From 166be972646d822ece279f0690da39055dbd9fab Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Wed, 4 Oct 2017 19:54:41 +0000
Subject: [PATCH] Bug 61564: Try to get rid of the Java 9 illegal access
 warning now that we run Java 8

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1811145 13f79535-47bb-0310-9956-ffa450edef68
---
 .../java/org/apache/poi/util/DocumentHelper.java  |  9 +++++++--
 src/ooxml/java/org/apache/poi/util/SAXHelper.java | 15 ++++++++++++++-
 .../org/apache/poi/util/TestSAXHelper.java        |  2 ++
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/src/ooxml/java/org/apache/poi/util/DocumentHelper.java b/src/ooxml/java/org/apache/poi/util/DocumentHelper.java
index f86e60fd90..569c5ff719 100644
--- a/src/ooxml/java/org/apache/poi/util/DocumentHelper.java
+++ b/src/ooxml/java/org/apache/poi/util/DocumentHelper.java
@@ -113,8 +113,8 @@ public final class DocumentHelper {
     
     private static void trySetXercesSecurityManager(DocumentBuilderFactory dbf) {
         // Try built-in JVM one first, standalone if not
-        for (String securityManagerClassName : new String[] {
-                "com.sun.org.apache.xerces.internal.util.SecurityManager",
+        for (String securityManagerClassName : new String[]{
+                //"com.sun.org.apache.xerces.internal.util.SecurityManager",
                 "org.apache.xerces.util.SecurityManager"
         }) {
             try {
@@ -124,10 +124,15 @@ public final class DocumentHelper {
                 dbf.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
                 // Stop once one can be setup without error
                 return;
+            } catch (ClassNotFoundException e) {
+                // continue without log, this is expected in some setups
             } catch (Throwable e) {     // NOSONAR - also catch things like NoClassDefError here
                 logger.log(POILogger.WARN, "SAX Security Manager could not be setup", e);
             }
         }
+
+        // separate old version of Xerces not found => use the builtin way of setting the property
+        dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096);
     }
 
     /**
diff --git a/src/ooxml/java/org/apache/poi/util/SAXHelper.java b/src/ooxml/java/org/apache/poi/util/SAXHelper.java
index fcd86e5099..81ab5599fc 100644
--- a/src/ooxml/java/org/apache/poi/util/SAXHelper.java
+++ b/src/ooxml/java/org/apache/poi/util/SAXHelper.java
@@ -95,7 +95,7 @@ public final class SAXHelper {
     private static void trySetXercesSecurityManager(XMLReader xmlReader) {
         // Try built-in JVM one first, standalone if not
         for (String securityManagerClassName : new String[] {
-                "com.sun.org.apache.xerces.internal.util.SecurityManager",
+                //"com.sun.org.apache.xerces.internal.util.SecurityManager",
                 "org.apache.xerces.util.SecurityManager"
         }) {
             try {
@@ -105,6 +105,8 @@ public final class SAXHelper {
                 xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
                 // Stop once one can be setup without error
                 return;
+            } catch (ClassNotFoundException e) {
+                // continue without log, this is expected in some setups
             } catch (Throwable e) {     // NOSONAR - also catch things like NoClassDefError here
                 // throttle the log somewhat as it can spam the log otherwise
                 if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
@@ -113,5 +115,16 @@ public final class SAXHelper {
                 }
             }
         }
+
+        // separate old version of Xerces not found => use the builtin way of setting the property
+        try {
+            xmlReader.setProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096);
+        } catch (SAXException e) {     // NOSONAR - also catch things like NoClassDefError here
+            // throttle the log somewhat as it can spam the log otherwise
+            if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
+                logger.log(POILogger.WARN, "SAX Security Manager could not be setup [log suppressed for 5 minutes]", e);
+                lastLog = System.currentTimeMillis();
+            }
+        }
     }
 }
diff --git a/src/ooxml/testcases/org/apache/poi/util/TestSAXHelper.java b/src/ooxml/testcases/org/apache/poi/util/TestSAXHelper.java
index 6d3c038b4c..04f3a7a267 100644
--- a/src/ooxml/testcases/org/apache/poi/util/TestSAXHelper.java
+++ b/src/ooxml/testcases/org/apache/poi/util/TestSAXHelper.java
@@ -33,6 +33,8 @@ public class TestSAXHelper {
         assertNotSame(reader, SAXHelper.newXMLReader());
         assertTrue(reader.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
         assertEquals(SAXHelper.IGNORING_ENTITY_RESOLVER, reader.getEntityResolver());
+        assertNotNull(reader.getProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"));
+        assertEquals("4096", reader.getProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"));
         assertNotNull(reader.getProperty("http://apache.org/xml/properties/security-manager"));
 
         reader.parse(new InputSource(new ByteArrayInputStream("<xml></xml>".getBytes("UTF-8"))));
-- 
2.39.5