SecurityManager.hpp

/*
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 2003 The Apache Software Foundation.  All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution,
 *    if any, must include the following acknowledgment:
 *       "This product includes software developed by the
 *        Apache Software Foundation (http://www.apache.org/)."
 *    Alternately, this acknowledgment may appear in the software itself,
 *    if and wherever such third-party acknowledgments normally appear.
 *
 * 4. The names "Xerces" and "Apache Software Foundation" must
 *    not be used to endorse or promote products derived from this
 *    software without prior written permission. For written
 *    permission, please contact apache\@apache.org.
 *
 * 5. Products derived from this software may not be called "Apache",
 *    nor may "Apache" appear in their name, without prior written
 *    permission of the Apache Software Foundation.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation, and was
 * originally based on software copyright (c) 1999, International
 * Business Machines, Inc., http://www.ibm.com .  For more information
 * on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 */

/*
 * $Log: SecurityManager.hpp,v $
 * Revision 1.2  2003/04/22 12:53:38  neilg
 * change const static member to an enum to make MSVC happy
 *
 * change ENTITY_EXPANSION_LIMIT from a static const data member to an enum
 *
 * Revision 1.1  2003/04/17 21:58:49  neilg
 * Adding a new property,
 * http://apache.org/xml/properties/security-manager, with
 * appropriate getSecurityManager/setSecurityManager methods on DOM
 * and SAX parsers.  Also adding a new SecurityManager class.
 *
 * The purpose of these modifications is to permit applications a
 * means to have the parser reject documents whose processing would
 * otherwise consume large amounts of system resources.  Malicious
 * use of such documents could be used to launch a denial-of-service
 * attack against a system running the parser.  Initially, the
 * SecurityManager only knows about attacks that can result from
 * exponential entity expansion; this is the only known attack that
 * involves processing a single XML document.  Other, similar attacks
 * can be launched if arbitrary schemas may be parsed; there already
 * exist means (via use of the EntityResolver interface) by which
 * applications can deny processing of untrusted schemas.  In future,
 * the SecurityManager will be expanded to take these other exploits
 * into account.
 *
 * Initial checkin of SecurityManager
 *
 * $Id: SecurityManager.hpp,v 1.2 2003/04/22 12:53:38 neilg Exp $
 *
 */

#ifndef SECURITYMANAGER_HPP
#define SECURITYMANAGER_HPP

#include <xercesc/util/XercesDefs.hpp>

XERCES_CPP_NAMESPACE_BEGIN

class  SecurityManager
{
public:

    /* Default value for the entity expansion limit */
    enum { ENTITY_EXPANSION_LIMIT = 50000};

    /* A new SecurityManager starts with the default limit */
    SecurityManager()
    {
        fEntityExpansionLimit = ENTITY_EXPANSION_LIMIT;
    }

    virtual ~SecurityManager(){};

    /* Replaces the entity expansion limit */
    virtual void setEntityExpansionLimit(unsigned int newLimit)
    {
        fEntityExpansionLimit = newLimit;
    }

    /* Returns the current entity expansion limit */
    virtual unsigned int getEntityExpansionLimit() const
    {
        return fEntityExpansionLimit;
    }

protected:
    unsigned int fEntityExpansionLimit;

private:

    /* Unimplemented Constructors and operators */
    /* Copy constructor */
    SecurityManager(const SecurityManager&);

    /* Assignment operator */
    SecurityManager& operator=(const SecurityManager&);
};

XERCES_CPP_NAMESPACE_END

#endif
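
An added illustration, not part of Xerces-C: a stand-alone C++ model of the counting check that a limit such as ENTITY_EXPANSION_LIMIT implies for the exponential entity expansion described in the revision log. The names EntityTable, expand, nestedEntities and rejected are hypothetical, and charging one unit per expanded entity reference is an assumption about how such a limit is enforced, not the parser's own code.

```cpp
#include <cstddef>
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for a parser's entity table: name -> replacement text.
typedef std::map<std::string, std::string> EntityTable;

struct ExpansionLimitExceeded : std::runtime_error {
    ExpansionLimitExceeded() : std::runtime_error("entity expansion limit exceeded") {}
};

// Expands each "&name;" recursively; count is shared across the whole document.
std::string expand(const std::string& text, const EntityTable& entities,
                   unsigned int limit, unsigned int& count) {
    std::string out;
    std::size_t pos = 0;
    for (;;) {
        std::size_t amp = text.find('&', pos);
        out.append(text, pos, amp == std::string::npos ? amp : amp - pos);
        if (amp == std::string::npos) return out;
        std::size_t semi = text.find(';', amp);
        if (semi == std::string::npos) throw std::runtime_error("unterminated reference");
        EntityTable::const_iterator it = entities.find(text.substr(amp + 1, semi - amp - 1));
        if (it == entities.end()) throw std::runtime_error("undeclared entity");
        if (++count > limit) throw ExpansionLimitExceeded();  // stop before doing more work
        out += expand(it->second, entities, limit, count);
        pos = semi + 1;
    }
}

// Constructed sample: e0 is plain text; each e<i> references e<i-1> fanout times.
EntityTable nestedEntities(unsigned int depth, unsigned int fanout) {
    EntityTable t;
    t["e0"] = "x";
    for (unsigned int i = 1; i <= depth; ++i)
        for (unsigned int j = 0; j < fanout; ++j)
            t["e" + std::to_string(i)] += "&e" + std::to_string(i - 1) + ";";
    return t;
}

// True if expanding body under limit is rejected.
bool rejected(const EntityTable& t, const std::string& body, unsigned int limit) {
    unsigned int count = 0;
    try { expand(body, t, limit, count); } catch (const ExpansionLimitExceeded&) { return true; }
    return false;
}

int main() { return rejected(nestedEntities(5, 10), "&e5;", 50000) ? 0 : 1; }
```

With a fanout of 10, four levels of nesting cost 11111 expansions and pass under the header's default of 50000, while five levels would cost 111111 and are rejected partway through.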


Copyright © 2003 The Apache Software Foundation. All Rights Reserved.