SecurityManager.hpp Source File

00001 /*
00002  * The Apache Software License, Version 1.1
00003  *
00004  * Copyright (c) 2003 The Apache Software Foundation.  All rights
00005  * reserved.
00006  *
00007  * Redistribution and use in source and binary forms, with or without
00008  * modification, are permitted provided that the following conditions
00009  * are met:
00010  *
00011  * 1. Redistributions of source code must retain the above copyright
00012  *    notice, this list of conditions and the following disclaimer.
00013  *
00014  * 2. Redistributions in binary form must reproduce the above copyright
00015  *    notice, this list of conditions and the following disclaimer in
00016  *    the documentation and/or other materials provided with the
00017  *    distribution.
00018  *
00019  * 3. The end-user documentation included with the redistribution,
00020  *    if any, must include the following acknowledgment:
00021  *       "This product includes software developed by the
00022  *        Apache Software Foundation (http://www.apache.org/)."
00023  *    Alternately, this acknowledgment may appear in the software itself,
00024  *    if and wherever such third-party acknowledgments normally appear.
00025  *
00026  * 4. The names "Xerces" and "Apache Software Foundation" must
00027  *    not be used to endorse or promote products derived from this
00028  *    software without prior written permission. For written
00029  *    permission, please contact apache\@apache.org.
00030  *
00031  * 5. Products derived from this software may not be called "Apache",
00032  *    nor may "Apache" appear in their name, without prior written
00033  *    permission of the Apache Software Foundation.
00034  *
00035  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
00036  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
00037  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
00038  * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
00039  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
00040  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
00041  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
00042  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
00043  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
00044  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
00045  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
00046  * SUCH DAMAGE.
00047  * ====================================================================
00048  *
00049  * This software consists of voluntary contributions made by many
00050  * individuals on behalf of the Apache Software Foundation, and was
00051  * originally based on software copyright (c) 1999, International
00052  * Business Machines, Inc., http://www.ibm.com .  For more information
00053  * on the Apache Software Foundation, please see
00054  * <http://www.apache.org/>.
00055  */
00056 
00057 /*
00058  * $Log: SecurityManager.hpp,v $
00059  * Revision 1.3  2004/01/29 11:48:46  cargilld
00060  * Code cleanup changes to get rid of various compiler diagnostic messages.
00061  *
00062  * Revision 1.2  2003/04/22 12:53:38  neilg
00063  * change const static member to an enum to make MSVC happy
00064  *
00065  * change ENTITY_EXPANSION_LIMIT from a static const data member to an enum
00066  * 
00067  * Revision 1.1  2003/04/17 21:58:49  neilg
00068  * Adding a new property,
00069  * http://apache.org/xml/properties/security-manager, with
00070  * appropriate getSecurityManager/setSecurityManager methods on DOM
00071  * and SAX parsers.  Also adding a new SecurityManager class.
00072  *
00073  * The purpose of these modifications is to permit applications a
00074  * means to have the parser reject documents whose processing would
00075  * otherwise consume large amounts of system resources.  Malicious
00076  * use of such documents could be used to launch a denial-of-service
00077  * attack against a system running the parser.  Initially, the
00078  * SecurityManager only knows about attacks that can result from
00079  * exponential entity expansion; this is the only known attack that
00080  * involves processing a single XML document.  Other, simlar attacks
00081  * can be launched if arbitrary schemas may be parsed; there already
00082  * exist means (via use of the EntityResolver interface) by which
00083  * applications can deny processing of untrusted schemas.  In future,
00084  * the SecurityManager will be expanded to take these other exploits
00085  * into account.
00086  *
00087  * Initial checkin of SecurityManager
00088  *
00089  * $Id: SecurityManager.hpp,v 1.3 2004/01/29 11:48:46 cargilld Exp $
00090  *
00091  */
00092 
00093 #ifndef SECURITYMANAGER_HPP
00094 #define SECURITYMANAGER_HPP
00095 
00096 #include <xercesc/util/XercesDefs.hpp>
00097 
00098 XERCES_CPP_NAMESPACE_BEGIN
00099 
00122 class  SecurityManager
00123 {
00124 public:
00125 
00126     enum { ENTITY_EXPANSION_LIMIT = 50000};
00127 
00131     SecurityManager()
00132         : fEntityExpansionLimit(ENTITY_EXPANSION_LIMIT)
00133     {        
00134     }
00135 
00137     virtual ~SecurityManager(){};   
00139 
00154     virtual void setEntityExpansionLimit(unsigned int newLimit) 
00155     {
00156         fEntityExpansionLimit = newLimit;
00157     }
00158 
00166     virtual unsigned int getEntityExpansionLimit() const
00167     { 
00168         return fEntityExpansionLimit;
00169     }
00171 
00172 protected:
00173     unsigned int fEntityExpansionLimit;
00174 
00175 private:
00176 
00177     /* Unimplemented Constructors and operators */
00178     /* Copy constructor */
00179     SecurityManager(const SecurityManager&);
00180     
00182     SecurityManager& operator=(const SecurityManager&);
00183 };
00184 
00185 XERCES_CPP_NAMESPACE_END
00186 
00187 #endif