_ERR";
+    public static final String UNSUPPORTED_EXT_FUNC_ERR = "UNSUPPORTED_EXT_FUNC_ERR";
 
     // JAXP/TrAX error messages
     public static final String NO_TRANSLET_CLASS_ERR = "NO_TRANSLET_CLASS_ERR";

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/runtime/ErrorMessages.java

@@ -1,6 +1,5 @@
 /*
- * reserved comment block
- * DO NOT REMOVE OR ALTER!
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -25,6 +24,7 @@
 
 /**
  * @author Morten Jorgensen
+ * @LastModified: Dec 2024
  */
 public class ErrorMessages extends ListResourceBundle {
 
@@ -275,10 +275,16 @@ public Object[][] getContents()
         "An attribute whose value must be an NCName had the value ''{0}''"},
 
         {BasisLibrary.UNALLOWED_EXTENSION_FUNCTION_ERR,
-        "Use of the extension function ''{0}'' is not allowed when the secure processing feature is set to true."},
+        "Use of the extension function ''{0}'' is not allowed when extension "
+              + "functions are disabled by the secure processing feature or "
+              + "the property ''jdk.xml.enableExtensionFunctions''. "
+              + "To enable extension functions, set ''jdk.xml.enableExtensionFunctions'' to ''true''."},
 
         {BasisLibrary.UNALLOWED_EXTENSION_ELEMENT_ERR,
-        "Use of the extension element ''{0}'' is not allowed when the secure processing feature is set to true."},
+        "Use of the extension function ''{0}'' is not allowed when extension "
+              + "functions are disabled by the secure processing feature or "
+              + "the property ''jdk.xml.enableExtensionFunctions''. "
+              + "To enable extension functions, set ''jdk.xml.enableExtensionFunctions'' to ''true''."},
     };
     }
 

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java

@@ -75,7 +75,6 @@
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.JdkProperty.ImplPropMap;
 import jdk.xml.internal.JdkProperty.State;
-import jdk.xml.internal.SecuritySupport;
 import jdk.xml.internal.TransformErrorListener;
 import jdk.xml.internal.XMLSecurityManager;
 import org.xml.sax.InputSource;
@@ -88,7 +87,7 @@
  * @author G. Todd Miller
  * @author Morten Jorgensen
  * @author Santiago Pericas-Geertsen
- * @LastModified: Nov 2024
+ * @LastModified: Dec 2024
  */
 public class TransformerFactoryImpl
     extends SAXTransformerFactory implements SourceLoader
@@ -216,7 +215,7 @@ public PIParamWrapper(String media, String title, String charset) {
     /**
      * <p>State of secure processing feature.</p>
      */
-    private boolean _isNotSecureProcessing = true;
+    private boolean _isNotSecureProcessing = false;
     /**
      * <p>State of secure mode.</p>
      */

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2024, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -100,7 +100,7 @@
  * @author Morten Jorgensen
  * @author G. Todd Miller
  * @author Santiago Pericas-Geertsen
- * @LastModified: July 2023
+ * @LastModified: Dec 2024
  */
 public final class TransformerImpl extends Transformer
     implements DOMCache
@@ -206,7 +206,7 @@ public final class TransformerImpl extends Transformer
     /**
      * State of the secure processing feature.
      */
-    private boolean _isSecureProcessing = false;
+    private boolean _isSecureProcessing = true;
 
     /**
      * Indicates whether 3rd party parser may be used to override the system-default
@@ -292,6 +292,7 @@ protected TransformerImpl(Translet translet, Properties outputProperties,
         _propertiesClone = (Properties) _properties.clone();
         _indentNumber = indentNumber;
         _tfactory = tfactory;
+        _isSecureProcessing = _tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
         _overrideDefaultParser = _tfactory.overrideDefaultParser();
         _accessExternalDTD = (String)_tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD);
         _securityManager = (XMLSecurityManager)_tfactory.getAttribute(JdkConstants.SECURITY_MANAGER);

src/java.xml/share/classes/jdk/xml/internal/JdkXmlFeatures.java

@@ -52,7 +52,7 @@ public static enum XmlFeature {
          * function is disabled.
          */
         ENABLE_EXTENSION_FUNCTION(ImplPropMap.ENABLEEXTFUNC, null, null, true,
-                null, null, true, false, true, true),
+                null, null, false, false, true, true),
         /**
          * The {@link javax.xml.XMLConstants.USE_CATALOG} feature.
          * FSP: USE_CATALOG is not enforced by FSP.
@@ -382,13 +382,7 @@ public int getIndex(String propertyName) {
      */
     private void readSystemProperties() {
         for (XmlFeature feature : XmlFeature.values()) {
-            if (!getSystemProperty(feature, feature.systemProperty())) {
-                //if system property is not found, try the older form if any
-                String oldName = feature.systemPropertyOld();
-                if (oldName != null) {
-                    getSystemProperty(feature, oldName);
-                }
-            }
+            getSystemProperty(feature, feature.systemProperty());
         }
     }
 
@@ -402,6 +396,11 @@ private void readSystemProperties() {
     private boolean getSystemProperty(XmlFeature feature, String sysPropertyName) {
         try {
             String value = System.getProperty(sysPropertyName);
+            if (value == null && feature.systemPropertyOld() != null) {
+                // legacy system property
+                value = System.getProperty(feature.systemPropertyOld());
+            }
+
             if (value != null && !value.isEmpty()) {
                 setFeature(feature, State.SYSTEMPROPERTY, Boolean.parseBoolean(value));
                 return true;

src/java.xml/share/conf/jaxp.properties

@@ -57,11 +57,10 @@
 # Extension Functions:
 #
 # This property determines whether XSLT and XPath extension functions are allowed.
-# The value type is boolean and the default value is true (allowing
-# extension functions). The following entry overrides the default value and
-# disallows extension functions:
+# The value type is boolean and the default value is false (disallowing
+# extension functions).
 #
-# jdk.xml.enableExtensionFunctions=false
+jdk.xml.enableExtensionFunctions=false
 #
 #
 # Overriding the default parser: